Categories
Daily Compliance News

Daily Compliance News: March 5, 2026, The DOJ and State Bars Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Regulators need to catch up on private credit risk. (WSJ)
  • DOJ wants authority over state bar discipline. (NYT)
  • Head of UK police union arrested for corruption. (TheGuardian)
  • When part of compliance moves to protection. (FT)

Categories
Compliance Into the Weeds

Compliance into the Weeds: SDNY’s New Declination Policy: Crime Categories, Cooperation, and Compliance Implications

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the recently announced Southern District of New York standard for declinations.

They look at SDNY U.S. Attorney Jay Clayton’s newly released self-disclosure, cooperation, and declination policy and its implications for corporate compliance. While the core elements (prompt voluntary disclosure, cooperation, remediation, and restitution) mirror existing DOJ expectations, they highlight a significant change: SDNY now defines “aggravated circumstances” as certain categories of crime that are categorically ineligible for declinations, including foreign corruption/FCPA, sanctions evasion, terrorism, sex trafficking of minors, smuggling, drug cartels, and forced labor, rather than focusing on offense traits such as senior management involvement or recidivism. They note potential inconsistencies with DOJ’s corporate enforcement approach, uncertainty about disclosure timing despite references to promptness and pre-investigation disclosure, broad discretion in enforcement, and the risk of forum shopping.

Key highlights:

  • Why SDNY Declinations Matter
  • Clayton Policy Key Changes
  • Aggravated Circumstances Redefined
  • FCPA Carve Out Confusion
  • Timing and Disclosure Pressure
  • Cooperation Restitution Disgorgement

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Blog

SDNY Just Raised the Stakes on Self-Disclosure: What Compliance Leaders Must Do in the First 14 Days

For years, compliance leaders have worked under a simple reality: if the government learns about a problem from someone else first, you have already lost leverage. The Southern District of New York (SDNY) just sharpened that reality into a clear, public framework. Its Corporate Enforcement and Voluntary Self-Disclosure Program for Financial Crimes, effective February 24, 2026, is not subtle. It is designed to force an earlier decision and to reward companies that make that decision fast and transparently, with meaningful remediation and restitution.

This is not just a fraud prevention or reporting program. It reaches conduct that can show up in any company: accounting games, deceptive disclosures, market-facing misconduct, and the broader universe of financial crime risks that sit adjacent to bribery-and-corruption controls. If you are running a compliance program, you should read this initiative as a warning: even when the underlying misconduct is not charged as “bribery,” the financial-crimes hook is often where prosecutors live. You may think you are managing “corruption risk.” SDNY is telling you it is also “market integrity” and “victim harm” risk.

And SDNY is pairing that message with something rare in enforcement policy: speed. SDNY says qualifying companies “can expect to receive a conditional declination letter within two to three weeks of self-reporting.” That is a flashing sign for CCOs: the window for decision-making just got smaller.

The SDNY Is Pushing Fiduciary Duty and Stewardship

Business executives usually talk about self-disclosure as a tactical choice. Compliance professionals have long known better, and now the SDNY frames it as something deeper: governance and duty. The program states that corporate leaders are “fiduciaries” with a “fundamental duty” to ensure integrity and transparency, and it positions voluntary self-disclosure as a core act of good corporate citizenship and stewardship. It will be interesting to see whether this “fundamental duty” to ensure integrity and transparency, together with the framing of corporate leaders as “fiduciaries,” brings a new level of Caremark scrutiny to Delaware.

That language matters. It is not only prosecutors describing a pathway to leniency. It is prosecutors telling boards and executives what they believe ethical leadership requires when the company discovers misconduct that harms markets, counterparties, customers, or investors. In other words, SDNY is trying to turn self-disclosure into a leadership test.

The Carrot is Real and Designed to Change Behavior

SDNY’s incentives are intentionally strong. If a company meets the program requirements, including timely voluntary self-disclosure, full cooperation, and timely remediation, the SDNY says it will issue a declination and will not prosecute the company. It also states that there will be no criminal fine and that, if the company pays appropriate restitution to victims, SDNY will not require forfeiture. Even more significant for compliance leaders is the following: SDNY says it “generally will not require” an independent compliance monitor for a qualifying company.

Those are meaningful benefits. They are the kind of benefits that can change what a board is willing to authorize in the first two weeks of a crisis. But the benefits only matter if you can move fast enough, gather credible facts, and maintain control of the narrative.

The First 14 Days: what compliance leaders should do now, not later

If SDNY is telling you it can issue a conditional declination letter in “two to three weeks”, then your internal process cannot take three weeks to decide whether you even have a problem. The ethical governance move is to treat the first 14 days as a disciplined sprint, one that protects truth, protects victims, and protects the integrity of your program.

Days 1–2: Triage without spinning

Your first obligation is to stop the bleeding and preserve facts. That means:

  • immediate escalation into a controlled response team (Compliance, Legal, Finance, Internal Audit, IT/security, and, if needed, HR),
  • an evidence preservation hold that includes chat platforms, mobile devices, third-party messaging, deal rooms, and personal email, where permitted, and
  • a decision to ring-fence relevant individuals, accounts, and transactions so you do not create new harm.

