Categories
Compliance Into the Weeds

Compliance into the Weeds: Duty Owed vs. Material Nonpublic Information: Prediction Markets and Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss prediction markets and their implications for compliance.

Tom and Matt focus on the phrase “violation of a duty owed” by employees and note that this standard appears significantly broader than traditional insider trading laws. They explain that insider trading law centers on the disclosure of material nonpublic information, whereas a “duty owed” framework emphasizes the underlying duty itself. Because “duty owed” could encompass obligations beyond material nonpublic information, the speaker highlights the potential compliance implications and expresses interest in exploring a related hypothetical scenario.

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Daily Compliance News

Daily Compliance News: April 8, 2026, The Fleeing Binance Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Social engineering scams in banking. (FT)
  • Tariff fraud and accounting tricks. (NYT)
  • Compliance professionals are leaving Binance. (Bloomberg)
  • Dirty accounting jobs and AI. (WSJ)

Categories
Innovation in Compliance

Innovation in Compliance: Dr. Rohan Lall: Innovation, Clinical Evidence, and Compliance in Electrifying Spine Surgery

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox visits with Dr. Rohan Lall, a clinically trained Neurological Surgeon and Chief Medical Officer of SynerFuse, about innovation in spine surgery and the compliance infrastructure needed to support it.

Dr. Lall explains TLIF (transforaminal lumbar interbody fusion) and ETLIF, which integrates direct nerve root stimulation into reconstructive spine surgery to address persistent pain from chronically injured nerves even after decompression and fusion. Dr. Lall describes the innovation as team-driven, highlighting collaboration and detailing the regulatory path for a novel Class III device, including a feasibility proof-of-concept study, third-party data management, and an independent data and safety monitoring board. Dr. Lall outlines how compliance leaders should align with business speed while managing FDA requirements, data integrity, ethics, and risk, and he notes future impacts from neuromodulation, robotics, and image guidance.

Key highlights:

  • Back Surgery Basics and Electrified TLIF Explained
  • Innovation Origin Story
  • Regulatory and Collaboration Hurdles
  • Clinical Trials and Data Integrity
  • How Compliance Can Help Innovators

Resources:

Dr. Rohan Lall on LinkedIn

SynerFuse Company Website

Innovation in Compliance is a multi-award-winning podcast that was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.

Categories
Daily Compliance News

Daily Compliance News: April 3, 2026, The Pam Bondi Fired Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

Categories
All Things Investigations

ATI In-House Insights: Navigating Internal Investigations: A Conversation with Mike Gill

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. This is a special series featuring insights from in-house practitioners, hosted by Mike DeBernardis. In this podcast, Mike D visits with Mike Gill, Assistant GC and Director of Investigations at HII, on conducting internal investigations from an in-house perspective in a defense shipbuilding environment.

Gill says the first concern when allegations arise is immediate safety risk to employees and the integrity of work affecting Navy and other military customers, followed by designing an investigation that will be viewed as timely, accurate, and credible. He emphasizes scoping, planning, selecting the right team (including technical experts and, sometimes, outside counsel), and establishing disciplined communication and reporting lines to management and customers while protecting privilege. Gill highlights building employee trust through fair processes, enforcement of anti-retaliation policies, and appropriate follow-up, and notes common mistakes: jumping to conclusions, failing to bound scope, and inadequate planning.

Key highlights:

  • Safety First Priorities
  • Architecting the Investigation
  • Scope Planning and Team
  • Protecting Privilege
  • Culture and Fairness
  • Anti-Retaliation Trust
  • Top Mistakes to Avoid

Resources:

Hughes Hubbard & Reed website

Mike DeBernardis

Mike Gill on LinkedIn

Categories
Sunday Book Review

Sunday Book Review: March 29, 2026, The Top Books for COs Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books that every compliance professional should read and have in their library.

  1. The Complete Works of Sherlock Holmes by AC Doyle
  2. Higher Ground by Alison Taylor
  3. The Honest Truth About Dishonesty by Dan Ariely
  4. The Power of Habit by Charles Duhigg

Categories
AI Today in 5

AI Today in 5: March 19, 2026, The Elasticity Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Elasticity as a compliance standard in the age of AI. (UCToday)
  2. Context-first AI for Co-Pilot. (FinTechGlobal)
  3. AI agents to reduce discovery costs. (BusinessWire)
  4. GSA AI clause. (Holland & Knight)
  5. How the military is using AI. (CBS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

Vendor AI Risk Is the New Third-Party Risk Frontier: From Contracts to Compliance Evidence

For years, compliance professionals have understood a basic truth about third-party risk: your company can outsource a function, but it cannot outsource accountability. That principle has long applied to distributors, agents, resellers, consultants, customs brokers, and supply-chain partners. In the age of artificial intelligence, it now applies equally to AI vendors.

