Compliance into the Weeds: Bosch and the Foreign Direct Product Rule: Lessons from the Export Controls and NSD Settlement

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it in greater depth. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the recent Bosch export controls enforcement action involving two German subsidiaries that sold about $72 million in advanced microsensors and software to Huawei from 2020 to late 2024.

Those sales violated U.S. export controls tied to the Foreign Direct Product Rule and the 2020 “footnote one” restrictions. Although Bosch voluntarily self-disclosed, cooperated, remediated, disgorged profits, and received a DOJ criminal declination, BIS imposed a $36.1 million civil penalty, citing fundamental compliance failures: an understaffed and underqualified export controls function, confusion between the de minimis rule and the Foreign Direct Product Rule (which has no de minimis exception), and mishandling of repeated external warnings from business partners and suppliers. Tom and Matt highlight the internal control and communication breakdowns (including the missed external signals) and the need to build specialized export/sanctions compliance capacity, noting that BIS issued a compliance framework in 2020 and offers training.

Key highlights:

  • Bosch case overview
  • Understaffed compliance fallout
  • Ignored partner warnings
  • Declination and remediation
  • COSO signals and controls
  • Building export compliance muscle

Resources

Matt in Radical Compliance

Tom in the FCPA Compliance Blog: Part 1, Part 2, Part 3, Part 4, and Part 5 posts on Thursday, June 25.

Daily Compliance News: June 24, 2026, The Denying Sorsby Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Gautam Adani met with Don Jr. before garnering a Trump pardon. (Forbes)
  • DOJ shuts down Teamster oversight. (NYT)
  • NFL shuts down Supplemental Draft. (WSJ)
  • Judge allows search of AI prompts and queries. (Reuters)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

The Bosch Declination, Part 4: Third-Party Warnings and the COSO Principle 15 Failure

The Bosch enforcement action is, at one level, an export controls case. But for compliance professionals, it is also a communications failure. More specifically, it is a case study in what can happen when a company receives significant external compliance information but does not treat that information as control-relevant intelligence.

That is why COSO 2013 Objective IV, Information and Communication, is such a useful lens for the penultimate post in this Bosch series. COSO Objective IV states that management must obtain or generate and use relevant, quality information from both internal and external sources to support the functioning of internal control. It also describes communication as a continual, iterative process of providing, sharing, and obtaining necessary information. External communication is expressly twofold: it enables inbound communication of relevant external information and allows the organization to provide information externally in response to requirements and expectations.

That framework maps directly onto Bosch. The issue was not that Bosch lacked all information. The issue was that Bosch lacked an effective system to recognize, escalate, reconcile, and act on information it already had. The thesis is simple: Bosch failed to treat third-party communications as control information under COSO Principle 15. The Bosch order illustrates what a Principle 15 failure can look like in practice.

Principle 15: External communication is not just outbound messaging

Principle 15, “Communicate Externally,” is sometimes understood too narrowly. Companies often think of external communication as pushing information outward: codes of conduct, supplier expectations, hotline information, compliance certifications, contractual clauses, and policy requirements. Those are important. But they are only half the principle.

The COSO summary makes clear that Principle 15 also recognizes that outside parties can provide information to management about the effectiveness of internal controls and regulatory communications. In other words, third parties are not only recipients of compliance expectations. They can also be sources of control information. Compliance officers must evaluate communication lines to third parties because information can flow both ways: compliance obligations can go out, and compliance issues can come back.

That is the key Bosch lesson. Bosch’s suppliers and contract manufacturers were not merely exchanging paperwork. They were providing information that challenged Bosch’s existing compliance conclusion. They were telling Bosch, in substance, that something about the Huawei analysis might be wrong. Under Principle 15, those communications should have entered a controlled process for review, escalation, reconciliation, and documented decision-making.

As noted in the BIS-Bosch Order, Bosch continued to rely on erroneous guidance for more than four years despite indications that should have raised questions about the accuracy of the original August 25, 2020 guidance.

Company Four: the first external warning

Company Four sent the purchasing department of BST (a Bosch subsidiary named in the Order) a letter on September 2, 2020. It explained the relevant rule and advised BST that it should assume the equipment involved in Company Four’s assembly and test processes triggered the relevant product-scope provisions. Company Four also requested that BST complete a compliance certification addressing whether products processed by Company Four would be incorporated into items produced, purchased, or ordered by Huawei, or whether Huawei was a party to any transaction involving Company Four’s product.

That communication should have been treated as a control event. It came from an external party with direct knowledge of its own production and testing environment. It raised a specific compliance concern. It requested a certification. It implicated a high-risk customer. It was precisely the kind of external information Principle 15 expects a company to receive, process, and use.

Bosch’s response illustrates the failure. BST’s purchasing and logistics personnel forwarded the letter to the BST Executive. Bosch trade compliance personnel in Germany then drafted a general but inaccurate response stating that BST’s transactions were compliant and that Company Four’s products were not incorporated into, or used in, products subject to the EAR. Company Four pushed back, noting that the response did not expressly address the recent Huawei-related changes and explicitly warning that equipment used at Company Four factories included U.S. export-controlled equipment. Company Four further said BST should assume that transferring products worked on by Company Four to or for Huawei might be prohibited. BST purchasing personnel took no further action, and BIS found that Bosch did not analyze the Company Four warning to determine whether Bosch’s own understanding was consistent with Company Four’s warning.

For CCOs, this is the moment Principle 15 becomes operational. An inbound external communication that contradicts internal guidance should trigger a defined escalation pathway. It should not depend on whether purchasing personnel recognize the legal significance of the warning.

Company One: the certification that should have forced reconciliation

Company One’s February 2021 certification request presented another clear opportunity. Company One asked personnel at a Bosch production facility to complete an end-user certification in connection with items produced using Company One’s epitaxy machines. The certification required Bosch personnel to acknowledge that direct products of the machines could be subject to a license requirement if the relevant rule applied. It also asked Bosch personnel to certify that the machines would not be used in production or development of items produced, purchased, or ordered by an entity with a footnote 1 designation.

This was not routine vendor paperwork. It was a third-party control communication requiring a representation from Bosch. Bosch personnel asked German trade compliance for advice. A Germany-based trade compliance employee correctly advised that Huawei was a footnote 1 entity and that products manufactured with Company One’s equipment must not be involved in business activities with Huawei if the document was to be signed. Yet when the BST Executive separately learned of the certification request, he provided the production facility personnel with the earlier August 25, 2020 email stating that the rule did not affect BST products. The production personnel then signed the certification without reconciling the conflicting guidance and the specific warning provided by Company One.

This is a classic internal-control breakdown. The external communication entered the organization. Compliance was consulted. A relevant warning was generated. But the organization lacked a mechanism to force reconciliation between the supplier certification, the newer internal advice, and the original advice. Principle 15 requires communication lines that allow external information to inform management’s understanding of control effectiveness. Here, the warning was received but not converted into action.