Ethically, this is where senior leadership proves it wants the truth, not just a version of it.

Days 3–5: Board notice and decision rights

If you are waiting for “certainty” before you brief the board or a board committee, you are already behind the SDNY clock. The goal is not to accuse. The goal is to establish governance: decision rights, cadence, and oversight. SDNY’s fiduciary framing means this cannot be treated as a management-only event. The board must be positioned to make an informed decision on disclosure, remediation, and restitution as facts develop.

Days 6–10: Outside counsel, scoped investigation, and credibility building

This is when you decide whether to engage outside counsel and forensic support to ensure independence and speed. For SDNY purposes, credibility is currency. The company needs to show it can:

  • identify the misconduct,
  • identify who was involved,
  • quantify harm, including victims and losses,
  • explain control failures, and
  • demonstrate remediation beyond “we are reviewing policies.”

Remember: SDNY’s program is built around concrete action: self-reporting, cooperation, remediation, and restitution. If your internal processes create delay and ambiguity, you are squandering the very benefits SDNY offers.

Days 11–14: Regulator strategy and the self-disclosure decision

This is the moment of ethical leadership. You will not know everything. You will know enough to determine whether misconduct occurred and whether it falls into a category SDNY will view as market-harming or integrity-compromising. SDNY is offering a structured benefit for early self-reporting, but it is also signaling that waiting for a subpoena is not a strategy.

Five Lessons for the Compliance Professional

Lesson 1: SDNY is reframing self-disclosure as a fiduciary duty rather than optional crisis PR.

The program’s emphasis on leaders as “fiduciaries” with a “fundamental duty” of integrity and transparency is a direct ethical challenge to boards and executives. If your organization treats disclosure solely as a legal risk calculation, SDNY is telling you that you have already missed the governance point.

Lesson 2: Speed is now a moral and operational requirement.

The “two to three weeks” commitment to a conditional declination letter is SDNY saying: “Do not slow-walk the truth.” In compliance terms, timeliness is not merely a matter of efficiency. It is ethical stewardship. Delay increases harm, increases victim loss, and increases the chance that someone else tells your story first.

Lesson 3: Restitution is not a side issue; it is a core ethical outcome.

SDNY’s program explicitly states that paying “appropriate restitution to victims” is central, and it links that to the decision not to pursue forfeiture. Compliance leaders should read this as a directional signal: the government is measuring corporate ethics by whether the company makes harmed parties whole, not merely by whether it updates a policy.

Lesson 4: The benefits are real, but they are earned through cooperation and remediation that changes behavior.

No prosecution, no fine, and generally no monitor are extraordinary incentives. But SDNY is also telling you what it values: companies that step forward, cooperate fully, remediate quickly, and do not play games with facts. Ethically, this is “clean hands” enforcement: if you want mercy, show you deserve it.

Lesson 5: Some conduct is simply disqualifying, and compliance must stop pretending every risk is manageable with process.

SDNY calls out aggravating circumstances that can make a company ineligible for a declination under the program. The list includes conduct tied to terrorism, sanctions evasion, foreign corruption, trafficking, cartels, forced labor, violence, and related financing or laundering. That matters because it draws an ethical boundary: there are categories of wrongdoing so corrosive that the “cooperate and remediate” story is not enough. For CCOs, the lesson is to build escalation protocols that treat these risks as existential and non-negotiable.

A Blunt Wake-up Call: The Cost of Not Self-Reporting is Going Up

SDNY is trying to end the era of corporate hesitation. The program signals that a company’s decision not to self-report will weigh heavily against it when prosecutors later assess resolutions. This is the part compliance leaders must say out loud internally: the old playbook of “let us wait and see” is increasingly incompatible with how prosecutors say they will exercise discretion. If your organization has not pre-built a rapid disclosure decision tree, you are asking to miss the window SDNY is dangling in front of you. You will not get the benefit of a program you were not prepared to use.

Conclusion: Compliance and Ethics that Move at Prosecutorial Speed

The SDNY initiative is not merely a new memo. It is a redefinition of what “responsible corporate conduct” looks like in real time. It asks boards and senior executives to behave like fiduciaries: to choose integrity and transparency early, to protect victims through restitution, and to treat cooperation and remediation as proof that the company is worthy of trust. For the compliance professional, the message is simple and uncomfortable: your program will not be judged by the elegance of your policies. It will be judged by whether your leadership can tell the truth quickly, act with stewardship, and make hard decisions when the facts are incomplete but the duty is clear.

Categories
Blog

The Dog Bite Defense Fails Again – Defendant Found Guilty in FCPA Trial

To the surprise of absolutely no one, former Corsa Coal executive Charles ‘Hunter’ Hobson was found guilty last week of FCPA violations. As most readers of this blog know, I am a recovering trial lawyer. I almost always represented corporations as defense counsel during my trial lawyer career. In the trial lawyer world, there are four recognized defenses to any claim, which are known as the “Dog Bite Defenses”. They are:

  1. My dog didn’t bite you.
  2. Even if my dog did bite you, it’s because you provoked him.
  3. Even if my dog did bite you, you really aren’t injured.
  4. My dog didn’t bite you because I don’t have a dog.

