Tag: compliance

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 2 Seneca on Pressure and Compliance

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the Roman Republic and the Roman Empire.

Yesterday, we considered Cicero and the duty, law, and the moral limits of business; today, we will look at Seneca and power, pressure, and ethical decision-making under stress; upcoming blog posts include Marcus Aurelius and ethical leadership and tone at the top; Varro and corporate governance; and Lucretius to explore rationality, fear, and risk perception. Today, we continue with Seneca on pressure and when compliance matters the most.

I. Seneca in Context: Ethics from Inside Power

Lucius Annaeus Seneca did not write philosophy from a safe distance. He lived at the center of Roman power, wealth, and danger. As tutor and later advisor to Emperor Nero, Seneca understood how quickly ethical intentions could be compromised by fear, ambition, loyalty, and survival. He also understood how people justify those compromises to themselves.

Seneca’s writings, particularly Letters from a Stoic and On Anger, are not abstract moral treatises. They are practical examinations of how human beings behave when placed under stress. He was deeply concerned with emotional excess, not because emotions were immoral, but because unchecked emotion distorts judgment. Anger, fear, greed, and the desire for approval all lead otherwise rational people to make decisions they later defend as necessary.

For Seneca, ethical failure was rarely sudden. It was incremental. People crossed lines not because they intended to be corrupt, but because they convinced themselves that circumstances demanded flexibility. This insight makes Seneca indispensable to the modern compliance professional, whose greatest challenge is not policy design, but behavior under pressure.

II. The Compliance Problem Seneca Illuminates: Rationalization Under Stress

Most compliance programs are designed around rules, controls, and reporting structures. Far fewer are designed with human psychology in mind. Seneca would argue that this is a critical oversight. Modern compliance failures often occur in high-pressure environments: aggressive sales targets, looming deadlines, competitive markets, political instability, or financial distress. In these moments, individuals do not typically reject ethical norms outright. Instead, they rationalize deviations as temporary, necessary, or harmless.

Common rationalizations include:

  • “This is how business is done here.”
  • “We will fix it later.”
  • “No one is really harmed.”
  • “Leadership expects results.”
  • (and my personal favorite) “We’ve always done it this way.”

Seneca warned that these internal narratives are more dangerous than ignorance. Once people justify unethical conduct to themselves, external controls become less effective. A policy cannot compete with a story someone tells themselves to preserve status, income, or safety. The DOJ, particularly in its various iterations of the Evaluation of Corporate Compliance Programs (ECCP), has increasingly focused on this dynamic. In recent enforcement actions, regulators have emphasized root-cause analysis, asking not only what rule was broken but also why individuals felt compelled to break it. Pressure, incentives, and cultural signals consistently appear as contributing factors.

Seneca teaches that compliance programs must anticipate rationalization. It is not enough to say “do not do this.” Organizations must understand when and why people will convince themselves that doing it is acceptable.

III. Modern Corporate Application: Seneca, DOJ Expectations and Behavioral Compliance

The ECCP explicitly asks whether a company’s risk assessment and controls account for “the types of misconduct most likely to occur” and whether the company has “addressed the root causes of misconduct.” These questions align directly with Seneca’s insights. Consider major enforcement actions involving systemic bribery, fraud, or manipulation of controls. In cases such as the Wells Fargo fraudulent accounts scandal or the Volkswagen emissions testing scandal, both of which involved employees operating under intense performance pressure. While not all wrongdoing can be excused by culture, regulators repeatedly noted environments where employees felt trapped between expectations and ethics.

A Seneca-informed compliance program would focus on several practical measures.

First, risk assessments should explicitly identify pressure points. Compliance should map where incentives, deadlines, or market conditions increase the likelihood of rationalization. This includes sales functions, third-party relationships, emerging markets, and crises.

Second, training should move beyond rules into scenario-based discussions. Seneca believed self-awareness was an ethical discipline. Modern compliance training should confront common rationalizations directly, helping employees recognize them before they take hold. DOJ guidance increasingly favors practical, tailored training over generic training.

Third, escalation pathways must be realistic under stress. A hotline that exists only on paper will not be used when fear of retaliation or failure dominates. Seneca understood that fear silences conscience. Effective compliance programs must demonstrate that speaking up under pressure is protected, valued, and acted upon.