Company Five: the warning Bosch treated as a supplier problem

Company Five’s communication in June 2023 was even more striking. In connection with onboarding Company Five as a new contract semiconductor manufacturer, Company Five told BST that BST would not be able to provide products containing items manufactured by Company Five to Huawei without appropriate authorization. When BST procurement asked why, Company Five cited the relevant rule and referenced the $300 million Seagate penalty for sales to Huawei without authorization.

That should have triggered a broader question: if Company Five believed its manufacturing process created a restriction, why would Bosch assume that similar risks did not exist with other suppliers or contract manufacturers?

Instead, the response became supplier-specific. A Bosch trade compliance professional in Germany advised that Company Five’s position was based on its internal policy and not compelled by U.S. export requirements. BST’s Managing Director responded that Company Five’s position made it an unsuitable supplier. BIS found no evidence that BST management, procurement, or trade compliance personnel made appropriate efforts to understand why the restrictions cited by Company Five would not affect BST’s other suppliers or Bosch’s ability to sell sensors to Huawei.

For a CCO, this is a critical lesson. Third-party resistance is often compliance data. When a supplier refuses to proceed, demands a certification, cites a regulatory issue, or references a peer enforcement action, the company should not dismiss the issue as the supplier’s internal policy. It should ask whether the supplier has identified a risk that the company has missed.

Contract manufacturer certifications: repeated paperwork, repeated missed signals

Between 2021 and 2024, BST employees signed multiple compliance certifications for two contract semiconductor manufacturers involved in the BST Sensor production process, including Company Two. Each certification noted that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to a footnote 1 entity. The relevant BST personnel later explained that they signed the certifications because they did not understand that Huawei was a footnote 1 entity.

That fact is particularly important for compliance professionals because it shows how external communication failures often begin in business functions. Procurement, logistics, supply chain, legal, contract management, production, and customer-response personnel may be the first employees to receive a supplier warning or sign a certification. If they do not understand escalation triggers, the compliance function may never receive the information in a usable form.

Principle 15 therefore requires more than an external-facing policy. It requires training and controls around inbound third-party information. Employees need to know that certifications, supplier refusals, regulatory references, customer warnings, and contract clauses may be compliance intelligence.

Lessons learned for compliance professionals

  1. Treat third-party compliance communications as control information. Supplier letters, certifications, onboarding objections, contract restrictions, and compliance representations should be categorized, tracked, and reviewable.
  2. Build escalation triggers. Any third-party communication that references a restricted customer, government list, license requirement, blocked transaction, sanctions/export rule, enforcement action, or inability to proceed should require escalation to compliance or legal.
  3. Require the reconciliation of conflicting information. When external warnings conflict with prior internal advice, the prior advice should not automatically control. The company should document the conflict, identify the owner, obtain subject-matter review, and record the final rationale.
  4. Train the first receivers. CCOs should ensure that procurement, logistics, supply chain, legal, production, and contract management personnel know when third-party communications are not merely commercial communications. They need practical examples and clear escalation channels.
  5. Track certifications centrally. Certifications signed by business personnel should be stored, searchable, and periodically reviewed by compliance. Repeated certifications on the same topic should be treated as a pattern, not isolated paperwork.
  6. Treat supplier refusals as red flags. When a supplier will not support a transaction because of a compliance concern, the response should not be limited to replacing the supplier. Compliance should ask whether the supplier has exposed a broader control gap.
  7. Close the loop. Principle 15 is not satisfied when a third-party warning is forwarded. It is satisfied when the company receives the information, evaluates it, escalates it, acts on it, and documents the decision.
  8. Test the system. A CCO should be able to ask: Can we identify all third-party compliance warnings received in the last year? Who reviewed them? Which were escalated? Which changed a control, a customer decision, a supplier decision, or a legal conclusion?

The Bosch order demonstrates that compliance failures do not always arise from a lack of information. Sometimes the information is already inside the company. The failure is the absence of a system to recognize it, escalate it, and act on it. That is the core Principle 15 lesson, and it is one every CCO should take seriously.

The Bosch Declination: Part 3 – Bosch and the ECCP: When Compliance Expertise and Resources Fail

As most readers know, sometimes when I get going on a multipart blog series, I either get carried away or simply cannot stop. Maybe sometimes it is both. This week is beginning to seem like one of those times. Today, I recorded an episode of Compliance into the Weeds with my co-host Matt Kelly, and we discussed some very interesting points from the enforcement action, so I decided to keep going. (The episode will post on Wednesday, June 24.)

Over the past couple of blog posts, I have reviewed the DOJ Declination through the lens of the National Security Division. Today, I want to look at the BIS enforcement action and mine it for a different set of lessons learned.

The BIS enforcement action is a useful case study for compliance professionals because it is not merely a story about a company without a compliance program. Rather, Bosch had export compliance processes, including U.S. export compliance processes. The failure was more subtle and more important: the compliance function lacked sufficient expertise and staffing to interpret a major regulatory change, translate that change into operational requirements, challenge incomplete business responses, and revisit advice when contrary facts emerged. BIS charged Bosch with 109 violations involving approximately $72.4 million in exports to Huawei without required authorization.

That is precisely the kind of failure the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) is designed to test. Under ECCP Section II, prosecutors ask whether the compliance program is “adequately resourced and empowered to function effectively.” Section II.B, “Autonomy and Resources,” directs prosecutors to examine whether compliance personnel have sufficient qualifications, seniority, and stature; sufficient resources, including staff to audit, document, and analyze; and sufficient autonomy from management, including access to the board or audit committee.

As laid out in the BIS enforcement action, Bosch failed in the Expertise requirement. The enforcement action stated:

Bosch’s U.S. export compliance team did not have sufficient expertise or resources at the time to adequately address the August 2020 changes to the EAR, namely, the FDP Rule, which expanded restrictions on Huawei. Bosch’s failure to have an effective U.S. export controls compliance program in place for BST and ETAS at this time contributed directly to the violations at issue in these charges.

Bosch also failed in the Resources requirement. Here, the enforcement action stated:

During most of the relevant period, Bosch’s export controls compliance team in the United States consisted primarily of two employees. These employees were responsible for advising Bosch’s central trade compliance function, based in Germany, and Bosch’s non-U.S. businesses on compliance with U.S. export control regulations. Only one of these employees was tasked primarily with advising on compliance with U.S. export controls. The second employee provided part-time assistance with U.S. export controls compliance while also focusing on U.S. customs and tariffs compliance. The U.S. trade compliance team included other employees primarily focused on U.S. customs and tariffs, who could occasionally assist with minor, discrete export controls questions.