The fourth version of the Dog Bite defense is certainly an ‘all-in’ move. You had either (1) better be right or (2) have some big kahunas to make that argument to a jury with a straight face.

Defense No. 1 – Hobson did not pay or direct anyone to pay.

Hobson’s attorneys said the government was overreaching by charging Hobson with FCPA violations, on several grounds. His lawyer argued that Hobson did not know about, pay for, or direct any bribes by Nassar. “Mr. Hobson never saw Ahmed the broker pay any money to anyone,” his attorney told the jury in the opening. Further, counsel argued, Hobson never hired Ahmed, the broker, and never paid him. Corsa hired Ahmed, the broker; Corsa paid Ahmed, the broker; and Corsa approved Ahmed’s commissions, not Mr. Hobson.

Defense No. 2 – Social custom in Egypt says it’s OK to pay a bribe.

Attorneys for Hobson tried to undermine the government’s expert witness by pointing to opinions he had given that bribery was not only not illegal in Egypt but actually socially acceptable. They confronted Mohamed Arafa, an adjunct professor focusing on comparative law at Cornell University, with law review articles he had previously written in which he said that corruption was “commonly accepted and had become the ‘social law’” in Egypt. The professor distinguished the expert opinion on Egyptian law that he offered at trial from his prior scholarly opinions on whether people adhered to that law in modern Egypt. Santoni quoted him: “I’m not here to talk about that; I’m here to talk about the law. … Saying something like that does not make the act legal.”

Defense No. 3 – His bosses approved it.

Here, Hobson tried to argue that once Nassar was paid his commission, which was due and owing, it was not up to Hobson what Nassar did with it, nor was it “Corsa’s money” any longer. Hobson’s attorney, Price, also told the jury: “Mr. Hobson never saw Ahmed the broker pay any money to anyone. Mr. Hobson never hired Ahmed the broker, Mr. Hobson never paid Ahmed the broker. Corsa hired Ahmed the broker, Corsa paid Ahmed the broker, and Corsa approved Ahmed’s commissions, not Mr. Hobson.” His counsel also said that Hobson had been tasked with opening up new foreign markets for Corsa. Having never dealt in Egypt before, he spoke with employees of a company that had recently merged with Corsa and had done business there, who connected him with Nassar.

Defense No. 4 – Ahmed wasn’t a government official.

Here was the truly all-in defense (I don’t own a dog). It was that Ahmed was not a government official and did not work at an instrumentality of the Egyptian government. In his cross-examination of cooperating witness Frederick Cushmore, Jr., who worked for Hobson, defense counsel questioned Cushmore about any indications he had that Al Nasr was affiliated with the Egyptian government. This was obviously an attempt to take the entire case out of the FCPA by arguing that one of the statute’s elements was not present: that the payments were directed to a government official or to someone at a government-affiliated company. But Cushmore said it was “industry knowledge” and pointed to a 2017 email from Hobson that said both the shipping company and Al Nasr were “Egyptian-owned companies”. Counsel then questioned whether Hobson really meant that to indicate “owned by the Egyptian government.”

Two prosecution witnesses eviscerated Hobson’s defense. The first was Frederick Cushmore Jr., who pled guilty to conspiring to violate the FCPA. He agreed to testify against Hobson and said their emails and WhatsApp messages talked about people at Al Nasr Co. for Coke and Chemicals being “taken care of” by keeping Corsa’s agent, Ahmed Nassar, paid high commissions for the sales he brought in, implying that Nassar’s higher-than-normal pay was being passed on as bribes to Al Nasr officials.

According to Matthew Santoni reporting in Law360, “Cushmore read a November 2016 email from Hobson, then a vice president of sales at the Somerset County, Pennsylvania-based coal mining company, that said there were ‘a few the agent has to take care of’ during an early discussion of Nassar’s proposed commission payments. ‘I took that as people at Al Nasr who would be receiving bribes… I was shocked at how open the discussion was,’ said Cushmore, whom prosecutors said held various international sales positions with Corsa Coal. ‘I simply said, I suspected… “What’s he doing with all that money?” Mr. Hobson said, “What do you think he’s doing with all that money?”’”

The second was Mohamed Arafa, an adjunct professor focusing on comparative law at Cornell University. He made clear, in no uncertain terms, that bribery of government officials was illegal under Egyptian law, not a matter of social custom. The defense had no rebuttal for either witness’s testimony.

Although the trial lasted over one week, the jury was out for less than one day before finding the defendant guilty. The sentencing date has not been set.

Join us tomorrow, where we look at the lessons a compliance professional can draw from the Hobson trial.