And here is the key issue. Most companies are not building AI entirely in-house. They are licensing models, embedding third-party copilots, procuring AI-enabled platforms, connecting external APIs, and relying on vendors for everything from data enrichment to automated decision support. In other words, the AI stack is increasingly a third-party stack.

That means AI governance is rapidly becoming a third-party risk management problem. For compliance officers, this is a critical shift. The question is no longer simply whether your organization is using AI. The question is whether you have sufficient contractual leverage, operational visibility, and documentary evidence to demonstrate that third-party AI risk is managed in a credible, defensible, and scalable manner. If the answer is no, then your AI program may be far less mature than it looks on the PowerPoint slide.

AI Is Rarely a Standalone Tool

One of the most dangerous myths in the current AI conversation is that “the AI” is a single product that can be evaluated once and approved once. That is not how most enterprise deployments work. A single AI-enabled workflow may involve a foundation model provider, a cloud host, a retrieval layer, one or more data processors, a business application vendor, and internal configuration choices that change over time. Add subcontractors, model updates, and cross-border data flows, and you begin to see the real picture. The risk does not sit neatly with any single vendor. It sits across an ecosystem.

That matters because when something goes wrong, regulators, plaintiffs, auditors, and boards will not care that the problem sat in a vendor dependency chain. They will ask what your company knew, what it required, what it monitored, and what evidence it retained. The bottom line is that vendor AI risk has to move out of the procurement annex and into the core compliance framework.

Start with a More Realistic Definition of Third-Party AI Risk

When many companies think about vendor AI risk, they default to privacy and cybersecurity. Those issues are absolutely important, but they are only the beginning.

Third-party AI risk can also include opaque training data, weak model governance, unexplained output variability, inaccurate summarization, hidden subcontractors, unauthorized data retention, insufficient segregation of customer data, model changes without notice, untested bias, poor incident response, weak record retention, and limited auditability. If the tool affects regulated processes, the stakes rise even higher.

Think about the real-world use cases now being deployed. AI tools support customer communications, onboarding, HR screening, contract review, due diligence triage, transaction monitoring, investigations, and report drafting. In each of those settings, the company may be relying on output it did not fully generate, cannot fully inspect, and may not be able to reproduce later without the right controls in place.

That is where compliance must lean in. The core question is not whether the vendor claims to use responsible AI. The core question is whether your company can obtain sufficient evidence that the system is well-controlled for its intended use.

Contracts Are the First Line of Governance

If AI risk is outsourced to vendors, contracts become the first line of governance. Yet too many AI agreements still read like standard software contracts with a few privacy words sprinkled on top. That is not good enough. A sound AI vendor agreement should, at a minimum, address permitted use, data rights, confidentiality, security, model-change notification, subcontractor transparency, performance expectations, audit rights, incident reporting, regulatory cooperation, and termination support.

Most importantly, the contract should define the use case. That sounds basic, but it is essential. A vendor tool approved for low-risk drafting support is not automatically appropriate for high-impact decision-making. If the intended use is not defined, the actual use will drift. And drift is where governance begins to fail. The agreement should also make clear what data the vendor can use, for what purpose, and for how long. Can the vendor use your inputs to train its models? Can it retain prompts or outputs? Can it use metadata to improve service? Can affiliates or subprocessors access the data? If those questions are not answered with precision, you lack clarity. You have hope. Hope is not a control.

SLAs Need to Measure More Than Uptime

Service level agreements are another area where companies need to upgrade their thinking. Traditional SLAs focus on uptime, availability, and support response times. Those are still necessary, but with AI, they are not sufficient. For an AI-enabled service, the SLA discussion should expand to include quality, reliability, explainability support, incident escalation, and change transparency. A system can be available 99.9% of the time and still produce garbage. That is not a service success. That is a control failure delivered efficiently.