1. Did compliance personnel have the right experience and qualifications?

The ECCP asks whether compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities. That question sits at the center of the Bosch enforcement action.

During much of the relevant period, Bosch’s U.S. export controls compliance team primarily consisted of two employees. Only one was tasked primarily with advising on U.S. export controls; the second provided part-time export controls assistance while also focusing on customs and tariffs. Other U.S. trade compliance personnel were primarily customs and tariffs employees who could occasionally assist with minor export controls questions.

That staffing model proved inadequate for the risk. BIS found that Bosch’s U.S. export compliance team lacked sufficient expertise or resources to address the August 2020 changes to the EAR, and that this failure directly contributed to the violations. Communications between U.S. and German trade compliance personnel showed confusion about the Foreign Direct Product Rule (FDPR). That confusion produced erroneous guidance: a Germany-based trade compliance employee advised BST (a Bosch German entity) management that if products contained less than 25% U.S. content and the U.S. content was not classified under certain ECCNs, there was no impact and no license requirement. BIS explained that this advice improperly confused and conflated the De Minimis Rule with the FDPR.

For compliance professionals, the lesson is direct. Experience and qualifications cannot be evaluated generically. “Trade compliance experience” is not the same as deep expertise in a specific high-risk, fast-changing legal regime. A compliance team may be experienced enough for ordinary classification, screening, and documentation work, but underqualified for a complex regulatory change affecting a major restricted customer, foreign production, production equipment, software, suppliers, and end-user certifications.

The same issue appeared in Bosch’s German subsidiaries, collectively known as ETAS, in the enforcement action. Bosch trade compliance personnel reviewed automotive software sales to Huawei but incorrectly concluded that the FDPR applied only to physical goods, not software. BIS said Bosch personnel repeatedly advised ETAS that the restrictions did not apply to CycurHSM software.

The broader point is that qualifications must match the company’s risk profile. For a global technology company operating across complex supply chains, compliance expertise must be technical, up to date, and operationally fluent.

2. Did the level of experience and qualifications change over time?

The ECCP also asks whether the level of experience and qualifications in compliance and control roles changed over time. Bosch is a warning about static capability in a dynamic risk environment.

After the original August 2020 advice, Bosch received repeated warnings that should have triggered reassessment. Company Four warned BST that equipment used in its factories included U.S. export-controlled equipment and that products worked on by Company Four for Huawei could be prohibited under the EAR. BST did not analyze whether that warning conflicted with Bosch’s internal understanding.

A Bosch trade compliance professional in the United States also sent a September 4, 2020, request for information to Bosch businesses, including BST. The request sought detailed information about production lines, production equipment, and U.S.-origin software and technology used in production. BST did not answer the specific questions. The BST Executive responded that the products had already been “clarified” as not impacted and cited a “dire allocation situation.” BIS found that, had BST answered the questions, Bosch’s U.S. trade compliance personnel likely would have identified the sensors as within the FDPR’s product scope.

The failure was not merely the first wrong answer. It was the absence of a mechanism to upgrade expertise, revisit assumptions, and escalate conflicting information. A mature compliance program treats major legal change as a trigger for a surge of resources, specialist review, and documented reassessment. It also treats repeated inconsistent data points as evidence that the original advice may no longer be reliable.

3. How did the company invest in training and development?

The ECCP asks how the company invests in further training and development of compliance and control personnel. Bosch shows that training cannot be limited to compliance staff alone.

Between 2021 and 2024, BST employees signed multiple compliance certifications for semiconductor manufacturers under contract. Those certifications stated that items produced by the manufacturers were subject to the EAR and required BST to certify that it would not provide such items to an entity with a footnote 1 designation. The relevant employees later explained that they signed because they did not understand that Huawei was a covered entity.

That is a gatekeeper training failure. Procurement, logistics, production, contract management, and customer-response personnel were all part of the control environment. They received supplier certifications, customer requests, internal guidance, and external warnings. Yet the process did not ensure they understood what those documents meant or when they had to escalate.

The lesson is practical: high-risk certifications should not be treated as administrative paperwork. They are control documents. Employees who sign them need tailored, role-based training. They should understand restricted-party designations, escalation triggers, the consequences of inaccurate certifications, and the limits of relying on old guidance.

Compliance personnel also need continuing education. Where regulations are complex and fast-moving, development should include external specialist support, second-level review of high-risk advice, lessons learned from enforcement actions, and technical briefings with engineering and supply chain personnel. Obviously, the regulations changed in 2020, but it appears Bosch trade compliance professionals received training on this change.

4. Who reviewed the performance of the compliance function?

The ECCP’s final question asks who reviews the performance of the compliance function and what the review process is. Bosch illustrates why that review must go beyond activity metrics.

BIS found that Bosch’s internal controls were insufficient to ensure that compliance advice was broadly distributed, independently reviewed, or reassessed to confirm that it was correct or updated for new facts. Bosch also implemented internal blocks on Huawei orders, but German trade compliance personnel repeatedly released those orders based on the erroneous August 2020 advice from the U.S. trade compliance team.

A meaningful review process would have asked different questions: Were high-risk legal interpretations independently validated? Were assumptions documented? Were unanswered business information requests escalated? Were supplier warnings reconciled against prior advice? Were order-block releases reviewed for quality, not just processed for speed? Were compliance personnel empowered to say, “No complete data, no release”?

Performance review of compliance should include legal quality, escalation discipline, documentation, red-flag closure, audit findings, and whether the function has sufficient staff to do the work expected of it. It should also include board or audit committee visibility when resource constraints affect the company’s ability to manage material compliance risks.

Lessons learned for compliance professionals

The Bosch order offers several broader lessons.

  1. Compliance resources must be risk-based. A global company cannot judge staffing by historical headcount or budget inertia. Staffing must be measured against regulatory complexity, geographic scope, business volume, customer risk, and the operational burden of collecting facts.
  2. Specialist expertise matters. A general compliance function may identify issues, but complex regulatory regimes require personnel or advisors with deep subject-matter knowledge.
  3. Business pressure is a control risk. The “dire allocation situation” response mattered because it showed how operational urgency can displace compliance fact-gathering. A strong program requires mandatory responses to requests for compliance information.
  4. Advice must have a lifecycle. High-risk compliance advice should identify assumptions, facts reviewed, legal basis, owner, date issued, and reassessment triggers. It should not become a permanent operating authority unless periodically reviewed.
  5. Gatekeepers must be trained as gatekeepers. Employees who sign certifications, release orders, onboard suppliers, or respond to customers are part of the compliance control system.

The Bosch case is a reminder that a compliance program can have policies, procedures, and blocks and still fail. The ECCP asks whether compliance is adequately resourced and empowered. Bosch shows why that question matters. The issue is not whether compliance was present. The issue is whether compliance had the expertise, staff, authority, and review mechanisms necessary to function effectively when the business needed it most.