Resources:

Articles by Matthew Santoni in Law360

Coal Exec Knew Egyptian Broker Paid Bribes, Jury Told

Coal Exec’s Co-Worker Says Emails Hinted At Egypt Bribes

Egypt’s ‘Social Law’ Doesn’t Endorse Bribery, Jury Told

Coal Exec Used ‘Mr. Yen’ To Talk Kickbacks, FBI Testifies

Coal Exec ‘Had No Ability’ To OK Paying Bribes, Jury Told

Jury Finds Ex-Coal Exec Guilty Of Authorizing Bribes

Categories
Compliance Into the Weeds

Compliance into the Weeds: FCPA Trial Rarity: Charles Hobson Convicted

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the recent conviction of Charles ‘Hunter’ Hobson for FCPA violations.

Former Corsa Coal senior sales executive Charles Hunter Hobson was found guilty in Pennsylvania of helping arrange roughly $4.8 million in bribes to officials tied to a state-owned Egyptian coal company, using an intermediary, to secure about $143 million in contracts. Hobson also allegedly pocketed about $200,000. Tom and Matt discuss Hobson’s unsuccessful “dog bite” defenses. They also discuss tensions between corporate and individual accountability, the practical reality that companies may cooperate and “turn on” individuals, and that individuals can also expose companies by cooperating with prosecutors. Finally, they speculate on why DOJ pursued trial amid shifting enforcement signals, referencing other recent FCPA matters (Millicom DPA, Smartmatic indictment) and past DOJ trial losses, and conclude that the best approach is to avoid bribery and avoid being the “last man standing.”

Key highlights:

  • Hobson Case Overview
  • Dog Bite Defense Breakdown
  • Payment Red Flags
  • Declinations and Individual Risk
  • Why Go to Trial?

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Blog

5 Strategic Board Playbooks for AI Risk (and a Bootcamp)

Artificial intelligence is no longer a future-state technology risk. It is a current-state governance issue. If AI is being deployed inside governance, risk, and compliance functions, then it is already shaping how your company detects misconduct, prioritizes investigations, manages regulatory obligations, and measures program effectiveness. That makes AI risk a board agenda item, not a management footnote.

In an innovation-forward organization, the goal is not to slow AI adoption. The goal is to professionalize it. Boards of Directors and Chief Compliance Officers (CCOs) should approach AI the way they approached cybersecurity a decade ago: move it from “interesting updates” to a structured reporting cadence with measurable controls, clear accountability, and director education that raises the collective literacy of the room.

Today, we consider 5 strategic playbooks designed for a Board of Directors and a CCO operating in an industry-agnostic environment, building AI in-house, without a model registry yet, and with a cross-functional AI governance committee chaired and owned by Compliance. The program must also work across multiple regulatory regimes, including the DOJ Evaluation of Corporate Compliance Programs (ECCP), the EU AI Act, and a growing patchwork of state laws. We end with a proposal for a Board of Directors Boot Camp on their responsibilities to oversee AI in their organization.

Playbook 1: Put AI Risk on the Calendar, Not on the Wish List

If AI risk is always “important,” it becomes perpetually postponed. The first play is procedural: create a standing quarterly agenda item with a consistent structure.

Quarterly board agenda structure (20–30 minutes):

  1. What changed since last quarter? Items such as new use cases, material model changes, new regulations, and major control exceptions.
  2. Full AI Risk Dashboard, with 8–10 board KPIs, trends, and thresholds.
  3. Top risks and mitigations, including three headline risks with actions, owners, and dates.
  4. Assurance and testing, which would include internal audit coverage, red-teaming results, and remediation progress.
  5. Decisions required, including policy approvals, risk appetite adjustments, and resourcing.

This cadence does two things. First, it forces repeatability. Second, it creates institutional memory. Boards govern better when they can compare quarter-over-quarter progress, not when they receive one-off deep dives that cannot be benchmarked.

Playbook 2: Build the AI Governance Operating Model Around Compliance Ownership

In your design, Compliance owns AI governance and its use throughout the organization, supported by a cross-functional AI governance committee. That is a strong model, but only if it is explicit about responsibilities.

Three lines of accountability:

  • Compliance (Owner): policy, risk framework, controls, training, and board reporting.
  • AI Governance Committee (Integrator): cross-functional prioritization, approvals, escalation, and issue resolution.
  • Build Teams (Operators): documentation, testing, change control, and implementation evidence.

Boards should ask one simple question each quarter: Who is accountable for AI governance, and how do we know it is working? If the answer is “everyone,” then the real answer is “no one.” Your model makes the answer clear: Compliance owns it, and the committee operationalizes it.

Playbook 3: Create the AI Registry Before You Argue About Controls

You have no model registry yet. That is the first operational gap to close, because you cannot govern what you cannot inventory. In a GRC context, this is not a “nice to have.” Without an inventory, you cannot prove coverage, you cannot scope an audit, you cannot define reporting, and you cannot explain to regulators how you know where AI is influencing decisions.

Minimum viable AI registry fields (start simple):

  • Use case name and business owner;
  • Purpose and decision impact (advisory vs. automated);
  • Data sources and data sensitivity classification;
  • Model type and version, with change log;
  • Key risks (bias, privacy, explainability, security, reliability);
  • Controls mapped to the risk (testing, monitoring, approvals);
  • Deployment status (pilot, production, retired); and
  • Incident history and open issues.