I am not suggesting that every company can negotiate custom model-accuracy guarantees from every AI vendor. In many cases, that will not be realistic. But companies can require practical commitments around things like response logging, traceability, notification of material model or system changes, error-handling workflows, and support for validation testing. They can define turnaround times for incidents involving hallucinations, security breaches, inappropriate outputs, or data leakage. They can require that the vendor cooperate with investigations and remediation.

That is where the compliance function should partner closely with legal, procurement, information security, and the business owner. The goal is not to demand impossible warranties. The goal is to create enough visibility so that the company is not flying blind.

Audit Rights Must Be Usable, Not Decorative

Many vendor contracts include broad-sounding audit clauses that are so restricted, delayed, or indirect that they provide little real assurance. In the AI context, that problem is magnified. If you cannot meaningfully assess controls over data handling, model governance, subprocessors, logging, incident response, and change management, then your audit right is little more than legal wallpaper.

A usable audit-right framework does not always mean sending a team on-site with clipboards. It can include layered assurance mechanisms: independent third-party assessments, SOC reports, model governance summaries, penetration-test results, bias testing documentation, incident logs, certifications, tabletop exercise results, and the right to ask targeted follow-up questions. In higher-risk arrangements, it may also include deeper review rights, validation support, or the ability to commission an independent assessment.

From Due Diligence to Ongoing Monitoring

Once a contract is signed, the real work begins. Models change. Vendors add subprocessors. Features evolve. Use cases expand. Business users discover new workflows that procurement never contemplated. A vendor that began as a low-risk drafting tool can quietly become embedded in a regulated process six months later. That is why monitoring matters.

Companies should inventory AI vendors and classify them by risk. They should map which business processes depend on them, what data they touch, what decisions they inform, and what regulatory exposure they create. They should require periodic attestations, monitor control changes, review incidents, reassess data use, and revisit whether the tool is being used in line with approved purposes.

This is also where shadow AI becomes a third-party problem. Employees often access AI functionality through existing vendors before compliance even realizes it is enabled. Suddenly, a platform you bought for workflow management has rolled out AI summarization, drafting, or analytics features. If no one is watching vendor change notices and product updates, the company can slide into AI use without ever consciously approving it. That is a governance gap.

Build a Compliance Evidence File

If there is one practical takeaway, it is this: for significant AI vendors, build a compliance evidence file.

By that, I mean a documented record showing the rationale for approval, the use case, the risk classification, the key contractual controls, the diligence performed, the evidence reviewed, the approvals obtained, and the monitoring steps required going forward. If the vendor supports a high-risk process, the file should also include validation results, escalation pathways, and a record of any incidents or material changes.

Why does this matter? Because when the board asks why the company trusted a third-party AI tool, you need a better answer than “the business wanted it.” When internal audit asks how control assurance was established, you need something more concrete than “a legal review of the contract.” And when a regulator asks how the company oversees outsourced AI risk, you need documentation that demonstrates a repeatable, risk-based process.

Five Questions Every CCO Should Ask

Every Chief Compliance Officer should be asking five simple questions right now.

  1. Do we know which vendors in our ecosystem are using or enabling AI?
  2. Have we classified those vendors based on data sensitivity and the business impact of the use case?
  3. Do our contracts clearly address data rights, change notification, incident response, and usable audit rights?
  4. Do our SLAs measure what matters for AI-enabled services, not just uptime?
  5. Can we produce evidence showing why a vendor was approved, what controls we relied on, and how the relationship is being monitored?

If the answer to any of those questions is no, the work is not done.

The Bottom Line

Third-party risk has always been about visibility, leverage, and evidence. AI does not change that. It intensifies it. The organizations that manage vendor AI risk well will not be the ones with the flashiest AI procurement strategy. They will be the ones that define use cases carefully, contract for transparency, demand usable assurance, monitor continuously, and retain evidence that their oversight is real.

That is where compliance comes in. Not as the department that slows innovation down, but as the function that makes outsourced innovation governable. Because in the end, if AI is rarely in-house, then AI governance cannot be either.

Categories
All Things Investigations

ATI In-House Insights: Challenges and Tips for Navigating a Changing Risk Landscape with Sarah Iles

In this episode of the ATI: In-House Insights Podcast, Mike DeBernardis speaks with seasoned in-house compliance leader Sarah Iles about navigating an ever-changing risk landscape shaped by political, geopolitical, regulatory, and technological shifts.