The Bosch Declination: Part 2 – Lessons Learned in Transparency, Remediation, and the ECCP in Action

Every Chief Compliance Officer should study the Bosch declination because it answers a practical question: what does the DOJ reward when a company discovers serious national security compliance failures? It is also a useful case study for CCOs beyond export controls. It is a broader lesson in how enforcement authorities evaluate program effectiveness, internal controls, and corporate response after misconduct is identified.

The answer is not perfection. The answer is transparency, cooperation, remediation, resources, accountability, and governance. Bosch received a declination from the National Security Division under the DOJ’s Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP) after self-disclosing export control issues, cooperating with the investigation, remediating, and resolving parallel civil exposure with BIS.

Lessons Learned

1. Manage Your Organization’s Risks

The facts of the Bosch matter present the first lesson for CCOs. A compliance program must be built around the company’s actual risk profile. For a global technology and manufacturing company, that means export controls cannot be treated as a narrow legal specialty. They must be embedded into product development, sales, logistics, customer review, third-party engagement, software, engineering, and business approval processes.

This point aligns directly with the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP asks three fundamental questions: Is the program well designed? Is it applied earnestly and in good faith, meaning adequately resourced and empowered? Does it work in practice? DOJ also states that prosecutors evaluate the program at the time of the offense and at the time of charging or resolution.

The Bosch Declination demonstrates why those questions matter. A program may exist on paper, yet still fail if it lacks specialized knowledge, escalation paths, and operational integration. The Foreign Direct Product Rule (FDPR) is technical. It requires understanding product origin, technology lineage, software, manufacturing equipment, Entity List designations, and licensing requirements. If the compliance team lacks the expertise or access needed to analyze those issues, the control environment is not fit for purpose. Clearly, the Bosch compliance team lacked the expertise needed for trade compliance.

2. Quick Action: The Need for Speed

The second lesson is that detection and escalation remain central to program effectiveness. The DOJ credited Bosch with conducting an internal investigation after discovering the issues and voluntarily self-disclosing to both NSD and BIS while that investigation was still ongoing. That detail matters. Bosch did not wait for a perfect final report before going to the government. It identified the problem, investigated it, and disclosed it while continuing to learn the facts.

For CCOs, this is the real-world self-disclosure dilemma. Companies often want certainty before disclosure. DOJ policy rewards promptness. The Bosch matter shows that the government may credit a company that self-discloses while its internal investigation is still underway, provided the company preserves evidence, continues to develop the facts, cooperates, and remediates.

3. Active Cooperation

The third lesson is that cooperation must be active. The DOJ cited Bosch’s disclosure of relevant facts; the preservation, collection, and production of documents and information; and prompt, voluntary responses to CES requests following the self-disclosure. This is not passive cooperation. It is organized, disciplined, and documented cooperation.

For the CCO, this means the company must be ready before a crisis. There should be an investigation protocol. There should be document preservation capabilities. There should be clarity on who owns export control investigations, who briefs the board, who coordinates with outside counsel, who manages government requests, and who ensures that remediation does not wait until the matter concludes.

4. Substantive Remediation

The fourth lesson is that remediation must be tangible. Bosch was credited with organizational changes, including adding 66 employees to its trade compliance organization, expanding U.S. trade compliance resources, and updating internal policies and procedures to clarify U.S. export control jurisdiction and licensing requirements.

That is an important message for every compliance leader. Remediation is not a memo. Remediation is not revised policy language alone. Remediation means changing the program so that the same issue is less likely to happen again. It means more resources where the risk requires them. It means better expertise. It means clearer rules. It means stronger controls. It means accountability. Law360 reported that Bosch also made organizational changes, imposed discipline, added trade compliance employees, expanded U.S. trade compliance resources, and updated internal policies and procedures.

5. Effectiveness

The fifth lesson is that the DOJ is connecting compliance effectiveness to enforcement outcomes. DOJ’s CEP is designed to encourage companies to invest in effective compliance programs, voluntarily self-report potential misconduct, cooperate with law enforcement, and rectify wrongdoing. The policy states that the DOJ will decline to prosecute when the company voluntarily self-discloses, fully cooperates, remediates in a timely and appropriate manner, has no aggravating circumstances, and is required to disgorge, forfeit, or otherwise compensate victims for the misconduct.

Bosch is the proof point. DOJ did not ignore the misconduct. Bosch agreed to disgorge $11,430,098, with a credit for amounts paid to BIS. BIS imposed a parallel civil penalty. DOJ also made clear that the declination did not protect individuals and that the investigation could be reopened if DOJ learned new information that changed its assessment or if disgorgement was not paid promptly.

That is a critical governance message. A declination is not a free pass. It is an enforcement outcome tied to conditions, cooperation, transparency, remediation, and accountability.

The Board Component

For boards, Bosch should be read as a Caremark-adjacent reminder that mission-critical compliance risks require real oversight. Export controls and sanctions are not technical back-office functions for global technology companies. They are national security, legal, operational, reputational, and business continuity risks.

The Bosch declination letter states that the company’s Management Board had been advised of the terms of the letter agreement and that Bosch’s Global General Counsel signed the agreement on behalf of the company. That is how these matters should land. Senior management and the board must understand the facts, the root cause, the remediation plan, the financial consequences, and the continuing obligations.

Boards should be asking whether the company has identified its mission-critical regulatory risks. For a technology, manufacturing, software, logistics, aerospace, life sciences, energy, or semiconductor company, export controls and sanctions may sit at the center of that risk map. The board should ask whether compliance has sufficient expertise, authority, budget, data access, and independence. It should ask whether management has tested the controls around high-risk customers, restricted parties, product classification, end-use, end-user, software, and foreign-produced items.

The ECCP reinforces this governance point. The DOJ expects prosecutors to consider whether a company has made significant investments in its compliance program and internal controls and whether improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future.

Top Five Takeaways

  1. Voluntary self-disclosure still matters. Bosch received credit because it disclosed to NSD and BIS while still under investigation and then continued to cooperate and remediate.
  2. Export controls are internal controls. FDPR risk requires more than screening. It requires integration across product, software, engineering, sales, legal, and compliance.
  3. Resources are evidence. DOJ credited Bosch for adding 66 trade compliance employees and expanding U.S. trade compliance resources. That is remediation prosecutors can see.
  4. The ECCP is a governance tool. CCOs should use the ECCP’s three questions to assess whether the program is well designed, empowered, resourced, and working in practice.
  5. Boards must oversee national security risks. Export controls and sanctions are mission-critical risks for many global companies. Bosch shows that transparency and remediation can materially shape the enforcement outcome.

The Bosch remediation was not cosmetic. Adding 66 trade compliance employees and expanding U.S. trade compliance resources communicates seriousness. It tells enforcement authorities that the company understood the root cause and invested in fixing it. CCOs should take that lesson directly to the board. Compliance resources should follow risk. Where the business model creates national security exposure, compliance must have the technical capability to match that risk.