Boards do not need the registry details. They need the coverage metric and the assurance that the registry is complete enough to support governance.

Playbook 4: Align to the ECCP, EU AI Act, and State Laws Without Creating a Paper Program

Many organizations make a predictable mistake: they respond to multiple frameworks by producing multiple binders. That creates activity, not effectiveness. A better approach is to use a single control architecture to map to multiple requirements. The board should see one integrated story:

  • DOJ ECCP lens: effectiveness, testing, continuous improvement, accountability, and resourcing;
  • EU AI Act lens: risk classification, transparency, human oversight, quality management, and post-market monitoring; and
  • State law lens: privacy, consumer protection concepts, discrimination prohibitions, and notice requirements where applicable.

This mapping becomes powerful when it ties back to the board dashboard. The board is not there to read statutes. The board is there to govern outcomes.

Playbook 5: Use a Board Dashboard That Measures Coverage, Control Health, and Outcomes

You asked for a combined dashboard and narrative with 8–10 KPIs. Here is a board-level set designed for AI in governance, risk, and compliance functions, with in-house build, internal audit, and red teaming for assurance.

Board AI Governance KPIs (8–10)

1. AI Inventory Coverage Rate

Percentage of AI use cases captured in the registry versus estimated footprint.

2. Risk Classification Completion Rate

Percentage of registered use cases risk-classified (EU AI Act style tiers or internal tiers).

3. Pre-Deployment Review Pass Rate

Percentage of deployments that cleared required testing and approvals on first submission.

4. Model Change Control Compliance

Percentage of model changes executed with documented approvals, testing evidence, and rollback plans.

5. Explainability and Documentation Score

Percentage of in-scope use cases with complete documentation, rationale, and user guidance.

6. Monitoring Coverage

Percentage of production use cases with active monitoring for drift, anomalies, and performance degradation.

7. Issue Closure Velocity

Median days to close AI governance issues, by severity.

8. Internal Audit Coverage and Findings Trend

Number of audits completed, rating distribution, repeat findings, and remediation status.

9. Red Team Findings and Remediation Rate

Number of material vulnerabilities identified and percentage remediated within the target time.

10. Escalations and Incident Rate

Number of AI-related incidents or escalations (including near-misses), with severity and lessons learned.

These KPIs do not require vendor controls and align with an in-house build model. They also support both board oversight and compliance management.

AI Director Boot Camp

Your board has a medium level of literacy and needs a boot camp. I agree. Directors do not need to become engineers. They need a common vocabulary and a governance frame. The recommended boot camp design is one-half day, making it highly practical. It should include the following.

  1. AI in the company’s operating model. This means where it touches decisions, risk, and compliance outcomes.
  2. AI risk taxonomy, such as bias, privacy, security, explainability, reliability, third-party, and other risks.
  3. Regulatory landscape overview, covering a variety of laws and regulatory approaches, including the DOJ ECCP approach to effectiveness, the EU AI Act risk framing, and several state-law themes.
  4. Governance model walkthrough to ensure the BOD understands the registry, risk classification, controls, monitoring, and escalation.
  5. Tabletop exercises, such as an AI incident in a GRC context with false negatives in monitoring or biased triage.
  6. Board oversight duties. Teach the BOD how they can meet their obligations, including which questions to ask quarterly, which thresholds trigger escalation, and similar insights.

The deliverable from the boot camp should be a one-page “Director AI Oversight Guide” with the KPIs, escalation triggers, and the quarterly agenda structure.

The Bottom Line for Boards and CCOs

This is the moment to treat AI risk like a board-governed discipline. The organizations that get it right will not be the ones with the longest AI policy. They will be the ones with the clearest operating model, the most reliable reporting cadence, and the strongest evidence of control effectiveness.

If Compliance owns AI governance, then Compliance must also own the proof. That proof is delivered through a registry, a quarterly board agenda item, a balanced KPI dashboard, and assurance through internal audit and red teaming. Add a director boot camp to create shared understanding, and you have the beginnings of a program that is innovation-forward and regulator-ready.

That is the strategic playbook: not fear, not hype, but governance.

Categories
Daily Compliance News

Daily Compliance News: February 12, 2026, The Social Media Addiction Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Is the Trump DOJ about to go after judges? (Reuters)
  • OpenAI exec who opposed erotic AI fired for sexual harassment. (WSJ)
  • BlackRock alleges it was duped into a $400 Million investment through fraud. (WSJ)
  • Social media is on trial in the US for being addictive. (BBC)

Categories
Blog

From Enforcement-Driven to Purpose-Driven Compliance

For more than two decades, corporate compliance programs have been built around one central organizing principle: enforcement. Where regulators go, compliance resources follow. When the Department of Justice prioritizes anticorruption, companies invest in FCPA controls. When regulators turn to privacy, cybersecurity, or AML, compliance budgets pivot accordingly. This enforcement-driven approach has shaped the modern compliance profession.

Yet, as Veronica Root Martinez persuasively argues in her recent working paper, Purpose-Driven Compliance, this dominant model may be fundamentally flawed, certainly in the era of Trump. Despite unprecedented investments in compliance infrastructure, corporate misconduct persists. Repeat offenders remain common. Penalties grew larger, but behavior did not meaningfully improve. For compliance professionals, this raises an uncomfortable question: are we optimizing for the wrong objective?