Sarah shares her background across manufacturing sectors and discusses how multinational compliance risks evolve as jurisdictional priorities shift, including sanctions, export controls, tariffs, sustainability, labor rights, data protection, and AI. They identify internal challenges, including a lack of infrastructure to address new risks, siloed ownership, and weak change management, and emphasize clear governance and accountability. Sarah advises “back to basics,” using DOJ’s Evaluation of Corporate Compliance Programs, focusing on real risk mitigation over form-heavy questionnaires, keeping communication channels open through formal committees and informal connections, scaling risk assessments appropriately, targeting communications to relevant audiences, escalating thoughtfully, and building resilient programs by expecting and embracing constant change.

Key highlights:

  • Geopolitics Drives Risk
  • Internal Adaptation Hurdles
  • Silos and Ownership
  • Culture and Change
  • Proactive Compliance Basics
  • Partnering With Business
  • Right-Sized Risk Assessments
  • Communicating Emerging Risks

Resources:

Sarah Iles LinkedIn

Mike DeBernardis LinkedIn

ATI: In-House Insights Podcast

Hughes Hubbard & Reed Website

Categories
Blog

AI Is Only as Good as the Data: What Compliance Leaders Need to Know About Data Readiness

There is an old lesson in compliance that remains evergreen: bad facts produce bad decisions. The same is true for data science: Garbage In, Garbage Out (GIGO). In the GenAI era, that lesson has a new twist. Bad data produces bad outputs at machine speed.

That is why the report, Taming the Complexity of AI Data Readiness, deserves the attention of every Chief Compliance Officer, compliance technologist, and board member who asks management, “What is our AI strategy?” The better follow-up question is, “What is our data readiness strategy?” Because the report makes one point with unmistakable clarity: the model is not the mission; the data foundation is.

For compliance professionals, this is not a technical side issue. It is central to the enterprise risk conversation. If your organization is training, testing, or deploying AI on messy, siloed, biased, stale, or poorly governed data, you are not building a competitive advantage. You are industrializing risk.

The Dirty Little Secret of Enterprise AI

The report lays out a reality that will not surprise anyone who has lived through a data initiative. Most organizations are not ready. Only 7% of survey respondents said their company’s data was completely ready for AI adoption. By contrast, 51% said it was only somewhat ready, while 27% said it was not very or not at all ready. Only 42% said their organization had high trust in its AI data, and 73% agreed their company should prioritize AI data quality more than it currently does. That should give every compliance officer pause.

We are living through a corporate rush toward GenAI, yet most companies are still stuck at the same old starting line: fragmented, inconsistent, poorly governed data. Many AI conversations inside companies still begin with use cases, copilots, and vendor demos. Far fewer begin with data lineage, data permissions, data quality, or governance maturity. That is a mistake.

If the underlying data is unreliable, the downstream output will be unreliable as well. Worse, it may arrive dressed up in polished prose, persuasive charts, or tidy summaries that create a false sense of confidence. In compliance, that is especially dangerous. Whether the use case is sanctions screening, due diligence, internal investigations, policy management, financial controls, or regulatory reporting, a bad answer delivered quickly is still a bad answer.

Bad Data Is Not Just a Tech Problem

One of the most useful parts of the report is how it frames the core barriers. The top challenge cited by respondents was siloed data and difficulty integrating sources at 56%. After that, a lack of a clear data strategy ranked 44%, and data quality or bias issues ranked 41%. Other concerns included regulatory constraints on data use, unclear data lineage, inadequate security, and outdated data. Every one of those should sound familiar to compliance professionals.

Siloed data means incomplete visibility. Weak lineage means you may not be able to defend how an answer was generated. Bias in the data means distorted outputs. Outdated data means inaccurate decisions. Weak security exposes sensitive information. Regulatory constraints mean the company may not even have the right to use certain data the way its AI aspirations assume.

The report underscores this point. 52% of respondents identified inaccurate or biased AI results as a top concern, while 40% cited the loss of security or intellectual property. That is not abstract. That is the modern compliance risk register.

Can We Trust the Data?

A quote from Teresa Tung of Accenture in the report is worth lingering over. She said data readiness means “you can access data to see an accurate view of what is happening in your business and what you can do about it.” That is also a very good working definition of compliance intelligence.