Fourth, leadership messaging matters most during crises. Seneca warned that leaders set moral boundaries through behavior, not speeches. The DOJ has emphasized that how management responds to misconduct is a key indicator of program effectiveness. When leaders excuse results achieved through questionable means, rationalization spreads quickly.

Finally, compliance must be present before the crisis, not introduced afterward. Seneca would view reactive compliance as inherently weak. Ethical resilience must be built in advance, when judgment is clear, and stakes are lower.

Key Takeaways for Compliance Professionals

1. Behavioral Risk. Compliance professionals should view Seneca as a guide to behavioral risk, not philosophical pessimism. Seneca focuses on how real people behave under pressure rather than on abstract ethical ideals. He recognizes that stress, fear, ambition, and loyalty distort judgment long before formal rules are broken. For compliance professionals, Seneca provides a framework for understanding why misconduct occurs even in organizations with well-designed programs.

2. Pressure Points. Compliance should identify and manage pressure points where rationalization thrives. High-performance targets, crises, and competitive markets create environments where ethical shortcuts are easily justified. Seneca teaches that rationalization flourishes when people feel trapped between expectations and consequences. Compliance programs must proactively map and mitigate these pressure points rather than react after misconduct occurs.

3. Training Design. Compliance should design training that addresses how people actually make decisions under stress. Traditional rule-based training assumes calm, rational decision-making, which rarely occurs in real-world situations. Seneca reminds us that ethical failure often occurs in moments of emotional intensity rather than in deliberation. Effective compliance training should use scenarios and realistic dilemmas that reflect pressure, ambiguity, and competing incentives.

Compliance should ensure escalation mechanisms work when fear and incentives collide. A hotline or reporting channel is ineffective if employees do not trust it during high-risk moments. Seneca understood that fear silences conscience and discourages disclosure. Compliance programs must test whether escalation pathways function when the personal cost of speaking up feels high.

4. Leadership Engagement. Compliance should engage leadership on how their responses to pressure shape ethical behavior. Leaders signal ethical boundaries most clearly when responding to setbacks, failures, or missed targets. Seneca warned that inconsistent or emotionally driven leadership responses accelerate ethical decay. Compliance professionals must ensure leaders understand that their reactions under pressure become cultural instruction.

  • Compliance should focus on prevention through awareness, not punishment after failure. Seneca emphasized self-awareness as the first defense against moral error. Compliance messaging that only appears after misconduct reinforces fear rather than learning. Ongoing communication about pressure, rationalization, and ethical expectations strengthens resilience before problems arise.
  • Finally, Seneca instructs us that ethical systems fail not because people abandon values, but because they convince themselves that those values can wait. A compliance program that ignores pressure is a program designed to fail when it matters most. Rationalization is the quiet mechanism through which ethical erosion occurs. Seneca shows that delay, exception-making, and “temporary” compromises accumulate into systemic failure. Compliance programs that do not confront rationalization directly leave themselves exposed at their most vulnerable moments.

Conclusion

Seneca exposes the internal dynamics that cause compliance programs to fail under pressure. He shows us how fear, ambition, and rationalization erode ethical judgment, even when rules are clear and controls are in place. But Seneca largely examines the problem from the inside out, focusing on how individuals respond to external forces. That analysis leads directly to the next question in the compliance lifecycle: what responsibility does the individual retain when pressure is real, and authority is unequal? This is where Seneca gives way to Epictetus.

Join us tomorrow as we explore Varro and corporate governance for your compliance regime.

Categories
AI Today in 5

AI Today in 5: February 2, 2026, The On Thin Ice Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. OpenAI/Nvidia deal ‘on thin ice’. (WSJ)
  2. Wearable AI helping stroke victims. (FoxNews)
  3. Financial firms are facing new compliance risks over AI. (CPI)
  4. A playbook for AI compliance and governance. (FinTechGlobal)
  5. Will AI automate compliance? (LawFare)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 1 Cicero on Duty and Ethics

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the BCE and AD eras.

We will consider Cicero and the duty, law, and the moral limits of business;  Seneca and power, pressure, and ethical decision-making under stress; Marcus Aurelius and ethical leadership and tone at the top; Epictetus and accountability, control, and ethical agency; and we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we begin with Cicero and the ethical foundations of the compliance program.