The Bosch Declination: Part 1 – The DOJ’s New National Security Enforcement Playbook

The Bosch Declination is an important early marker in the Department of Justice’s new corporate enforcement architecture. It is also a practical case study in how export controls, national security compliance, voluntary self-disclosure, and remediation now intersect under the Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy. Over the next two blog posts, we will consider this Declination. Today we look at the Declination itself. In the next blog post (on Monday), we will consider the lessons for compliance professionals.

On June 17, 2026, the DOJ announced that the National Security Division had declined prosecution of Robert Bosch GmbH, resolving an investigation into an alleged scheme involving the export of products and software to an Entity-listed company in the People’s Republic of China. The Declination was reached under Part I of DOJ’s Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy, after DOJ considered the Principles of Federal Prosecution of Business Organizations. DOJ stated that Bosch promptly disclosed the misconduct to NSD, fully cooperated, and timely and appropriately remediated, with no aggravating circumstances present.

The facts are significant. The DOJ’s Declination letter states that from approximately September 2020 to September 2024, Bosch, through two non-U.S. subsidiaries, re-exported more than $70 million in foreign-produced Micro-Electro-Mechanical Systems sensor products and foreign-produced software to Huawei Technologies Co., Ltd. and its affiliates on the Entity List, including Huawei Tech. Investment Co., Ltd., Hong Kong. DOJ identified the two Bosch subsidiaries as Bosch Sensortec GmbH and ETAS GmbH. According to the DOJ, the products were provided without the required license or authorization from the Department of Commerce’s Bureau of Industry and Security, in violation of the Export Administration Regulations.

The central export control issue was the Entity List Foreign Direct Product Rule, or FDPR. The DOJ stated that BST (Bosch Sensortec) and ETAS provided Huawei with foreign-produced items subject to the EAR under the Entity List FDPR for designated entities, without obtaining the required authorization from BIS. DOJ further found that Bosch’s trade compliance personnel were “ill-equipped” to provide accurate guidance on the FDPR. The investigation also identified ongoing sales despite several missed opportunities in which third-party companies had identified potential FDPR applications for Bosch products or equipment used in providing services. DOJ calculated that Bosch made approximately $11,430,098 in pre-tax profits from the conduct.

That fact pattern is important for compliance professionals because this was not described as a simple denied-party screening failure. It involved the intersection of foreign-produced products, U.S.-origin technology or software, non-U.S. subsidiaries, Entity List restrictions, and a rule that requires sophisticated technical, legal, and operational judgment. This is precisely the type of export control risk that can sit outside traditional compliance comfort zones. It may involve engineering data, manufacturing equipment, software lineage, product classification, third-party technical inputs, and commercial teams operating far from the United States.

The DOJ letter also makes clear that Bosch’s response mattered. DOJ stated that, after discovering the issues, Bosch conducted an internal investigation and voluntarily self-disclosed the matter to both the National Security Division’s Counterintelligence and Export Control Section and BIS while the internal investigation was still ongoing. Bosch also remediated promptly and appropriately. The Declination letter notes that Bosch’s internal investigation uncovered numerous mistakes in applying the FDPR to Huawei sales. However, Bosch did not believe those mistakes rose to the level of willfulness required for criminal violations under the Export Control Reform Act.

The DOJ’s decision rested on four factors. First, Bosch made a timely and voluntary self-disclosure. Second, Bosch cooperated, including by disclosing relevant facts, preserving, collecting, and producing documents and information, and promptly responding to NSD requests. Third, Bosch remediated, including through organizational changes, adding 66 employees to its trade compliance organization, expanding U.S. trade compliance resources, and updating policies and procedures to provide clearer guidance on U.S. export control jurisdiction and licensing requirements. Fourth, DOJ found that regulatory remedies were adequate, specifically the approximately $36 million penalty imposed by BIS for civil violations under the ECRA and EAR.

The financial terms are also instructive. The DOJ conditioned the Declination on Bosch’s agreement to disgorge $11,430,098 within thirty days. That amount represented the pre-tax profits from sales to Huawei through BST and ETAS for products for which Bosch had not obtained the required EAR authorization. DOJ agreed to credit $7,829,069 paid by Bosch to BIS in the parallel resolution against the disgorgement amount.

Law360 reported that Bosch agreed to pay $36 million to resolve allegations that it improperly exported technology products to Huawei, with the payment amount including profit disgorgement under the DOJ Declination and a penalty under the parallel BIS agreement. Law360 also reported that Bosch said the civil violations were unintentional and that, upon discovering the potential export control violations, it conducted an extensive investigation, voluntarily self-disclosed to U.S. authorities, and cooperated throughout the process.

The timing matters. The DOJ released its first Department-wide Corporate Enforcement Policy for criminal matters on March 10, 2026. That policy was designed to provide uniformity, predictability, and fairness across DOJ corporate criminal enforcement. DOJ stated that, absent certain limited aggravating circumstances, companies that voluntarily disclose discovered misconduct, cooperate, and timely and appropriately remediate may receive a declination.

The Bosch matter is also tied directly to NSD’s export control and sanctions enforcement priorities. DOJ’s March 30, 2026, NSD guidance stated that enforcing export control and sanctions laws is a top priority for NSD and that companies and employees are at the forefront of protecting U.S. national security by preventing unlawful exports of sensitive commodities, technologies, and services, as well as unlawful transactions with sanctioned countries and designated parties.

In that context, Bosch is not merely an export controls case. It is the first public example of how NSD will apply the new Department-wide CEP to a national security matter. DOJ stated that this was the first time NSD had declined to prosecute a company under the CEP.

For trade compliance professionals, the facts underscore several enforcement realities. Export control jurisdiction can attach to foreign-produced items. Non-U.S. subsidiaries can create U.S. enforcement exposure. Entity List designations require more than customer screening. FDPR analysis must be integrated into product classification, sales review, engineering support, and third-party risk management. A compliance program that lacks the technical competency to interpret the rule can fail even when employees are trying to comply.

This is where the facts become the enforcement message. DOJ did not say Bosch had no compliance program. The DOJ said the relevant personnel were ill-equipped on a critical rule and that third-party warning signs were missed. In other words, the issue was not simply whether the company had a trade compliance function. The issue was whether that function had the expertise, authority, resources, and escalation mechanisms to identify and stop sales governed by complex national security controls.

The Bosch Declination also shows that voluntary self-disclosure continues to have real value, but only when paired with cooperation and remediation. DOJ did not reward disclosure alone. It credited Bosch for preserving and producing facts, responding promptly, making organizational changes, expanding resources, adding personnel, strengthening policies, accepting disgorgement, and resolving the civil matter with BIS.

