Tag: compliance

Categories
Great Women in Compliance

Great Women in Compliance – Catching Up with the OG GWIC with Mary Shirley

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insight and a part of the Compliance Podcast Network.  My guest today isn’t really a guest; she’s so much more.  She is an architect of GWIC, my first partner in compliance, and my first compliance friend, who remains a dear friend to this day.  She coined the phrase “Send the Elevator Back Down,” taught me about tall poppy syndrome, and I am still using her cheat codes.  Of course, it’s Mary Shirley!

Mary, can you update everyone on all the cool things that have been happening since you became, as we call it, #GWICemerita?

As a global compliance leader who has lived in several countries and now three very different states in the US, what do you see as the principles of a “culture of integrity” that apply to any business, regardless of geography or industry?

  • While there have been changes in US laws, particularly the FCPA, and newer laws in the EU and the UK, among others, are you seeing any shifts in how to define – or communicate – a culture of integrity?
  • You have compiled a list of questions for job seekers to ask about the terms of compliance programs and a culture of integrity. What do you think is the most revealing one and why?
    • Mine is “Can I talk to my predecessor?”

I look forward to seeing you very soon at SCCE CEI.  You and Matt Kelly are presenting “AI Governance for N00bs: A Beginner’s Guide for the Non-Tech Compliance Practitioner” on Sunday to kick off the event.

  • What do you see as the biggest opportunities for compliance professionals to use AI and machine learning?
  • What challenges do you see for integrating AI and machine learning into their compliance program, and how should we approach it?
  • What about the algorithmic bias?
  • It seems like ethics and compliance are being welcomed as “partners” at the AI governance table. What do you think is the most significant reason for this shift, and what can a compliance professional do to ensure they maintain that strategic seat at the table?

When you think about the first 200 episodes, do you have a specific non-substantive, non-podcast memory that sticks out to you?  Besides the origin story – which I still tell!

Categories
Compliance Into the Weeds

Compliance into the Weeds: Examining the Impact of Reducing Middle Management on Corporate Culture

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Seeking insightful perspectives on compliance? Look no further than Compliance into the Weeds! In this episode, Tom Fox and Matt Kelly discuss the implications of reducing the number of middle managers in corporate America.

Kelly’s blog post, inspired by a Wall Street Journal article, serves as the foundation for a broader discussion on how the reduction of managers impacts corporate culture, employee dynamics, and compliance programs. They explore the reasons behind this trend, such as the desire for agility or cost-cutting, and its effects on communication, institutional knowledge, and the role of compliance officers. They also explore potential solutions, including the use of AI, enhanced training, and adaptive compliance strategies, to mitigate the risks associated with fewer middle managers.

Key highlights:

  • Corporate America’s Managerial Shift
  • Implications for Corporate Culture
  • AI and Compliance Solutions
  • Institutional Knowledge and Risks
  • Compliance Takeaways and Final Thoughts

Resources:

Matt on Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred the Davey, Communicator, and W3 Awards for podcast excellence.

Categories
AI Today in 5

AI Today in 5: September 3, 2025, The Human in the Loop Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories:

For more information on the use of AI in Compliance programs, my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Blog

The Sound of Compliance: Using Branded Podcasts to Build Culture and Trust

One of the greatest challenges in corporate compliance is not merely writing policies, conducting investigations, or designing training, but instead effectively implementing these measures. The real challenge is communication. That is finding ways to connect compliance messages with employees in a way that resonates, sticks, and inspires action (IE., engaging and targeted). For years, compliance officers have experimented with email newsletters, intranet portals, and short training videos. These have their place, but the question remains: how do you make compliance messages memorable?

Enter branded podcasts. While businesses often view podcasts as marketing tools, they represent an underutilized resource for compliance professionals. Branded podcasts combine the power of long-form storytelling, intimacy, and authenticity. They don’t just tell employees what the rules are; they let compliance leaders engage directly with their workforce in ways that build trust and credibility.

Consider how branded podcast strategies, borrowed from the marketing world, can be integrated into your compliance communications toolkit.

Why Branded Podcasts Work for Compliance

Marketing research shows that branded podcasts can:

  • Lift brand awareness by 89%
  • Improve brand favorability by 61%
  • Increase brand consideration by 57%
  • Drive purchase intent by 14%

Now, translate those metrics into the compliance world. Awareness means employees are aware of the Code of Conduct’s existence. Favorability equals trust in the compliance function. Consideration equals employees being willing to pick up the phone and ask a question. Purchase intent equals employees actually following the guidance you’ve laid out.