I. Cicero in Context: Duty in an Age of Power and Commerce

Marcus Tullius Cicero lived at the intersection of law, politics, and commerce during the final decades of the Roman Republic. Rome was wealthy, expansive, and deeply corrupt. Provincial governors enriched themselves through bribery and extortion. Political power was routinely monetized. Legal technicalities were used to justify conduct that plainly violated any reasonable notion of fairness or justice.

It was in this environment that Cicero wrote De Officiis (On Duties), a work addressed not to philosophers, but to those who held power and responsibility. Cicero was not interested in abstract virtue. He was interested in how people entrusted with authority should behave when tempted by profit, pressure, or expediency.

For Cicero, duty was not optional. It arose from one’s role and the trust placed in that role. Public office, commercial activity, and leadership all carried moral obligations that custom, convenience, or legal loopholes could not waive. Most importantly, Cicero rejected the idea that what was profitable could excuse what was unethical. Where profit and moral duty conflicted, duty had to prevail.

This framing makes Cicero uniquely relevant to modern corporate compliance. Large organizations, like the Roman Republic, operate through delegated authority, complex incentives, and diffuse accountability. Cicero understood that without an ethical foundation grounded in duty, institutions eventually hollow out, even if they remain technically lawful.

II. The Compliance Problem Cicero Illuminates: When Law Becomes the Ceiling

One of the most persistent failures in corporate compliance programs is treating legal compliance as the ultimate objective rather than the minimum requirement. Organizations ask, “Is it legal?” far more often than they ask, “Is it right?” or “Is this consistent with our obligations as stewards of trust?” Cicero would have recognized this failure immediately. In De Officiis, he warned against the misuse of legal form to justify immoral conduct. He argued that clever interpretations of the law, when divorced from justice, ultimately destroy trust in institutions. This is not merely a moral observation. It is an operational one.

Modern enforcement actions repeatedly demonstrate that misconduct often occurs in plain sight, enabled by policies, approvals, and structures that technically comply with written rules. The Department of Justice has been explicit that a compliance program that exists only on paper, or that focuses solely on technical adherence, will not be viewed as effective. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a company’s program is “well designed,” “applied in good faith,” and “actually works in practice.” These questions implicitly echo Cicero’s concern. A program that treats legality as the ceiling rather than the floor may satisfy internal counsel, but it fails as an ethical governance system.

Cicero teaches that compliance programs must be grounded in duty: to customers, markets, employees, shareholders, and society. Without that grounding, rules become tools for avoidance rather than instruments of integrity.

III. Modern Corporate Application: Cicero, DOJ Expectations, and Real-World Failures

The ECCP places increased emphasis on culture, leadership accountability, and the role of the board. These expectations align closely with Cicero’s insistence that those in power bear heightened ethical responsibility.

Consider enforcement actions involving bribery, corruption, or fraud in which senior leaders claimed ignorance while benefiting from the outcomes. In multiple Foreign Corrupt Practices Act resolutions, the DOJ has rejected arguments that misconduct occurred despite policies, rather than because governance systems tolerated or incentivized it. In cases such as Airbus and Goldman Sachs, regulators highlighted failures in oversight, escalation, and ethical decision-making at senior levels. From a Cicero-inspired perspective, these are failures of duty. Leaders accepted the benefits of authority without fully embracing its obligations. Compliance programs existed, but they were not anchored in a shared understanding that ethical duty limits what is acceptable in profit-seeking behavior.

Applying Cicero to modern compliance design suggests several concrete actions:

First, the code of conduct should be framed as a statement of duties rather than merely a list of prohibitions. Employees should understand not only what is forbidden, but why certain conduct violates the organization’s obligations to stakeholders.

Second, senior leadership accountability must be explicit. Cicero believed that authority magnifies moral responsibility. The DOJ now expects boards and executives to actively oversee compliance, not passively receive reports. A compliance program that cannot demonstrate meaningful leadership engagement will struggle under scrutiny.

Third, incentives matter. Cicero warned that when institutions reward success without regard to means, they invite corruption. Modern compliance programs must align compensation, promotion, and recognition with ethical behavior, not merely financial outcomes. The DOJ has repeatedly emphasized incentives and discipline as indicators of program effectiveness.