That is the factual landscape. On Monday, we will turn from the facts to the lessons. For CCOs, Bosch is not simply a trade compliance resolution. It is a case study in what DOJ expects from compliance governance, internal controls, resources, remediation, and board oversight when national security risk moves from theoretical to real.


Daily Compliance News: June 11, 2026, The DeBanking Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Malaysia drops probe into ABC chief. (SCMP)
  • An Air Canada pilot flies for 17 years without a proper license. (NYT)
  • DOJ investigating big banks for ‘debanking’. (WSJ)
  • 7 charged in Hong Kong for the fire that killed 168 people. (FT)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot: What Sherlock Holmes Teaches About Risk, Ethics and Investigations, on Amazon.com.


Everything Compliance: New Season – The Government Misfires Edition

Welcome to a revamped Everything Compliance! We have a new host, Adam Turteltaub, and a new panelist, Rebecca Walker, who joins returning regulars Matt Kelly, Jonathan Armstrong, and Karen Moore for the next iteration of Everything Compliance.

  • Jonathan Armstrong discusses BP’s leadership upheaval, shareholder ESG concerns, and recurring governance and tone-at-the-top issues, highlighting UK directors’ duties under Section 172 of the Companies Act.
  • Karen Moore reviews IBM’s $17M DOJ False Claims Act settlement tied to alleged DEI-related practices, outlining the recent enforcement scaffolding, key alleged program elements, and ongoing risks beyond the settlement.
  • Matt Kelly summarizes DOJ remarks on “algorithmic antitrust” risk, citing the RealPage litigation and warning that shared AI pricing tools can constitute cartel behavior, with heightened whistleblower incentives.
  • Rebecca Walker explains the EU’s April 21, 2026, anti-corruption directive, which harmonizes offenses across 27 member states, including private bribery and “trading in influence,” large turnover-based penalties, and expected national transposition. The episode closes with brief shout-outs, rants, and themes of compliance culture.

The members of Everything Compliance are:

The award-winning Everything Compliance is a part of the Compliance Podcast Network.


What Interruptions Reveal About Corporate Culture

Every Chief Compliance Officer talks about culture. Every company claims to value ethics, integrity, respect, inclusion, and speak-up behavior. Those words appear in codes of conduct, CEO messages, training decks, town halls, leadership offsites, and annual ethics campaigns. Yet culture is not built into the code of conduct. It is revealed in the meeting.

That is the central lesson of Research: What Interruptions Reveal About Company Culture by William Degbey, Benjamin Laker, Baniyelme Zoogah, Sanjay Kumar Singh, and Ghulam Murtaza. The authors argue that workplace culture is shaped less by formal statements and engagement programs than by everyday interaction patterns, especially interruptions in meetings. Their research found that interruptions, redirections, and moments where employees were spoken over were not merely interpersonal annoyances. They were signals of whose voice carried weight in the room.

For the CCO, that finding should land with force. A company can have a beautifully written value of “speak up.” Still, if employees learn in ordinary meetings that certain people are cut off, ignored, or not credited for their ideas, the real culture is not to speak up. It is speak-only-if-you-have-power. That is a compliance issue.

Culture Is What Happens Before the Hotline

Compliance professionals often think about speak-up culture in terms of hotline reports, investigation data, employee surveys, and anti-retaliation policies. Those are important. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a trusted reporting mechanism, whether employees feel comfortable using it, whether reporting is encouraged or chilled, and whether employees can raise concerns without fear of retaliation.

But by the time an employee reaches the hotline, the culture has already taught that person a great deal. It has taught them whether management listens. It has taught them whether disagreement is welcome. It has taught them whether bad news is punished. It has taught them whether junior employees can challenge senior leaders. It has taught them whether women, employees from underrepresented groups, remote employees, finance staff, compliance staff, or local market employees are taken seriously.

The authors’ most important compliance lesson is that interruptions are cultural data. They are small, repeated, observable signals that show whether the company’s stated values are protected in daily business interactions or suspended when authority, speed, revenue, or hierarchy enters the room.

Why This Matters to Ethics and Integrity

Ethics and integrity depend on voice. Employees must be willing to raise concerns, ask questions, challenge assumptions, and slow down decisions when something does not look right. If the organization’s meeting culture teaches employees that unfinished concerns can be interrupted, redirected, or appropriated, then the company is training people not to speak.

The authors found that many senior leaders interpreted interruptions as signs of efficiency and engagement. They saw energetic cross-talk as evidence of a productive culture. Yet the follow-up study found that others experienced the same conduct as exclusionary and predictable. Interruptions were disproportionately directed at women and employees from underrepresented racial and ethnic groups. In the follow-up study, 19 of 27 interviewees described women being interrupted more frequently than men; all seven Black women interviewed described early-stage interruptions, and five said others later resurfaced their ideas without attribution.

For compliance, that is not simply an inclusion issue, though it certainly is. It is also a risk-detection issue. If certain voices are routinely cut off, then certain risks will be underreported. If certain employees must speak faster, more defensively, or only when explicitly invited, the company loses early warning signals. If some ideas are accepted only when repeated by someone with greater status, then the company is not evaluating risk on its merits. It is evaluating risk through hierarchy. That is how ethical blind spots form.

The Silent Cost of Being Interrupted

One of the most powerful findings in the article is that interruptions changed employee behavior. Twenty-one of the 27 participants in the follow-up study said they changed how they contributed to meetings. Some spoke faster or more defensively. Some pre-structured arguments to avoid being cut off. Some waited for explicit permission to speak. Others stopped contributing unless necessary. That is exactly what a CCO should worry about.

A healthy compliance culture does not require employees to perform perfectly polished courage. It gives employees room to raise half-formed concerns, ask awkward questions, and test whether something feels wrong before they have built a legal brief around it. Many compliance issues begin as fragments: “Something about this consultant does not feel right.” “The customer is asking for unusual documentation.” “The timing of this payment seems odd.” “Why are we routing this through that entity?” “I am not sure the data use matches what we told customers.” Those are early-stage compliance signals. They need space.

If the meeting culture rewards only fast, polished, confident speech, then employees who need time to frame a concern may never get the chance. The authors note that faster and more confident-sounding speech was often treated as more authoritative, while slower or less forceful speech was treated as incomplete and therefore easier to interrupt. For a CCO, the lesson is clear: do not build a compliance program that only works for the loudest person in the room.

From Tone at the Top to Conduct in the Room

Compliance professionals have long emphasized “tone at the top.” That remains important. But this article reminds us that tone at the top is incomplete unless it becomes conduct in the room.

The DOJ expects companies to demonstrate that compliance policies and procedures are integrated into operations and that a culture of compliance is embedded in day-to-day activities. That is precisely where meeting behavior matters. Meetings are where risk appetite becomes real. They are where employees learn whether the company actually values integrity when there is a deal to close, a target to hit, or a senior executive to satisfy.