Martinez’s answer is both challenging and clarifying. Compliance programs should not be primarily designed to satisfy enforcement authorities or to maximize mitigation credit after failure. Instead, they should be anchored in the organization’s own purpose, business risks, and ethical standards. In short, it is time to move from enforcement-driven compliance to purpose-driven compliance.

The Limits of Enforcement-Driven Compliance

The enforcement-driven model rests on two assumptions. First, that enforcement priorities reflect a company’s most significant risks. Second, that imperfect compliance is inevitable and acceptable so long as the organization can demonstrate good-faith efforts. Martinez brings both under scrutiny.

Regulatory priorities often lag behind real business risks. Enforcement agencies focus on certain categories of misconduct because they are visible, politically salient, or historically entrenched. But the risks that most threaten an organization’s mission may lie elsewhere. Martinez highlights how firms can become over-invested in compliance areas that attract enforcement attention while under-investing in mission-critical risks to their operations.

The second assumption, that some level of misconduct is acceptable, is even more troubling. Behavioral ethics research suggests that tolerating small violations creates conditions for larger ones. When leaders frame misconduct as statistically insignificant or “within expectations,” they risk normalizing behavior that undermines culture, trust, and ultimately performance. Wells Fargo’s infamous “1% problem” illustrates this danger. Senior leadership took comfort in the idea that only a small fraction of employees were engaging in misconduct, failing to appreciate that those numbers reflected only the misconduct that had been detected.

An enforcement-driven mindset encourages this type of thinking. If the question is simply whether the organization will be sanctioned, then low detection rates look like success. But if the question is whether the organization is living up to its own purpose and values, the same data tell a very different story. This is not the broken windows theory of enforcement, but something else.

The Cost of Treating Compliance as a Cost of Doing Business

Another weakness of enforcement-driven compliance is that it can turn sanctions into a predictable line item. As firms grow larger and penalties are discounted through cooperation credit, fines risk being internalized as a cost of doing business. Empirical work cited by Martinez suggests that large, repeat offenders often pay penalties that are small relative to their assets and revenues. In that environment, enforcement loses much of its deterrent effect.

For compliance professionals, this dynamic creates a structural tension. Programs may be technically “effective” under DOJ guidance while still failing to prevent misconduct that harms customers, employees, and communities. The distinction between standards of review and standards of conduct becomes critical. Meeting the government’s expectations for leniency is not the same as meeting the organization’s ethical obligations to itself and its stakeholders.

What Is Purpose-Driven Compliance?

Purpose-driven compliance begins with a simple but powerful shift in perspective. Instead of asking, “What does the regulator expect?” the organization asks, “What risks threaten our ability to achieve our purpose and what standards of conduct are required to address them?” Martinez defines purpose-driven compliance as programs directed by three elements: the firm’s purpose, the inherent risks associated with pursuing that purpose, and the ethical standards the organization sets for itself. This approach does not reject enforcement frameworks; rather, it treats them as a floor, not a ceiling.

In practical terms, purpose-driven compliance requires leadership to articulate why the organization exists and how misconduct undermines that mission. For a bank, this may mean focusing on customer trust and market integrity. For a pharmaceutical company, it may mean prioritizing patient safety and scientific integrity. For a university, it may mean safeguarding academic freedom and institutional trust. For a summer camp, it means protecting the campers from flash floods and other storms.

Once the purpose is clearly defined, compliance risk assessments become more meaningful. Risks are evaluated not only by enforcement exposure but by their potential to compromise the organization’s core objectives. This reframing helps compliance leaders resist the temptation to chase regulatory trends at the expense of mission-critical risks.

Moving Beyond Mitigation to Aspirational Standards

A key insight in Martinez’s work is that firms often confuse mitigation with excellence. Compliance programs are designed to minimize penalties rather than to maximize ethical performance. Purpose-driven compliance challenges that mindset by encouraging organizations to adopt high, ethical, and aspirational standards of conduct.

This does not mean pursuing perfection through draconian controls or internal criminalization. Martinez rightly warns against overdeterrence and strict liability regimes that incentivize concealment rather than transparency. Instead, purpose-driven compliance emphasizes ethical framing, employee voice, and organizational learning. Compliance should never be Dr. No, sitting in the Department of Business Non-Development.

The examples of Wells Fargo and Novartis are instructive. Both organizations suffered repeated compliance failures under enforcement-driven regimes. Their subsequent reforms went beyond addressing the specific violations that triggered enforcement. They re-examined culture, leadership incentives, and ethical expectations. In Novartis’s case, tying bonuses to ethical performance and co-creating a new code of ethics signaled a shift from box-checking to values anchored in purpose.

Why Purpose-Driven Compliance Matters for the Modern CCO

For today’s chief compliance officer, Martinez believes purpose-driven compliance offers three critical benefits.