Podcasts offer compliance officers something that other tools rarely do: extended attention from an audience. Employees may skim an email or fast-forward through a training video, but a podcast, whether listened to on a commute, while exercising, or during lunch, can create space for employees to hear the compliance message truly.

Strategy 1: Control the Narrative

Compliance often struggles with being framed as the “Department of No.” Podcasts flip that narrative by letting compliance officers control the storytelling. Imagine a compliance podcast series titled Decisions That Matter. Each episode could feature leaders across the organization discussing how they navigated ethical dilemmas, or employees telling stories about how compliance policies guided their work. This does not simply reinforce policy; it makes compliance part of the corporate identity.

Owning the narrative also means controlling distribution. Just like marketers, compliance teams can utilize multiple channels, including internal podcast feeds, company intranets, email blasts, and even short video clips posted on collaboration tools like Microsoft Teams or Slack.

Strategy 2: Leverage the Intimacy of Audio

There’s a reason people often describe listening to their favorite podcasts as “hanging out with smart, funny friends.” That sense of closeness and familiarity is one of audio’s greatest strengths—and one compliance officers can harness. Unlike fleeting interactions with TV spots, email blasts, or even in-person announcements, podcasts hold an audience’s attention for extended periods. This creates a deeper, more personal connection between compliance and employees.

The BBC’s Audio Activated Study (2019) demonstrated this effect, showing that branded podcasts build uniquely strong engagement and trust. For compliance professionals, the implications are significant: podcasts enable you to move beyond transactional reminders of policy and instead foster authentic conversations about values, ethics, and decision-making.

Consider this: while an employee may forget the details of an email announcing a new anti-retaliation policy, if they hear the Chief Compliance Officer (CCO) discussing real-world examples in a conversational podcast format, they are far more likely to remember and internalize the message. Podcasts enable compliance leaders to “enter the room” with employees in a trusted, low-pressure manner. One that builds credibility and reinforces the culture of compliance over time.

Strategy 3: Use the Right Voices to Build Authenticity

Compliance communication is often top-down, but podcasts allow you to broaden the voices employees hear. A charismatic host, whether it is the compliance officer themselves or a skilled internal communicator, can create an authentic connection.

Guests matter too. Bring in diverse voices, such as regional managers, data privacy specialists, whistleblower program champions, or outside experts. Each guest not only injects energy but also shows that compliance is a broad, collaborative effort. The key to all this is authenticity. Employees are far more likely to engage with compliance messaging if they perceive it as genuine, rather than scripted.

Strategy 4: Make Compliance Entertaining

You may not think that phrase “compliance podcast” naturally screams entertainment, but I can assure you, it does. But if employees do not enjoy listening, they will not return.

Think about different formats:

  • Narratives: Tell true stories of corporate scandals (Bre-X, Enron, or Theranos) and extract compliance lessons.
  • Deep Dives: Break down a single risk topic like sanctions, data privacy, or conflicts of interest in an accessible, story-driven way.
  • Interviews: Feature executives discussing how compliance enables them to lead effectively.

Entertainment does not mean fluff. It means packaging compliance in a way that keeps employees engaged long enough to absorb the lesson. When employees enjoy compliance content, they will not simply listen once; they come back and recommend it to colleagues.

Strategy 5: Promotion and Distribution

Even the best compliance podcast fails if no one listens. That’s why promotion is critical. Here’s where compliance can borrow from marketing:

  • Internal channels: Feature podcast links in company newsletters, Slack channels, or employee portals.
  • Cross-promotion: Play snippets during training modules or town halls.
  • Teasers: Create short audio or video trailers to spark interest.
  • Executive sponsorship: Ask senior leaders to endorse the podcast in their communications and social media posts.

The lesson from marketing is clear: consistent, multi-channel promotion builds an audience. For compliance, that means embedding your podcast into the rhythm of corporate communications.

Strategy 6: Measure the Impact

Marketers measure branded podcast success in downloads and brand lift. Compliance officers should measure the impact on awareness and behavior.

Metrics could include:

  • Number of downloads or streams
  • Average listening time (are employees finishing episodes?)
  • Employee surveys on awareness and trust in compliance
  • Increases in questions to the hotline or requests for compliance guidance

Suppose you show that podcast listeners are more likely to engage with compliance programs. If you prove the value, you will elevate compliance into a strategic communications leader.