Finally, compliance should be positioned as a governance function, not a technical one. Cicero understood law as a moral instrument, not a procedural shield. Compliance professionals should frame their role as guardians of institutional duty, helping the organization navigate gray areas where legal guidance alone is insufficient.

Key Takeaways for Compliance Professionals

1. Ethical Foundation. Compliance professionals should view Cicero as the ethical foundation of a modern compliance program. Cicero establishes that compliance must be grounded in duty rather than fear of enforcement. He frames ethical behavior as an obligation arising from trust and authority, not as a discretionary choice. A compliance program without this foundation risks becoming a technical exercise divorced from purpose.

2. Law as a Floor. Compliance should treat law as the minimum standard, not the ultimate objective. Cicero warned against using legal formality to justify conduct that violates justice and fairness. Modern compliance failures often arise when organizations ask only whether conduct is legal rather than whether it is right. Effective compliance programs must push beyond legality to reinforce ethical judgment.

3. Governance and Stewardship. Compliance should be positioned as a core governance function. Cicero believed that those entrusted with authority act as stewards, not owners, of institutional power. Compliance should therefore be integrated into governance structures rather than treated as a peripheral control function. This positioning reinforces accountability to stakeholders and long-term institutional integrity.

4. Leadership Duty. Compliance should impose heightened ethical obligations on those with power. Cicero argued that authority magnifies moral responsibility rather than diminishing it. Senior leaders and boards must therefore be held to higher compliance expectations, not exempted for performance or status. Ethical leadership is essential to a program’s legitimacy.

  • Compliance should align incentives with integrity, not just results.
  • Cicero warned that rewarding success without regard to means invites corruption. Modern compliance programs fail when compensation and promotion structures undermine stated values. Incentive alignment is a critical control, not a human resources afterthought.

5. Cultural Legitimacy. Compliance should reinforce trust as an institutional asset.

Cicero understood that institutions survive only so long as they retain public and internal trust. A compliance program grounded in duty strengthens credibility with employees, regulators, and stakeholders alike. Trust is not a soft concept; it is the currency of effective governance.

6. Duty Over Expediency. Finally, Cicero teaches that ethical systems collapse when expediency displaces duty. A compliance program that exists only to manage risk or avoid penalties will eventually lose legitimacy. Compliance grounded in duty, by contrast, becomes a stabilizing force for the institution itself.

Conclusion

Cicero provides the compliance professional with the ethical foundation for a program: duty, legitimacy, and moral purpose. But he largely assumes that once duty is understood, it will be followed. Experience tells us otherwise. Modern compliance failures rarely occur because people do not know the rules or the obligations. They occur because pressure, fear, ambition, and rationalization overwhelm judgment at precisely the moments when duty matters most. That is where Cicero necessarily gives way to Seneca.

If Cicero explains why a compliance program must exist and what it must stand for, Seneca confronts the harder question of how ethical commitments erode under stress. The transition from Cicero to Seneca mirrors the transition from program design to real-world operation, when incentives tighten, stakes rise, and ethical clarity is tested. This is where compliance programs are no longer theoretical and where many begin to fail.

Join us tomorrow as we explore Seneca and compliance under pressure, using Cicero’s foundation as the explicit point of departure.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 30 – The Foreign Extortion Prevention Act

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 30 episode, we discuss the Foreign Extortion Prevention Act (FEPA), a significant piece of legislation that fills a critical gap in the FCPA.

Key highlights:

  • Filling the Gap in Anti-Corruption Laws
  • Key Features and Implications of FEPA
  • Challenges in Implementing FEPA
  • The Name and Shame List

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Blog

Returning to Venezuela: Why “Yes, If” Is the Only Defensible Compliance Answer

Most of you readers know that sometimes when I get going on a project, it (the project, not me) just keeps on growing. What started as a podcast with Matt Ellis on the risks of going back into Venezuela expanded out into a series of podcasts on the FCPA Compliance Report and with Mike DeBernardis on All Things Investigations. The podcasts led to a five-part blog post series on the same topic in the FCPA Compliance and Ethics Blog. I then needed to expand the blogs into a book and provide forms, checklists, frameworks, and deployment packs for compliance professionals to help them think through the issues presented in Venezuela and in other similarly high-risk jurisdictions.