A CCO should, therefore, ask:

What happens when ethics enters the meeting?

Does the room slow down?

Does the leader protect the person raising the concern?

Does someone capture the issue and assign a follow-up?

Does the business discuss controls and alternatives?

Or does the concern get interrupted, minimized, joked away, or pushed offline?

The answers will tell you more about culture than a slogan.

Reading Interruptions as Compliance Data

The authors recommend that leaders stop treating interruptions as isolated incidents and begin reading them as data. They suggest observing who gets interrupted, when the interruption occurs, and what happens to the idea afterward. Is the idea acknowledged? Is it dropped? Is it later picked up without credit? That framework can be directly adapted into a compliance culture assessment.

A CCO can ask compliance, internal audit, HR, or an outside facilitator to observe selected meetings where risk decisions are made. These might include third-party approval committees, deal review meetings, product governance meetings, investigations triage meetings, M&A diligence sessions, safety committees, privacy reviews, or regional leadership calls.

The observer should not simply count who speaks. This is not about policing manners. It is about understanding whether the company’s ethical culture allows risk information to travel upward and across the organization.

Slow the Meeting to Surface the Risk

The article warns that speed and forced momentum can amplify inequality. Faster conversations often favor those who already feel entitled to the floor. Those who anticipate interruption compress their thinking, hesitate, or wait for a clear opening. The authors recommend slowing the interaction: let people finish, pause before responding, reinforce the norm when someone is cut off, and rotate facilitation. This is deeply relevant to compliance.

Many corporate failures occur not because no one saw the risk, but because the organization moved past it too quickly. The payment had to go out. The distributor had to be approved. The quarter had to close. The launch date had to be met. The customer had to be retained. In that environment, “speed” can become a cultural value that overwhelms integrity. A CCO should help leaders build an “integrity pause” into decision-making.

Protect the Contribution, Not the Ego

The article also makes an important distinction. Calling out interrupters or turning every interruption into a lesson on etiquette often does not work. It can escalate the moment and personalize the issue. The better approach is to protect the contribution directly. The authors suggest short interventions such as “Let them finish,” “I want to hear the rest of that point,” and “Let’s come back to the idea that was just interrupted.” This is practical guidance for CCOs and compliance professionals.

When someone raises a compliance concern and is interrupted, the compliance professional does not need to accuse anyone of bad intent; a short intervention that protects the contribution is enough. Such interventions help create psychological safety around risk information. They tell the room that compliance concerns are not interruptions to business. They are part of doing business properly.

The CCO as Culture Observer

A CCO cannot improve culture solely by issuing policies. Policies matter, but culture is reinforced through repeated behavior. The DOJ guidance recognizes that policies and procedures must give effect to ethical norms and be integrated into day-to-day operations. That means the CCO must look beyond policy architecture and ask how people actually behave when decisions are being made.

Not every interruption is retaliation. Not every fast-paced meeting is unethical. Not every dominant speaker is a compliance risk. But patterns matter. Repeated interruption of certain people, functions, geographies, or types of concerns is cultural data. A CCO should treat it as such.

Turning the Article into a Compliance Playbook

A practical CCO response could include five steps.

  1. Add meeting behavior to the culture assessment. Ask employees whether they can finish raising concerns in meetings, whether leaders invite dissent, whether objections to risk are credited, and whether certain voices are routinely ignored.
  2. Observe high-risk meetings. Select a sample of decision-making forums and map interruptions, credit, follow-up, and closure. The goal is not surveillance. The goal is to understand whether the company’s values show up when risk is discussed.
  3. Train leaders on protecting concerns. Leadership training should include simple phrases for preserving unfinished risk points. A manager does not need to become a compliance expert to say, “Let’s hear the rest of that concern.”
  4. Build structured dissent into key decisions. For high-risk approvals, require a final risk round before the decision. Ask compliance, finance, legal, HR, internal audit, cybersecurity, or local-market leaders whether they see an unresolved issue.
  5. Report cultural signals to the board. Boards should hear more than hotline statistics. They should understand whether the organization’s meeting culture supports candor, dissent, and ethical escalation.

Improving Corporate Culture Around Ethics and Integrity

The broader message for compliance professionals is that ethics and integrity must become observable behaviors. Employees should see integrity in how meetings are run, how concerns are handled, how dissent is credited, how leaders respond to uncertainty, and how the company treats people who slow down a decision for the right reason.

The bottom line is straightforward. The words on the wall do not prove a culture of ethics and integrity. It is proven by who gets to speak, who gets heard, and what happens when someone raises a concern that slows the room down. For the CCO, the lesson from this article is powerful: look at the meetings. That is where the culture is already speaking.


The False Alignment Trap in Compliance Transformation

A major compliance initiative rarely fails because the Chief Compliance Officer (CCO) did not work hard enough. It usually fails because the organization never reached a true agreement on what the initiative was supposed to accomplish.

That is the core lesson from The False Alignment Trap by Julia Dhar, Kristy R. Ellmer, and Philip Jameson. The authors argue that many change efforts fail because senior leaders believe they agree on the “why,” “what,” and “how” of change when, in fact, they do not. A stitched-together flower is an apt metaphor for corporate change: from a distance, the initiative may look whole; up close, it may be held together by fragile threads.

For the CCO instituting a major compliance initiative, this insight is critical. Whether the project is a global third-party risk overhaul, a new sanctions screening program, an AI governance framework, a speak-up culture campaign, or a full redesign of the compliance operating model, the CCO cannot settle for polite nods around the executive table. The CCO must secure true agreement.

The authors frame the three questions every change program must answer: why are we changing, what are we changing, and how will the change occur? They also make an important distinction between “alignment” and “agreement.” Alignment may mean only that executives are not actively blocking one another. Agreement means leaders have made a detailed and explicit compact that allows them to move together and hold one another accountable. That distinction should be posted on every CCO’s wall.

Why This Matters to Compliance

A major compliance initiative always changes more than the compliance department. It changes how a sales function approves intermediaries. It changes how procurement selects vendors. It changes how finance reviews payments. It changes how HR handles discipline and incentives. It changes how legal, internal audit, cybersecurity, operations, and the business share data. It may change who can approve a deal, how quickly a transaction can move, and what documentation must be in place before revenue is booked. That means compliance transformation is not simply a compliance project. It is an enterprise change project.

The Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) asks three fundamental questions: whether the program is well designed, whether it is applied earnestly and in good faith through adequate resources and empowerment, and whether it works in practice. DOJ also asks whether senior management has articulated standards clearly, disseminated them in unambiguous terms, and demonstrated adherence by example. Those expectations cannot be met if the C-suite is only “conceptually aligned” on compliance.