Case Study Inspiration

Consider the success of Century 21 Real Estate’s branded podcast The Relentless. Rather than simply promoting properties or agents, the series focused on the broader themes of persistence, innovation, and personal growth. These are the very qualities that drive success in the competitive world of real estate. Each episode highlighted stories of entrepreneurs, industry leaders, and business visionaries who embodied the “relentless” mindset that Century 21 sought to represent.

The strategy worked. Over the course of three seasons, The Relentless not only amplified Century 21’s brand identity but also resonated deeply with its audience, ultimately placing the show in the top 1% of all podcasts with more than 1.5 million downloads.

Now translate that model into compliance communications. Imagine a compliance podcast that tells compelling stories of ethical leadership, employee resilience in the face of ethical dilemmas, or how teams have navigated complex regulatory challenges. Instead of compliance being framed as rules and restrictions, it becomes a series of stories about persistence, integrity, and doing the right thing under pressure.

If a compliance function could achieve even a fraction of The Relentless’s engagement, it would no longer be seen as the department of “no,” but rather as a trusted, sought-after source of inspiration and guidance for the workforce.

Conclusion

Branded podcasts are not just for marketing departments. For compliance professionals, they represent an untapped frontier in employee engagement.

By controlling the narrative, leveraging the intimacy of audio, building authenticity through diverse voices, making compliance entertaining, promoting aggressively, and measuring outcomes, compliance officers can transform the way they communicate.

In a world where regulators emphasize culture, communication, and engagement, podcasts may be one of the most effective tools available for achieving these goals. The time has come for compliance leaders to borrow a page from the marketing playbook and make branded podcasts a cornerstone of their communication strategy.

Because at the end of the day, compliance is not simply about rules on paper. Instead, it is about conversations. And podcasts give compliance a voice.

Categories
Innovation in Compliance

Innovation in Compliance – Cybersecurity Challenges and Solutions: An In-Depth Interview with Robert Meyers

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Robert Meyers, a cybersecurity and privacy expert with over 30 years of experience.

Meyers shares his journey from starting in IT to becoming a prominent figure in cybersecurity, privacy, and M&A security. He recounts the evolution of cybersecurity from the 1980s to the present day, highlighting key lessons learned along the way. He discusses the philosophical divide between U.S. and European attitudes toward data privacy, the importance of a cross-functional approach to cybersecurity and privacy within companies, and how emerging technologies like agentic AI are reshaping the industry. He also shares insights from his new book, ‘Privacy Snippets for the Cybersecurity Professional,’ aimed at helping professionals bridge the gap between cybersecurity and privacy. Additionally, Meyers’s passion for Comic-Con offers a unique perspective on how creativity and community engagement can inform and enrich professional practices.

Key highlights:

  • Robert Meyers’ Professional Background
  • Early Cybersecurity Challenges
  • Evolution of Privacy and Security
  • Roles and Responsibilities in Cybersecurity
  • Agentic AI and Future Challenges
  • Comic-Con and Personal Interests
  • Advice for Aspiring Professionals

Resources:

Privacy Snippets for the Cybersecurity Professional on Amazon

Robert Meyers’ Profile on Amazon

Robert Meyers ‘on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
From the Editor's Desk

Compliance Week’s Reflections from August and Insights into September 2025

In this episode of ‘From The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week. They discuss the heightened risks for companies doing business in Mexico due to connections with cartels, recent enforcement actions stemming from these connections, and the Trump administration’s first FCPA bribery case. They also preview an upcoming case study on Lafarge’s operations in Syria and introduce new website features, including CW Connect, designed to foster meaningful conversations among compliance officers. Additionally, they highlight best practices and preview articles planned for National Compliance Officer Day.

Highlights include:

  • Top Compliance Stories in August 2025
  • Risks of Doing Business in Mexico
  • FCPA Enforcement Actions and Investigations
  • Upcoming Case Study on Lafarge
  • Website Redesign and New Features

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Blog

UM Cheating Scandal, Part 5: Compliance Lessons Learned

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1, we examined the background facts, the elaborate scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we discussed the deeper issue of culture, where the football program viewed compliance as an adversary. In Part 3, we analyzed the violations and penalties, focusing on the sanctions imposed on Michigan and its staff. Finally, in Part 4, we considered what happens when an enforcement agency is stripped of its ability to enforce by asking whether the NCAA itself has become a toothless enforcement agency after declining to vacate wins or strip Michigan of its 2023 national championship.