First, it creates durability. Enforcement priorities shift with administrations. Indeed, this Administration has signaled a cutback in white-collar enforcement by offering essentially get-out-of-jail-free cards to companies that self-disclose early. This underscores the importance of compliance programs. A compliance program anchored solely in regulatory expectations will always be reactive. Purpose-driven programs are more stable because they are tied to the organization’s identity rather than external politics.

Second, it improves the quality of compliance metrics. Measuring effectiveness against internal standards allows organizations to ask harder questions about culture, decision-making, and root causes. Not every initiative will succeed, but a willingness to acknowledge failure is itself a sign of program maturity.

Third, it enhances credibility with boards and senior leadership. When compliance is framed as a strategic partner in achieving the organization’s mission, rather than as a defensive function, it earns a more meaningful seat at the table.

Conclusion

Compliance has never been more sophisticated, expensive, or visible. Yet sophistication alone does not guarantee effectiveness. Martinez’s Purpose-Driven Compliance challenges compliance professionals to rethink the foundations of their programs. Enforcement-driven compliance has taken us far, but it cannot take us far enough.

The next evolution of compliance requires organizations to define their own standards of conduct, grounded in purpose, risk, and ethics. That shift is not easy. It requires courage from compliance leaders and commitment from boards and executives. But if compliance is truly about preventing harm and sustaining trust, purpose-driven compliance is not optional. It is essential.

Categories
Daily Compliance News

Daily Compliance News: February 9, 2026, The Is Netflix a Monopoly Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Knock-off obesity pill pulled from market. (NYT)
  • Former Norwegian Prime Minister under investigation over corruption from Epstein files. (Politico)
  • Jay Clayton promises a bigger get-out-of-jail-free card. (Reuters)
  • DOJ to investigate if Netflix is a monopoly. (WSJ)
Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 5 – Lucretius, Rationality, and Continuous Improvement in Compliance

Welcome to our concluding blog post on notable Roman philosophers and the philosophical underpinnings of modern corporate compliance programs and compliance professionals, focusing on five philosophers from Rome spanning the end of the Roman Republic to the Roman Empire.

We have considered Cicero on duty, law, and the moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; Varro on corporate governance; and Marcus Aurelius on ethical leadership and tone at the top. Today, we conclude with Lucretius and explore rationality, fear, and risk perception.

I. Lucretius in Context: Seeing the World Clearly

Titus Lucretius Carus is the outlier in the Roman philosophical tradition, and that is precisely why he matters to compliance professionals. In De Rerum Natura (On the Nature of Things), Lucretius set out to explain the world as it actually is, stripped of superstition, fear, and comforting illusions. He believed that human suffering and bad decision-making were driven less by malice than by misunderstanding.

Lucretius lived in a Roman world gripped by fear of divine punishment, fate, and unseen forces. He argued that when people attribute events to superstition or rumor rather than observation and evidence, they lose the ability to respond rationally. Fear, in his view, was the enemy of clear judgment. Only through disciplined observation and reason could individuals and institutions act wisely.

For modern compliance professionals, Lucretius offers a final and essential lesson. Even the best-designed compliance program, staffed by accountable individuals and supported by ethical leadership, will fail if it cannot see itself clearly. Programs that rely on assumptions, anecdotes, or reputation rather than evidence inevitably drift. Lucretius teaches that rational observation is not merely a scientific virtue. It is an ethical one.

II. The Compliance Problem Lucretius Illuminates: Blind Spots and Compliance Theater

Many compliance programs operate on belief rather than proof. Leaders believe the culture is strong. Boards believe controls are effective. Compliance teams believe training is working. Yet enforcement actions routinely reveal blind spots that persisted for years, unnoticed or unchallenged. This gap between belief and reality is what Lucretius would have called superstition. In compliance, it takes the form of compliance theater: dashboards that look reassuring, certifications that go unquestioned, and metrics that measure activity rather than effectiveness.

The DOJ Evaluation of Corporate Compliance Programs (ECCP) repeatedly asks whether companies test, monitor, and improve their programs. Prosecutors are explicit that assumptions are insufficient. They want evidence that the program detects misconduct, adapts to change, and evolves based on lessons learned. Fear plays a central role here. Organizations fear discovering problems. They fear bad news reaching the board. They fear regulatory scrutiny. Lucretius warned that fear distorts perception. In compliance terms, fear leads to underreporting, superficial audits, and avoidance of uncomfortable data.

A compliance program that cannot tolerate evidence of weakness cannot improve. Lucretius insists that rational systems must prefer truth over comfort.

III. Modern Corporate Application: Lucretius, DOJ Expectations, and Evidence-Based Compliance

Applying Lucretius to modern compliance highlights the central role of monitoring, testing, and continuous improvement.

First, compliance monitoring must focus on effectiveness, not volume. Counting training completions or hotline calls says little about whether the program works. Lucretius would insist on asking harder questions. Are issues detected early? Are repeat risks declining? Are controls changing behavior?

Second, data must be interpreted without fear. DOJ guidance emphasizes learning from misconduct and near misses. Yet many organizations treat incidents as anomalies rather than signals. Lucretius teaches that patterns matter more than isolated events. Compliance teams should analyze trends across regions, functions, and time, even when results are uncomfortable.