A mature compliance program helps a company understand what is happening inside the business and what should be done in response. That means your hotline data, your gifts and entertainment data, your training metrics, your third-party files, your investigation records, and your control data all need to mean what you think they mean.

The report makes this point with a simple example. Price data is not useful unless you know whether it is in U.S. or Australian dollars, whether it is a unit or bulk price, and when it applies. The compliance equivalent is easy to imagine. A third-party risk flag is not useful unless you know what triggered it, what jurisdiction it covers, how recently it was refreshed, what source produced it, and whether anyone validated it. Context is a control. Without it, data can mislead just as easily as it can inform.

Why This Is Becoming a Board-Level Issue

Another important finding is that only 23% of organizations have created a data strategy for AI adoption, although 53% are currently developing one. In other words, companies know they have a problem, but most are still working through it. This is where compliance can truly function as a business enabler.

The best compliance leaders know that governance is not the enemy of innovation. Governance is what makes innovation scalable and sustainable. If the business wants to use AI at scale, compliance should request a documented AI data strategy that addresses security, privacy, data quality, governance, accessibility, bias management, and alignment with business objectives.

The report found that security and protection of sensitive data were the most critical elements of such plans, at 59%, followed by clean, usable data quality at 46% and data governance at 41%. That is not just an IT checklist. That is a board conversation.

Bring AI to the Data

The report also discusses a concept compliance professionals need to understand: data gravity. Large and sensitive data sets tend to stay where they are because moving them is costly, slow, and risky. Increasingly, organizations are turning to architectures that bring AI processing to the data rather than moving data to the model. The report highlights approaches, such as zero-copy access and containerized applications, that can reduce latency, control costs, and address security and sovereignty concerns. This matters greatly for compliance.

Many regulated environments cannot simply move sensitive data across systems or borders because a vendor wants a cleaner AI workflow. Privacy laws, localization rules, contracts, and plain good judgment all cut against that approach. If AI can be brought to the data rather than copying data into multiple new environments, the organization may reduce both operational and compliance risk.

Compliance officers do not need to become cloud architects. But they do need to ask the right questions. Are we duplicating sensitive data unnecessarily? Are we crossing jurisdictional lines? Can we explain lineage, access, and security? Are we creating an AI environment that looks controlled or improvised?

Agentic AI: Real Promise, Real Risk

The report is optimistic about the potential of agentic AI for data management. 47% of respondents said their organizations believe agentic AI can solve data quality issues, and 65% expect many business processes to be augmented or replaced by agentic AI over the next 2 years. Experts cited benefits such as mapping data, documenting it, performing quality checks, monitoring drift, and automating routine tasks that previously required significant manual effort.

There is real promise here. Compliance teams spend far too much time on manual work that adds little strategic value. Tools that can responsibly automate mapping, documentation, testing, triage, or drift monitoring deserve serious attention.

But this is no place for magical thinking. The report is equally clear that success requires the right team: data engineers, domain experts, prompt expertise, and a product owner aligned to a business objective. That is the lesson. Agentic AI does not eliminate the need for governance. It raises the stakes for governance. If you automate poor judgment on top of poor data, you do not get efficiency. You get scalable failure.

Five Questions for Every CCO

So what should compliance leaders do now? Start with five questions.

  1. Which AI use cases in our company depend on sensitive, regulated, or high-risk data?
  2. Can we explain the lineage, quality, freshness, permissions, and context of that data?
  3. Do we have a documented AI data strategy, or are we confusing pilots with governance?
  4. Are we moving data in ways that create avoidable privacy, security, or sovereignty risks?
  5. Who owns the meaning of the data?

That final question may be the most important. The report stresses that the business must own the data so it is described properly and used correctly. Data is not just a technical asset. It is a business asset with legal, ethical, and operational meaning. Compliance should insist that meaning be defined before AI starts drawing inferences from it.

The Bottom Line

The great temptation in the AI era is to focus on the model’s brilliance. The wiser course is to focus on the data’s readiness. That is where trust begins. That is where defensibility begins. And that is where sustainable value begins. For compliance professionals, the message is plain. AI governance that ignores data readiness is not governance at all. It is wishful thinking with a dashboard.

The organizations that win with AI will not simply have more tools. They will have better data, better lineage, better controls, better discipline, and better judgment about when and how to use AI. In compliance, that is not glamorous. But it is where real success usually lives.