Together, these four posts tell a story that is both uniquely collegiate and universally corporate: a tale of rules violated, compliance sidelined, culture corrupted, penalties imposed, and a regulator under fire. For corporate compliance professionals, the lessons are clear.

The Background: What Happened at Michigan

At the heart of the Michigan case was Connor Stalions, a staffer who orchestrated an elaborate sign-stealing operation. Using a network of interns, acquaintances, and even student-athletes, Stalions purchased tickets, filmed opponents’ sidelines, and created a “Master Chart” of signals. Over the course of three seasons, there were 56 instances of impermissible in-person scouting across 52 games.

The violations went beyond scouting. Coaches and staff provided improper inducements, including meals, gear, and even attempts at social media “blue check” verification. Nearly 100 impermissible text messages were sent to a recruit before the allowable date.

Head coach Jim Harbaugh was charged with head coach responsibility violations, having failed to promote compliance or monitor his staff. To make matters worse, multiple individuals failed to cooperate once the investigation began; devices were destroyed, evidence was deleted, and investigators were misled.

This was Michigan’s second infractions case in as many years, making it a repeat violator.

The Cultural Breakdown

But the facts alone do not explain how this misconduct flourished. The real story was cultural.

Michigan football had a contentious relationship with compliance. Coaches dismissed the compliance staff as “roadblocks” and even “true scum of the earth.” The Chief Compliance Officer, a respected industry leader, testified that she was seen as “a thorn in [Harbaugh’s] side.”

This hostility created an environment of willful blindness. Staff admitted they “went out of their way not to know” what Stalions was doing, so long as results were delivered. Red flags raised by interns or opponents were ignored or brushed aside.

Compliance education was lacking, especially for interns, many of whom played key roles in the scheme but received no targeted training. The compliance office could not even get into the room unless it forced its way in.

Ultimately, the NCAA concluded that “Michigan failed to create a culture of compliance in the football program.” For compliance professionals, this is a cautionary tale: no matter how effective your compliance office is, culture will ultimately prevail if leadership undermines it.

The Penalties: What Was Possible, What Was Imposed

The violations — Level I for the most serious. They were for scouting, head coach responsibility, and failures to cooperate, and Level II for recruiting and monitoring, which carried potentially devastating penalties. As a repeat violator, Michigan could have faced multi-year postseason bans, scholarship reductions, and the vacating of wins.

Instead, the NCAA opted for a different approach:

  • For Michigan: Four more years of probation, multi-million-dollar fines, loss of postseason revenue, recruiting restrictions, and public posting of the infractions’ decision.
  • For Individuals: Career-altering show-cause orders and doling out 10 years for Harbaugh, 8 years for Stalions, 3 years for Robinson, and 2 years for Moore. Negotiated resolutions added show-cause penalties for Clinkscale and Minter.

But the NCAA declined to impose a postseason ban or vacate Michigan’s 2023 national championship. Instead, it substituted financial penalties, citing fairness to current athletes who were not involved in the violations.

The NCAA’s Credibility Crisis

This decision has sparked a broader debate: Is the NCAA now a toothless enforcement agency? By choosing not to vacate wins, not to impose a postseason ban, and not to strip the national championship, the NCAA sent a message: even the most serious Level I–Aggravated violations can be survived without meaningful on-field consequences.

The NCAA justified its choice by citing the need for fairness to current athletes. But the effect was to undercut deterrence. If Michigan can commit widespread violations, win a championship during the scheme, and keep both the wins and the trophy, what message does that send? For compliance professionals, this is equivalent to a regulator declining to debar a repeat corporate offender or refusing to impose a monitor after repeated bribery scandals have occurred. Enforcement without teeth creates cynicism, undermines culture, and emboldens violators.

Five Lessons for Corporate Compliance Professionals

From the four perspectives we have explored — facts, culture, penalties, and the regulator’s credibility — come five key lessons for corporate compliance officers.

1. Culture Will Always Trump Policy

Michigan had a compliance office, policies, and training. Yet the football program treated compliance as the enemy. Harbaugh’s tone at the top set a culture where results mattered more than rules. Compliance professionals must remember that culture is the real driver of behavior. Policies without culture are paper tigers.