All of that has led to the only book on how to return to Venezuela, Returning to Venezuela: The Compliance Guide to Yes, If (Title inspired by Mike DeBernardis). It is available in both print and eBook versions on Amazon.com.

When companies talk about returning to Venezuela, the conversation almost always begins with opportunity. Oil reserves. Market access. First-mover advantage. What the book Returning to Venezuela does is effectively reset that conversation where it belongs for compliance professionals: with reality. It is a disciplined, compliance-first analysis of what it actually means to operate in one of the world’s highest-risk jurisdictions.

The core message is uncompromising but straightforward: Venezuela is not a place for optimism, informal controls, or siloed compliance. It is a stress test. If your compliance program can function there, it can function anywhere. If it cannot, no license, policy, or assurance letter will save you. The book is not a warning label about Venezuela. It is a working manual for how a compliance function should assess risk, design controls, and govern decision-making before commercial momentum takes over.

Step One: Reframing the Risk Assessment

The first way a compliance professional should use Returning to Venezuela is to recalibrate how risk assessments are performed. Traditional country risk assessments often ask abstract questions: corruption perception scores, sanctions status, and enforcement history. Those inputs are necessary, but insufficient. Returning to Venezuela pushes compliance professionals to replace abstract scoring with operational mapping.

Instead of asking whether Venezuela is high risk, the framework asks:

  • Where will government discretion arise?
  • Where can delay be monetized?
  • Where does the business depend on intermediaries?
  • Where does value move, pause, or change form?

This is a critical shift. Risk is no longer treated as a country attribute. It becomes a process attribute. Compliance professionals can use Returning to Venezuela’s structure to redesign their risk assessment around real business steps: procurement, logistics, payment, security, licensing, and dispute resolution.

Step Two: Identifying Pressure Points Before They Become Incidents

Returning to Venezuela is especially useful in helping compliance professionals identify pressure points, not just risk categories. Pressure points are moments where the business is most likely to face demands for improper value, shortcuts, or exceptions. Procurement is one. Customs clearance is another. Security access, utilities, labor approvals, and payment routing are others.

Using Returning to Venezuela, compliance professionals can document:

  • Where pressure is expected;
  • Who owns the decision at that point?
  • What escalation looks like; and
  • When refusal or exit becomes mandatory.

This transforms compliance from a reactive role into a proactive role in designing decision architecture.

Step Three: Using the Checklists as Control Gates, Not Paper Artifacts

A common compliance failure is treating red flags as documentation exercises rather than control mechanisms. One of the strengths of Returning to Venezuela is that its red flags are designed as gates, not records. Each checklist answers a single question: Is this activity governable under our current assumptions?

Compliance professionals can deploy these checklists at defined moments:

  • Market entry discussions
  • Vendor and JV selection
  • Transaction structuring
  • Payment and banking design
  • Security and logistics planning

If a red flag cannot be cleared, the activity cannot proceed. That discipline is what makes the framework defensible. It also protects compliance officers personally, because decisions are anchored in documented governance rather than informal judgment.

Step Four: Integrating Risk Domains Instead of Managing Them in Silos

Another way compliance professionals should use Returning to Venezuela is as a blueprint for breaking down internal silos. The book makes clear that in Venezuela, corruption, export controls, AML, sanctions, security, and extortion are not separate risks. They are interconnected expressions of the same operating pressure. Treating them separately guarantees blind spots.

Practically, this means compliance can use the book to justify:

  • Integrated risk reviews instead of sequential sign-offs;
  • Shared escalation forums across functions;
  • Unified monitoring rather than separate dashboards; and
  • Common exit triggers across risk domains.

This is particularly important for AML. Returning to Venezuela positions money laundering risk not as a standalone compliance obligation, but as the capstone test of whether the entire framework works.

Step Five: Structuring Board Oversight Around Decisions, Not Updates

Too often, boards receive high-level compliance updates that provide comfort but not clarity. Returning to Venezuela gives compliance professionals a way to reframe board oversight around decisions, not reports. Using the board materials and decision templates, compliance can:

  • Force explicit risk acceptance;
  • Document assumptions that underpin approvals;
  • Secure delegated authority to pause or exit operations; and
  • Establish clear revisit and escalation triggers.