Third, programs must adapt to changing risk. Lucretius rejected static explanations of the world. The DOJ similarly asks whether compliance programs evolve as business models, markets, and technologies change. A program designed for yesterday’s risks becomes a liability when conditions shift.

Fourth, monitoring must include culture and behavior, not just transactions. Culture surveys, exit interviews, and speak-up analytics provide insight into employees’ trust in the system. Lucretius would caution against ignoring qualitative data simply because it is harder to measure.

Fifth, continuous improvement must be documented and demonstrable. The DOJ evaluates whether companies close the loop by updating controls, training, and governance in response to findings. Rational compliance requires not only seeing clearly but acting on what is seen.

Finally, compliance leaders must resist narrative-driven assurance. Statements such as “this has never happened before” or “we trust our people” are not evidence. Lucretius reminds us that trust is strengthened, not weakened, by verification.

IV. Key Takeaways for Compliance Professionals

1. Father of continuous monitoring and continuous improvement (CM/CI). Compliance professionals should view Lucretius as the philosophical foundation of monitoring and continuous improvement. Lucretius grounds compliance in disciplined observation rather than comfort or tradition. He reminds compliance professionals that a program cannot improve what it refuses to examine honestly. Monitoring and continuous improvement are not technical exercises but ethical commitments to see the organization as it truly operates.

2. Fact-based. Compliance should privilege evidence over assumption. Assumptions about culture, control effectiveness, or employee behavior create blind spots that persist until a failure forces attention. Lucretius warns that belief without verification is a form of self-deception. An effective compliance program insists on data, testing, and validation rather than reassurance.

3. Measure outcomes, not activity. Compliance should design metrics that measure effectiveness, not activity. Counting trainings delivered or policies acknowledged does not demonstrate that misconduct is being prevented or detected. Lucretius would reject metrics that comfort leadership without revealing reality. Compliance metrics must answer whether controls change behavior and reduce risk, not merely whether processes occurred.

4. Information is data. Compliance should treat incidents and near misses as data, not embarrassment. Organizations often hide or minimize incidents out of fear of reputational harm or internal scrutiny. Lucretius teaches that fear distorts judgment and delays learning. A mature compliance program uses incidents and near misses as signals for improvement rather than reasons for denial.

5. Risks Change. Compliance should evolve as risks, markets, and technologies change. Static compliance programs assume the world remains stable, an assumption Lucretius would view as fundamentally irrational. This is certainly not true in the age of Trump. Business models, geopolitical risks, and technologies shift faster than policy cycles. Continuous adaptation is the only rational response to an environment in constant motion.

6. Embrace Observation. Compliance should embrace rational observation as an ethical obligation. Seeing clearly is not morally neutral; it is a responsibility owed to stakeholders and institutions. Lucretius argued that ignorance sustained by fear causes harm. In compliance, choosing not to look is itself an ethical failure.

7. Evidence-based. Finally, Lucretius teaches that organizations fail not because reality is unknowable, but because they choose not to look. This is the capstone lesson of the compliance lifecycle. Organizations that avoid uncomfortable facts drift into compliance theater and false confidence. Rational, evidence-based compliance treats truth as an asset, even when it reveals weakness.

V. Conclusion: Roman Philosophy and the Compliance Program That Actually Works

Taken together, these five Roman philosophers describe the full lifecycle of a modern compliance program as it exists in the real world, not as it appears in policy manuals. Cicero establishes why compliance must exist at all, grounding the program in duty rather than expediency and reminding organizations that law is only the starting point. Seneca then confronts the reality that ethical commitments are tested under pressure, exposing how fear, ambition, and rationalization undermine even well-designed systems. Epictetus moves the analysis to the individual, insisting that ethical responsibility does not disappear inside hierarchy and that compliance ultimately depends on personal agency. Marcus Aurelius elevates that responsibility to leadership, showing how culture is formed through example and how ethical expectations live or die by the behavior of executives. Finally, Lucretius closes the loop, demanding rational observation, evidence, and continuous improvement so that compliance programs do not drift into assumption, superstition, or complacency.

What makes the Roman philosophers uniquely valuable to compliance professionals is their focus on institutions, power, and human behavior under constraint. The Greeks gave us ethical ideals. The Romans showed us how those ideals survive, or fail, inside complex systems. This mirrors the Department of Justice’s modern approach to compliance, which increasingly evaluates not whether a program exists, but whether it operates, adapts, and functions under real-world conditions.

For the compliance professional, the lesson of this series is both sobering and empowering. No single control, policy, or training module is sufficient. Effective compliance requires ethical foundations, behavioral awareness, individual accountability, principled leadership, and disciplined monitoring working together as an integrated system. Remove any one of these elements, and the program weakens. Align them, and compliance becomes not a defensive function, but a durable governance capability.

In combining these Roman insights with the earlier Greek philosophical foundations, the compliance professional gains more than historical perspective. They gain a framework for building programs that withstand pressure, earn trust, and evolve. In the end, that is the measure of a compliance program that actually works.