2. Repeat Offenders Face Escalating Consequences

Michigan’s repeat violator status magnified its penalties. In the corporate world, companies with prior FCPA or sanctions violations are judged far more harshly when caught again. Building credibility requires not just resolving past cases but sustaining reform over time.

3. Individual Accountability is Here to Stay

The NCAA’s most severe sanctions fell on individuals, Harbaugh and Stalions in particular. This mirrors the DOJ’s emphasis on individual liability. Compliance officers must ensure executives understand that they will personally bear responsibility for compliance failures.

4. Cooperation is Non-Negotiable

The obstruction made this case far worse. Destroying evidence and refusing to cooperate turned a bad situation into a career-ending one for multiple individuals. In corporate enforcement, cooperation credit can significantly reduce penalties; obstruction can magnify them.

5. Regulators Must Enforce Meaningfully — or Risk Irrelevance

The most sobering lesson is about the NCAA itself. By declining to vacate wins or strip championships, the NCAA undermined its own credibility. For compliance officers, this underscores the importance of strong, consistent enforcement. If your regulator is weak, it makes your job harder because the business will treat compliance as optional.

The Broader Meaning

The Michigan case is about more than football. It is about how organizations treat compliance, how regulators enforce rules, and how culture drives outcomes. For compliance professionals, it offers a sobering parable. When leadership undermines compliance, culture tolerates misconduct, violations are repeated, and regulators fail to enforce penalties meaningfully, the result is inevitable: misconduct flourishes, penalties escalate, and credibility erodes.

The job of the compliance professional is to resist that cycle: to build cultures that embrace compliance, to insist on accountability, to promote cooperation, and to hold leadership accountable for setting the tone at the top. And when regulators fail to act, compliance officers must redouble their efforts internally because rules without enforcement may be just suggestions, but culture without compliance is a guaranteed recipe for disaster.

Categories
AI Today in 5

AI Today in 5: August 28, 2025, The Afterthought Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories:

For more information on the use of AI in Compliance programs, my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Blog

UM Cheating Scandal: The NCAA – What Happens When Enforcement Is Toothless?

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1 of this series, we examined the factual record of the University of Michigan football infractions case, including the impermissible scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we examined the culture that enabled these violations —a football program that viewed compliance as an enemy and leadership that turned a blind eye. In Part 3, we examined enforcement, or the lack thereof.

Today, when considering the penalties and the enforcement agency, the NCAA. When the dust settled, Michigan walked away without the kind of penalties most observers expected. No games were vacated. No national championship trophies were stripped. No postseason ban was imposed. Instead, Michigan received financial penalties, recruiting restrictions, and an additional four years of probation, in addition to its existing sanctions.

For many, the outcome raises an uncomfortable question: has the NCAA become a toothless enforcement agency? For compliance professionals in the corporate world, this is more than a sports story. It presents an opportunity to reflect on the broader role of enforcement bodies. What happens when regulators fail to enforce meaningfully? How does weak enforcement shape culture? And what can companies learn about their own compliance posture from the NCAA’s example?

The NCAA’s Enforcement Challenge

The NCAA has long touted its role as the guardian of fair play in college sports. Yet over the last decade, its enforcement credibility has eroded. From the Penn State scandal, where authority was challenged in court, to the University of North Carolina’s academic fraud case, where the NCAA claimed it lacked jurisdiction, the association has repeatedly faced criticism that its sanctions are inconsistent, politically influenced, or ineffective.

The Michigan case is the latest data point. Despite describing the scouting scheme as “one of one” in scope and seriousness, the Committee on Infractions declined to impose the stiffest penalties available:

  • No vacating of wins from the 2021–2023 seasons.
  • No forfeiture of the 2023 National Championship, which Michigan won while the scheme was ongoing.
  • No postseason ban, even though the guidelines make such bans mandatory in Level I–Aggravated cases without exemplary cooperation.

Instead, the NCAA substituted financial penalties, citing fairness to current student-athletes who were not involved in the allegations. While this rationale has merit, it leaves the impression that Michigan “got away with it” and that the NCAA is unwilling to enforce its own rules when high-profile programs are involved.

What Weak Enforcement Signals

For compliance officers, this is familiar territory. Regulators who talk tough but avoid meaningful enforcement send a dangerous signal. They tell organizations:

• The risk of being caught is survivable. If the worst that can happen is a fine or probation, misconduct can be rationalized as a business risk.