This protects both the organization and the compliance function. When conditions change, the discussion is no longer “Why did this happen? ” but “Which assumption failed, and what decision does that trigger? ” That is governance functioning as intended.

Step Six: Building a Repeatable Risk Management Framework

The final and most important way to use Returning to Venezuela is as a template, not a one-off Venezuela playbook. While the facts are Venezuela-specific, the framework is portable. Compliance professionals can lift this framework and apply it to:

  • Other high-risk markets;
  • Post-merger integration;
  • Sanctions-heavy environments; and
  • Complex third-party ecosystems.

The Appendices: The Operational Backbone of Returning to Venezuela: Yes, If

One of the defining features of Returning to Venezuela: The Compliance Guide to Yes, If is that it does not stop at analysis. The appendices convert risk identification into governance, decision-making, and operational control. They are not academic supplements. They are the machinery that makes a “yes, if” decision possible in practice.

Taken together, the appendices form an integrated compliance control stack designed for one purpose: to govern decision-making in an environment where corruption, coercion, sanctions, AML exposure, and weak rule of law are not edge cases but daily conditions.

Appendix A: One-Page Operational Checklists

Appendix A contains a series of one-page checklists, each focused on a distinct but interconnected risk domain. These are not policy summaries. They are operational gating tools meant to be used before decisions are made, not after problems occur.

Appendix B: The CCO Deployment Pack

Appendix B is written from the perspective of the Chief Compliance Officer and is explicitly operational. It is designed to be deployed internally to executive leadership, business sponsors, and control functions.

Appendix C: Board of Directors Materials

Appendix C is aimed squarely at directors and audit or compliance committees. Its function is not to educate boards on Venezuela generally but to structure how boards make, record, and revisit risk acceptance decisions.

Appendix D: Decision-Making Frameworks

Appendix D pulls together the logic underlying the entire book. It provides decision-making frameworks that force organizations to confront uncomfortable realities before committing resources.

How the Appendices Work Together

Individually, each appendix addresses a specific audience or function. Collectively, they form an integrated control system that aligns:

  • Operational decision-making.
  • Compliance authority.
  • Board oversight.
  • Exit discipline.

The appendices are designed to prevent the most common failure pattern in high-risk jurisdictions: waiting until conditions deteriorate before asking hard questions. By then, leverage is gone.

Final Thought

The most important contribution of Returning to Venezuela is that it does not accurately describe risk. It shows compliance professionals how to operate in the real world without surrendering control.

Used correctly, the book becomes a working tool:

  • To assess risk honestly;
  • To design controls that hold under pressure;
  • To align management and the board, and finally
  • To decide when “yes” becomes “no.”

For compliance professionals, that is not just risk management. It is about meeting the business in an operational setting with a risk management strategy for literally the highest risk on earth.

You can purchase Returning to Venezuela: The Compliance Guide to Yes, if on Amazon.com.

Categories
AI Today in 5

AI Today in 5: January 29, 2026, The AI Has Competitive Advantage Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Turning AI governance into a competitive advantage. (FinTechGlobal)
  2. AI is rewriting compliance. (BleepingComputer)
  3. Decoding the human genome with AI. (NYT)
  4. Who is training AI to do your job? (FT)
  5. One way to keep AI out of the classroom. (NPR)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 29 – Enhancing Compliance through Automation

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 29 episode, we explore how Chief Compliance Officers and compliance professionals can enhance their programs through automation.

Key highlights:

  • Challenges in Traditional Compliance Reporting
  • The Role of Reg Ops in Compliance
  • Integrating Tools for Real-Time Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Blog

Is there a FEPA Future in Venezuela?

For U.S. compliance professionals, few jurisdictions raise as many red flags as Venezuela. Decades of entrenched corruption, state capture of key industries, economic collapse, weak rule of law, and the legacy of PdVSA have made the country a case study in what happens when corruption becomes systemic rather than episodic. Now that geopolitical and energy realities are shifting, some U.S. companies are again evaluating whether and how to reenter the Venezuelan market.

Against that backdrop, the passage of the Foreign Extortion Prevention Act (FEPA) represents one of the most significant developments in anti-corruption enforcement in nearly half a century. The question compliance officers are now asking is a practical one: can FEPA actually be used to prevent bribery and corruption for U.S. companies returning to Venezuela, or is it merely a symbolic addition to an already strained enforcement framework?