A CCO may believe the company has agreed to strengthen compliance. The CEO may believe the initiative is about satisfying the board. The CFO may believe it is about reducing investigation costs. The head of sales may believe it is about avoiding bad distributors but not slowing growth. The general counsel may believe it is about reducing enforcement exposure. Operations may believe it is another documentation exercise. HR may believe it is about training completion rates. Everyone says yes. Everyone means something different. That is the false alignment trap.

The First Lesson: Never Launch on Slogans Alone

Compliance leaders love phrases such as “culture of compliance,” “tone at the top,” “risk-based approach,” “speak-up culture,” and “doing business the right way.” These phrases are useful, but they are not implementation plans. The authors warn that executives often think they agree because their conversations are insufficiently specific. Leaders may agree on a broad goal, but disagree sharply on the levers, trade-offs, timeline, funding, and operational consequences.

For a CCO, this means “we need a stronger third-party program” is not enough. The leadership team must agree on what that means in practice. Does it mean fewer third parties? More due diligence? More audits? Centralized onboarding? Automated screening? New contractual rights? Mandatory business justification? Enhanced payment controls? A right to terminate non-responsive intermediaries? A slower sales cycle in high-risk markets? Until those questions are answered, the CCO does not have agreement. The CCO has a slogan.

The Second Lesson: Silence Is Not Commitment

One of the most dangerous moments in compliance transformation is the executive meeting where everyone nods. The authors describe the “false consensus effect,” where leaders overestimate the extent to which others share their beliefs. They also describe the tendency of executives to pretend to agree rather than surface disagreement. In one example, executives used vague phrases such as “I am aligned,” “partly aligned,” and “conceptually aligned,” even though real disagreement remained unresolved.

Compliance professionals see this all the time. A regional president says, “We fully support the new due diligence process.” What she may mean is, “We support it unless it slows down strategic distributors.” A sales leader says, “We support compliance training.” What he may mean is, “We support it as long as it does not take people out of the field during the quarter.” A procurement leader says, “We support vendor controls.” What he may mean is, “We support them for new vendors, but not for legacy vendors.”

The CCO’s job is to make those reservations visible before launch. That does not mean creating conflict for conflict’s sake. It means creating a process where disagreement becomes a source of better design.

The Third Lesson: Invite Dissent Early

The authors recommend provoking an early exchange. Leaders should write down what they agree with, what they disagree with, and what they are unsure about. The authors specifically note that written reactions can reduce groupthink. They also recommend asking questions that invite contrary views, such as “What could go wrong with this approach?”

This is directly applicable to compliance. Before launching a major compliance initiative, the CCO should ask each executive to answer, in writing:

What risk are we trying to reduce?

What business process will this initiative change?

What are you worried this initiative will disrupt?

What resources will your function need?

What decisions are you willing to give up or share?

What part of this proposal do you not support?

Where do you believe compliance is underestimating the operational impact?

These questions are uncomfortable. That is the point. A compliance initiative that cannot survive executive-level dissent in a planning meeting will not survive business-level resistance during implementation.

The Fourth Lesson: Deferred Agreement Becomes Compliance Debt

The authors warn against the idea that leaders can “sort out the details later.” That may work for small experiments, but the authors argue that it is dangerous for transformative organizational change because vague or contradictory premises create confusion, delay, and employee frustration. They describe deferred agreement as a debt that leaders expect to repay quickly but often never repay at all. For compliance, deferred agreement is especially costly.

When the CCO launches without a clear executive agreement, the business will find the gaps. If sales and compliance disagree on third-party approval standards, the business will escalate every hard case. If finance and compliance disagree on payment controls, exceptions will multiply. If HR and legal disagree on discipline standards, investigations will produce inconsistent outcomes. If IT and compliance disagree on data ownership, monitoring dashboards will never mature. The result is not simply inefficiency. It is a control failure.

A CCO should treat unresolved executive disagreement as a known risk. It should be tracked, assigned, escalated, and resolved before the initiative moves from design to deployment.

The Fifth Lesson: Watch for the Three Failure Modes

The authors identify three consequences of false alignment: paralysis, hyperactivity, and tunnel vision. These are also classic symptoms of a failing compliance initiative.

Paralysis occurs when teams are stuck between competing executive priorities. In compliance, this looks like endless working groups, repeated risk assessments, draft policies that never finalize, and technology projects that remain in “requirements gathering” for months.

Hyperactivity occurs when teams launch too many initiatives to please too many stakeholders. In compliance, this looks like a dozen training campaigns, multiple dashboards, overlapping third-party reviews, new certifications, new attestations, and new committees, but no meaningful risk reduction.

Tunnel vision occurs when teams make progress on the wrong thing. In compliance, this may mean achieving 100% training completion while employees still do not know how to raise concerns. It may mean onboarding vendors faster while missing beneficial ownership risk. It may mean closing investigations more quickly while weakening root cause analysis.

The CCO should use these three symptoms as early warning indicators. If the initiative is stuck, too busy, or moving in the wrong direction, the problem may not be execution. It may be false alignment at the top.

Lessons in Building True Agreement for a Compliance Initiative

The authors offer a five-step path to true agreement: set clear parameters, provoke an early exchange, have a substantive debate, reach a formal verdict, and send a unified message. That framework can be translated directly into a CCO playbook.

  1. Set clear parameters. The CCO should define the decision rights before the project begins. Who decides the risk appetite? Who approves the budget? Who owns business process changes? What decisions require CEO approval? What issues go to the board? What happens if a regional business leader disagrees?
  2. Provoke an early exchange. The CCO should require written input from the CEO, CFO, general counsel, CHRO, CIO, internal audit, procurement, and key business leaders. This is where hidden objections should surface.
  3. Have a substantive debate. The CCO should hold one-on-one conversations with executives before the group decision meeting. The point is not to lobby for superficial support. The point is to understand red lines, trade-offs, and operational realities.
  4. Reach a formal verdict. The authors recommend asking for each individual’s agreement, documenting the decision, and creating a formal record of the agreed terms. For a compliance initiative, this should become a written executive charter. It should specify scope, budget, timeline, metrics, decision rights, business obligations, and escalation paths.
  5. Send a unified message. The authors warn against each executive’s team receiving its own version of events. Instead, the decision should be broadcast simultaneously in a single format to everyone who needs to know. For compliance, this is essential. Employees should hear one message: this is why we are changing; this is what will change; this is what will not change; this is who owns what; and this is how success will be measured.

The bottom line is clear. A major compliance initiative is not successful because the CCO announces it, the board approves it, or the executive team says it is “aligned.” It is successful when the company reaches true agreement on the risk, the change, the trade-offs, the ownership, and the evidence of effectiveness.

For the compliance professional, The False Alignment Trap provides a powerful reminder: do not launch a transformation on implied consent. Build the compact first. Then execute.