• The rules are negotiable. If guidelines call for certain penalties but regulators bend them for expedience, the rules lose their deterrent effect.

• Culture follows enforcement. If leaders see that regulators will not impose significant penalties, they are less likely to instill a culture of compliance.

The DOJ has been explicit on this point in its 2023 and 2024 guidance updates: enforcement must be consistent, transparent, and meaningful. Otherwise, companies see compliance as optional.

Parallels to Corporate Enforcement

Consider the parallels between the NCAA’s enforcement dilemma and corporate regulation:

  • Financial Institutions and Money Laundering: If a bank is repeatedly fined for AML violations but never loses its charter or key licenses, the cost of compliance failure becomes just another line item on the balance sheet.
  • FCPA Cases Without Monitors: When companies resolve foreign bribery matters with fines but no independent monitor, questions arise about whether compliance programs will really change.
  • Tech Sector Antitrust: When major technology firms pay record fines but retain their market dominance, critics argue that regulators are unwilling to disrupt the status quo.

The NCAA’s approach in the Michigan case echoes these patterns: big headlines, some financial pain, but no penalties that fundamentally change behavior.

Why the NCAA Chose This Path

The NCAA faced a difficult choice. Punishing current athletes for past staff misconduct raises questions of fairness. Vacating championships is largely symbolic; fans remember who won on the field. And the legal and political environment has shifted: with NIL, the transfer portal, and litigation like House v. NCAA, the NCAA’s authority is weaker than ever.

However, from an enforcement perspective, these explanations do not eliminate the central issue. When rules are broken at the highest level and the sanctions do not match the severity of the violations, the credibility of the regulator erodes.

Lessons for Compliance Professionals

What should compliance officers take away from the NCAA’s Michigan decision?

1. Enforcement Must Be Meaningful

If sanctions do not create real pain, misconduct will be rationalized as a cost of doing business. Compliance programs must be backed by meaningful consequences, whether in sports, banking, or healthcare.

2. Consistency Matters

Regulators that treat marquee institutions differently from smaller ones risk undermining the integrity of the system. In the corporate world, DOJ has emphasized consistency across industries. Selective enforcement creates cynicism.

3. Symbolic Sanctions Still Matter

Yes, vacating wins may be symbolic, but symbols shape culture. Stripping a national championship would have sent a message: no program is above the rules. In the corporate world, this is akin to requiring public admissions of wrongdoing, symbols that reinforce accountability.

4. Enforcement Without Teeth Undermines Compliance Officers

Michigan’s Chief Compliance Officer fought to enforce the rules but was rebuffed by the football staff. The NCAA’s weak enforcement now validates that resistance. Similarly, in corporations, when regulators fail to take action, compliance officers lose internal leverage.

5. The Importance of Independent Oversight

The NCAA is fundamentally a membership organization, as the member schools police themselves. This structural conflict mirrors corporate boards that allow management too much sway over investigations. Independence matters. Without it, enforcement credibility is always in doubt. Even worse is the clear implication that the NCAA is now entirely irrelevant for enforcement.

The Broader Question: Can the NCAA Still Govern

The Michigan case may be remembered less for the violations than for what it revealed about the NCAA’s limits. With the rise of NIL collectives, super conferences, and legal challenges, the NCAA’s role as enforcer is shrinking.

Some argue that conferences, such as the SEC and Big Ten, or even external regulators, such as Congress or state legislatures, may need to step into the breach. Others believe that the market itself, including fans, media, and sponsors, will impose reputational sanctions when the NCAA fails to do so.

For compliance officers, this debate is instructive. When a regulator loses credibility, industry participants look elsewhere for governance. The same could happen in corporate sectors if regulators falter: private monitors, investor activism, or even international bodies may step in to enforce standards.

The Cost of Toothless Enforcement

The NCAA’s decision in the Michigan case underscores a hard truth: rules without meaningful enforcement are not rules at all but merely suggestions.

For compliance professionals, this case should prompt reflection. What happens when your regulator is unwilling to enforce? What happens when penalties are softened to avoid controversy? And how do you, as a compliance officer, maintain credibility in a culture that sees enforcement as toothless?

The answers are sobering. Regulators must be consistent, meaningful, and unafraid to impose real consequences. Otherwise, they risk becoming like the NCAA: long on rules, short on enforcement, and increasingly irrelevant.