The answer, as with most compliance questions, is nuanced. FEPA is not a silver bullet. But when properly understood and operationalized, it can meaningfully change the risk calculus for companies operating in high-extortion environments like Venezuela.

The Historic Gap in the FCPA

For decades, the compliance community has lived with a fundamental asymmetry in U.S. anti-corruption law. The Foreign Corrupt Practices Act is a supply-side statute. It criminalizes the offering or payment of bribes by U.S. companies and individuals, but it does not criminalize the demand for those bribes by foreign officials. This gap has long distorted incentives on the ground.

In jurisdictions such as Venezuela, bribery is rarely framed as a voluntary transaction. It is far more often presented as a demand, a condition of doing business, or even a threat, as in the case of extortion. Officials do not ask politely. They delay permits, block shipments, threaten arrests, or endanger employee safety. Until FEPA, U.S. law largely treated this as background noise rather than a prosecutable offense.

FEPA directly addresses that gap by criminalizing the solicitation or acceptance of bribes by foreign officials from U.S. persons or companies. In doing so, it finally targets the demand side of corruption and aligns U.S. law more closely with how bribery actually operates in high-risk countries.

Why Venezuela Is the Ultimate Test Case

If FEPA can work anywhere, it should work in Venezuela. The country’s corruption ecosystem is characterized by pervasive extortion across customs, energy, transportation, security, immigration, and tax authorities. Payments are often demanded not to gain an advantage but to avoid harm. This distinction matters. In Venezuela, the compliance challenge is not simply rogue employees paying bribes. It is employees facing credible threats to liberty, safety, or health. FEPA explicitly recognizes this reality by treating extortion by a foreign official as a criminal act rather than merely a compliance failure by the company.

That framing gives compliance officers something they have long lacked: a legal backbone to support a firm refusal posture. Companies can now say, with credibility, that the demand itself is illegal under U.S. law and subject to DOJ enforcement, even if the official is located abroad.

Extortion, Facilitation, and the Compliance Trap

One of the most dangerous compliance traps in Venezuela has always been the mislabeling of extortion payments. Under the FCPA, facilitation payments occupy a narrow and controversial exception. Extortion payments, however, were never facilitation payments. They were survival payments. FEPA eliminates any lingering ambiguity. Extortion payments involving threats to life, liberty, or health are now clearly illegal, not merely discouraged. This forces compliance programs to confront uncomfortable operational realities.

Policies must explicitly distinguish facilitation from extortion. Employees must be trained that the company will support them if they are threatened, but that any such payment must be immediately documented, accurately recorded, and escalated. Book and record accuracy becomes critical. Mischaracterizing extortion as a routine expense is now a standalone risk under FEPA, not merely an FCPA accounting issue.

FEPA as a Deterrent Tool, Not Just an Enforcement Tool

One of the most overlooked aspects of FEPA is its potential deterrent effect. The statute introduces the possibility of DOJ investigations targeting foreign officials, including public naming and reporting requirements. For officials who interact with U.S. companies, this creates reputational and diplomatic risk that did not previously exist. In Venezuela, where many officials rely on international travel, financial access, and political legitimacy, even the threat of U.S. scrutiny can matter. FEPA does not require immediate extradition to have an impact. The mere existence of a credible enforcement pathway can alter behavior at the margins.

For compliance officers, this means FEPA can be used proactively. Risk assessments should explicitly incorporate FEPA exposure. Third-party due diligence should assess patterns of extortion, not just a history of bribery. Contractual language should reference the reporting obligations for extortion. Training should include scenario-based exercises where employees practice refusing demands and escalating threats.

The Limits of FEPA in Venezuela

None of this should be overstated. FEPA will not cleanse Venezuela of corruption. Extradition of Venezuelan officials is unlikely. Local enforcement cooperation will be minimal. Many officials operate with de facto immunity. But compliance effectiveness has never depended on perfect enforcement. It depends on shifting incentives, setting expectations, and protecting employees. FEPA strengthens all three. From a DOJ perspective, FEPA also changes cooperation dynamics. Companies that proactively document extortion demands, preserve evidence, and report credible threats may be viewed very differently from companies that quietly pay and rationalize. In a Venezuela reentry scenario, that distinction could be outcome-determinative.