Categories
Blog

UM Cheating Scandal Part 3: Violations, Penalties, and Compliance Lessons

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1 of this series, we examined the factual record of the University of Michigan football infractions case, including the impermissible scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we examined the culture that enabled these violations —a football program that viewed compliance as an enemy and leadership that turned a blind eye. Today in Part 3, we turn to the enforcement phase. What violations did the NCAA find? What penalties did the rules call for? And most importantly, what lessons can compliance professionals take from the outcome?

The Violations

The NCAA catalogued a long list of violations. They fell into five main categories, each with parallels to corporate enforcement.

1. Impermissible Off-Campus Scouting (Level I)

    • Connor Stalions directed a network of interns, staff, and acquaintances to attend opponents’ games, film sidelines, and provide footage to Michigan coaches.
    • In all, there were 56 instances across 52 contests over three seasons.
    • This was deemed a Level I violation, the most serious category, as it undermined integrity and provided an unfair advantage.

2. Recruiting Inducements and Communications (Level II)

      • Staff provided meals, gear, and even attempted to secure Instagram “blue check” verification for recruits.
      • Nearly 100 impermissible text messages were exchanged with a prospect before the allowable contact date.
      • These were classified as Level II violations, significant breaches, but less than systemic corruption.

3. Head Coach Responsibility (Level I)

    • Jim Harbaugh was charged with failure to promote an atmosphere of compliance and monitor his staff.
    • After January 2023, under new rules, head coaches are automatically responsible for staff violations.

4. Failure to Cooperate (Level I and II)

    • Stalions destroyed his phone and hard drives, instructed others to delete evidence, and misled investigators.
    • Harbaugh refused to provide records or sit for interviews after leaving the University of Michigan.
    • Denard Robinson provided false information.
    • Sherrone Moore deleted text messages but ultimately cooperated; his failure was deemed Level II.

5. Failure to Monitor (Level II)

    • Michigan, as an institution, failed to monitor its football program, was unable to educate interns, and allowed a culture hostile to compliance to persist.

Possible Penalties

NCAA bylaws, much like DOJ sentencing guidelines, provide ranges of penalties depending on the level of violation and the presence of aggravating or mitigating factors.

For Level I–Aggravated cases (the category Michigan, Harbaugh, Stalions, and Robinson were placed in), possible penalties include:

  • Multi-year postseason bans.
  • Scholarship reductions or equivalent financial penalties.
  • Multi-year probation.
  • Show-cause orders for individuals (restricting employment opportunities).
  • Suspensions.
  • Financial fines, including forfeiture of postseason revenue.

For Level II cases, penalties typically include:

  • Probation.
  • Recruiting restrictions.
  • Shorter show-cause orders.
  • Limited suspensions.

Given Michigan’s status as a repeat violator, from its 2024 infractions case, the panel could have imposed harsher penalties, including a multi-year postseason ban.

The Actual Penalties

The Committee on Infractions ultimately issued a wide-ranging set of penalties but also made notable adjustments.

For the Institution

  • Probation: Four years, consecutive to the 2024 probation. Michigan is now under probation through 2031.
  • Financial Penalties:
    • $50,000 plus 10% of the football budget.
    • Forfeiture of postseason revenue sharing for the 2025–26 and 2026–27 seasons.
    • An additional fine equal to 10% of football scholarships (converted to a financial penalty rather than scholarship reductions).
  • Recruiting Restrictions:
    • 25% reduction in official visits.
    • 14 weeks of no recruiting communications during probation (three self-imposed, 11 added by the panel).
  • Public Censure: Posting of infractions decision on the athletic department’s website and disclosure to all recruits.

Notably, no postseason ban and no scholarship reductions were imposed—instead, financial penalties substituted for those traditional sanctions. The panel explained that banning postseason play would unfairly punish current athletes who were not involved in the misconduct.

For Individuals

  • Connor Stalions: 8-year show-cause order, 100% suspension of first season if employed.
  • Jim Harbaugh: 10-year show-cause order, 100% suspension if employed. This runs consecutively to his 4-year show-cause from the 2024 case, extending sanctions through 2038.
  • Denard Robinson: 3-year show-cause order, 100% suspension if employed.
  • Sherrone Moore: 2-year show-cause order, additional one-game suspension on top of Michigan’s self-imposed two-game suspension.
  • Jesse Minter (via negotiated resolution): One-year show-cause order.
  • Steve Clinkscale (via negotiated resolution): Two-year show-cause order plus 50% suspension of first season if employed.

Analyzing the Penalties

How should compliance professionals view the gap between possible and actual penalties?

1. Postseason Ban Avoided

    • The NCAA rules require a postseason ban in Level I — Aggravated cases, absent exemplary cooperation. Michigan, as a repeat violator, did not meet that standard.
    • Yet the panel deviated, imposing financial penalties instead. The rationale: punishing current student-athletes for past staff misconduct would be inequitable.
    • In corporate terms, this is akin to regulators substituting financial penalties for draconian sanctions that would harm innocent employees or shareholders. For example, instead of barring a company from government contracting (a “corporate death penalty”), DOJ sometimes imposes fines or monitorships.

2. Scholarship Reductions Replaced with Fines

    • Traditionally, scholarship cuts penalize future competitiveness. However, with the NCAA shifting to roster limits, the panel converted this to a financial penalty equivalent to 10% of the scholarships.
    • This reflects a broader compliance trend: sanctions are evolving to fit new realities. Just as regulators now focus on clawbacks, certifications, or ESG commitments, the NCAA tailored penalties to the modern college sports landscape.

3. Severe Individual Penalties

    • The most striking sanctions were against individuals: 8 years for Stalions, 10 years for Harbaugh.
    • These are career-altering penalties. They mirror corporate enforcement where executives are increasingly held personally liable, facing debarment, fines, or even prison.
    • Regulators have made clear: individuals cannot hide behind institutions. The NCAA sent the same message here.

4. Repeat Violator Consequences

    • Michigan’s repeat violator status magnified penalties. The institution argued that violations occurred before the prior case closed. The panel rejected this, emphasizing that timing games cannot avoid repeat status.
    • Corporate regulators apply the same principle. A company that resolves one FCPA case and then stumbles again will face far harsher sanctions, regardless of technical timing arguments.

5. Failure to Cooperate as a Penalty for Drivers

    • The panel noted that Stalions’ obstruction was “one of the more significant and serious failures the COI has seen.” Harbaugh’s refusal to cooperate also elevated his penalties.
    • For corporations, this is a reminder: obstruction is worse than the underlying violation. The DOJ has repeatedly stated that cooperation credit can substantially reduce penalties. Michigan shows the reverse, that obstruction inflates them.

Compliance Lessons

What does all this mean for compliance officers outside of college athletics? Several clear lessons emerge.

1. Culture Drives Outcomes

The penalties Michigan received were not just about violations; they were about culture. The NCAA emphasized how the football program treated compliance with disdain. Regulators in the corporate world do the same; they look beyond technical violations to ask whether the company fostered a culture of compliance.

2. Repeat Offenders Lose Credibility

Michigan’s back-to-back cases destroyed any claim of mitigation. Similarly, corporations with repeat offenses face escalating sanctions. Building credibility with regulators requires not only remediating violations but sustaining reform over time.

3. Individual Accountability is Here to Stay

The lengthy show-cause orders against Harbaugh and Stalions reveal a trend of targeting individuals. In corporate enforcement, the DOJ’s Yates Memo and subsequent policies have prioritized individual accountability. Compliance officers must ensure that executives understand they are personally accountable for their actions.

4. Cooperation Matters More Than Ever

The panel’s harshest language was reserved for those who failed to cooperate. In the private business world, DOJ guidance is clear: full cooperation, timely disclosure, and preservation of evidence are prerequisites for leniency. Michigan’s case proves the inverse: obstruct, and you will pay dearly.

5. Penalties Are Evolving

Just as the NCAA substituted fines for postseason bans, regulators are adapting penalties to modern realities. Companies must be prepared not only for fines but also for innovative sanctions, such as monitorships, clawbacks, mandated compliance certifications, or public disclosure requirements.

A Cautionary Tale

The University of Michigan football case is more than a sports scandal. It is a compliance parable. A program that treated compliance as an enemy, ignored red flags, and repeatedly committed violations ultimately faced some of the harshest individual penalties ever handed down in NCAA history.

For compliance professionals, the lessons are timeless. Culture matters more than policy. Repeat violations destroy credibility. Individuals are accountable. Cooperation is non-negotiable. And penalties evolve with the times.

As the DOJ, SEC, and other regulators continue to refine enforcement expectations, companies would do well to heed Michigan’s example. When compliance is marginalized, when leadership fails to set the tone, and when violations become patterns, the penalties—financial, reputational, and personal—will follow.