What Compliance Officers Should Do Now

For companies considering Venezuela, FEPA must be embedded into program design from day one. This includes updating anti-corruption policies, revising travel and security protocols, enhancing incident reporting mechanisms, and briefing boards on the new enforcement landscape. Most importantly, compliance officers must be realistic. FEPA does not eliminate the need for robust internal controls. It heightens the consequences of getting them wrong. Venezuela will remain a high-risk jurisdiction regardless of statutory innovation.

Five Key Takeaways for the Compliance Professional

1. FEPA Changes the Risk Conversation, Not Just the Law

FEPA fundamentally alters how compliance officers should frame corruption risk in high-extortion jurisdictions like Venezuela. It is no longer only about preventing improper employee payments. It is now about recognizing, documenting, and escalating illegal demands by foreign officials. This allows compliance to move from a defensive posture to a principled refusal backed by U.S. law.

2. Extortion Must Be Explicitly Addressed in Policies and Training

Companies can no longer afford vague language that blurs the distinction between facilitation payments and extortion. Compliance programs must clearly define extortion as illegal, explain how it differs from facilitation payments, and provide step-by-step guidance for employees facing threats to health, safety, or liberty. Scenario-based training is no longer optional in Venezuela risk operations.

3. Books and Records Exposure Has Increased Under FEPA

Accurate documentation is now a frontline compliance control. Any payment made under duress must be recorded precisely and transparently. Mischaracterizing extortion payments as routine expenses or facilitation payments creates a separate and serious compliance failure. Accounting controls, escalation protocols, and audit reviews must be aligned accordingly.

4. FEPA Should Be Embedded in Risk Assessments and Third-Party Due Diligence

Venezuela reentry assessments should explicitly evaluate extortion risk, not merely bribery history. Third parties, customs brokers, security providers, and logistics partners are often the point of pressure. FEPA requires compliance officers to assess whether business partners operate in ways that expose the company to extortion demands and reporting failures.

5. FEPA Strengthens Compliance’s Role as a Strategic Advisor

FEPA gives compliance professionals a credible legal framework to advise management and the board on when and how business can be conducted safely. It reinforces the message that walking away from certain transactions is not risk aversion but risk management. In Venezuela, FEPA can help compliance professionals draw clearer red lines and protect both the company and its people.

The Bottom Line

So, could FEPA be used to prevent bribery and corruption for U.S. companies returning to Venezuela? Not entirely. But it can materially reduce risk, empower employees, and change how companies engage with corrupt systems. For the first time, U.S. law squarely acknowledges what compliance professionals have always known: bribery often begins with a demand. By criminalizing that demand, FEPA gives companies a stronger legal and ethical foundation to say no.

In a country like Venezuela, that may be the most important compliance tool of all.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 28 – The Importance of Data Governance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 28 episode, we look into the crucial importance of data governance in the realms of compliance and cybersecurity.

Key highlights:

  • The Role of Data Governance in Compliance and Cybersecurity
  • Data Governance and ESG
  • Understanding Data Privacy Laws

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Great Women in Compliance

Great Women in Compliance: A Next-Gen Video of Ethics and Compliance

In this episode of the Great Women in Compliance Podcast, Lisa Fine and Sarah Hadden (Gen X) are joined by Rebecca Anker and Emily Frank for an engaging conversation on what the next generation needs from ethics and compliance. Rebecca, Gen-Z, and Emily, a millennial, share candid insights shaped by their experiences as part of the emerging workforce.

The discussion explores the real-life impact of generational influences—from questioning hierarchy and outdated practices to prioritizing transparency, usability, and minimizing the traditional reliance on hierarchy. Rebecca and Emily discuss how the rising stars in the profession are taking the evolution to a collaborative, service-oriented function that partners with the business and clearly explains the why behind policies and decisions to new levels.

They also discuss current topics, including creative, shorter training approaches, balancing regulatory requirements with innovation, responsible AI use, and rethinking speak-up programs. They discuss why language matters, why “whistleblower” may no longer resonate, and how normalizing the act of raising concerns can strengthen speak-up culture across generations.

The episode wraps with practical advice from Rebecca and Emily for more “seasoned” compliance professionals to stay curious and engage with new voices and ideas. It is exciting to see where they and their peers will take the profession.