Categories
Blog

Declinations Are Not Exits: Using Liberty Mutual to Pressure – Test Your Compliance Program

In August 2025, the Department of Justice announced its first FCPA declination of the year, closing its investigation into Liberty Mutual Insurance Company. The facts, while concise, are significant: between 2017 and 2022, employees of Liberty General Insurance, Liberty Mutual’s Indian subsidiary, funneled approximately $1.47 million in bribes to officials at six state-owned banks in exchange for customer referrals. These illicit payments, concealed as marketing expenses and routed through third-party intermediaries, generated $9.2 million in revenue and $4.7 million in profits.

Despite this misconduct, DOJ declined prosecution, citing Liberty Mutual’s early self-disclosure in March 2024 while its internal investigation was still underway; its full and proactive cooperation, including naming individuals involved; and its timely remediation efforts, which included a full acceptance of responsibility, a systematic root cause analysis, and enhanced compliance controls. Notably, the company agreed to disgorge nearly $4.7 million in profits and adopted strengthened policies on third-party oversight, social media use, and ephemeral messaging apps.

Far from a routine declination, Liberty Mutual’s case is a blueprint for how DOJ expects companies to handle potential FCPA violations in 2025 and beyond. For compliance officers, it provides an opportunity to benchmark their programs against the department’s revised Corporate Enforcement Policy and assess whether their own organizations could withstand the scrutiny that Liberty Mutual faced.

What lessons should the compliance community draw from this “plain Jane” declination that is anything but ordinary? Today, we break it down.

Lesson 1: The Risks and Rewards of Early Self-Disclosure

Liberty Mutual’s decision to self-disclose in March 2024, before its internal investigation was complete, reflects the central tension in DOJ’s revised Corporate Enforcement Policy: disclose early or risk losing credit. Under the old guidance, companies were expected to report “immediately upon becoming aware” of potential misconduct, often before facts were clear. The 2025 revision softened the language slightly, but the expectation remains to step forward as soon as you have a clear understanding of the conduct, even if the picture is incomplete.

For compliance officers, this means preparing leadership and boards for tough judgment calls. Waiting for every fact to crystallize risks forfeiting the benefits of voluntary disclosure. Disclosing too early risks exposing the company to liability before it fully understands the problem. Building governance frameworks that allow rapid escalation, provisional risk assessment, and timely board engagement is no longer optional; it is a survival mechanism.

Lesson 2: “Full and Proactive” Cooperation

The declination letter praised Liberty Mutual for its “full and proactive cooperation.” This is a notable evolution in the DOJ’s vocabulary. We know what “full” means: produce documents, facilitate interviews, and respond to requests quickly. Note how this differs from the prior formulation by former Assistant Attorney General Kenneth Polite when discussing the DOJ’s Corporate Enforcement Policy. He defined cooperation as going “above and beyond the criteria for full cooperation” to provide ‘extraordinary’ assistance in demonstrating immediacy, consistency, degree, and impact of the disclosures and support of the investigation. Polite’s use of the term ‘extraordinary’ went well beyond the framing of “full and proactive cooperation.” An extraordinary commitment is required to demonstrate exceptional dedication to the investigation and actively assist the DOJ in achieving its goals.

Liberty Mutual provided relevant facts about individuals, prepared materials the DOJ hadn’t specifically requested, and worked through foreign data privacy challenges to expedite production. That’s proactive.

For compliance professionals, the message is unmistakable: cooperation credit does not just come from answering questions; instead, it comes from anticipating them. Proactive means preparing translations before DOJ asks, synthesizing investigative findings into clear presentations, and offering additional documentation that regulators might find helpful. Companies that want declinations need to train investigative teams to think two steps ahead.

Lesson 3: Navigating Deconfliction and Investigative Boundaries

The Liberty Mutual matter also reminds us of the delicate dance of deconfliction. The DOJ’s practice of asking companies to delay interviewing certain employees so that prosecutors can conduct their interviews first. But cooperation doesn’t end there. The DOJ may also encourage companies to expand their investigations into new geographies or business units.

The 2025 CEP revisions signaled an intent to keep investigations more focused for companies, which provides leverage to push back on overreach while still demonstrating cooperation.

Compliance officers must strike a balance: honor deconfliction requests that allow prosecutors to proceed without interference, but defend investigative boundaries when asked to wander into areas where no evidence exists. A disciplined scope protects both resources and credibility with regulators.

Lesson 4: Fulsome Acceptance of Responsibility

One of the more striking phrases in the declination letter was DOJ’s recognition of Liberty Mutual’s “fulsome acceptance of responsibility.” This signals a shift from perfunctory acknowledgments of wrongdoing to meaningful ownership.

It is the difference between saying, “Yes, our subsidiary made mistakes,” versus declaring, “We, as the parent company, failed to prevent this misconduct, and we own the failure.” Liberty Mutual didn’t stop at distancing itself from bad actors; it accepted enterprise-level responsibility.

For boards and executives, this is a powerful compliance lesson. DOJ expects companies to shoulder responsibility broadly, not hide behind “rogue employees.” The tone set at the top must reflect ownership, contrition, and commitment to preventing recurrence.

Lesson 5: Root Cause Analysis as Compliance Bedrock

The declination also highlighted Liberty Mutual’s systematic root cause analysis. This is not a new concept in compliance circles, but it is increasingly central to the DOJ’s calculus. Simply removing the wrongdoer isn’t enough. The question is: what systemic weaknesses allowed the misconduct to occur?

Liberty Mutual conducted a thorough RCA that examined its control environment, third-party oversight, and cultural gaps. This analysis guided remediation efforts, including structural reorganization, increased compliance resources, and enhanced third-party monitoring.

For compliance officers, the takeaway is straightforward: build RCA into every investigative playbook. Document how each failure occurred, identify the control breakdowns, and map remediation directly back to those findings. DOJ does not just want to see discipline; it wants to see learning.

Lesson 6: Messaging, Social Media, and the New Compliance Frontier

Finally, the Liberty Mutual declination highlighted an issue that has been simmering beneath the surface: the use of ephemeral messaging and social media in business communications. DOJ specifically noted Liberty Mutual’s remediation in this area, a rarity in declinations.

This signals that DOJ expects compliance programs to account for modern communication risks, not just email and enterprise systems, but WhatsApp, Signal, Teams auto-delete, and even Facebook Messenger or Instagram DMs. These channels are increasingly central to both legitimate business and corrupt schemes.

For compliance officers, the challenge is twofold:

  1. Develop clear policies governing employee use of messaging and social media for business.
  2. Deploy monitoring and recordkeeping mechanisms that ensure compliance with legal and regulatory expectations.

This is the new frontier, and companies that fail to adapt may find themselves unable to demonstrate control credibly.

Declinations as Roadmaps

The Liberty Mutual case may have looked routine at first glance, but it is anything but. For the compliance community, it serves as a roadmap for navigating the DOJ’s revised Corporate Enforcement Policy.

The lessons are clear: prepare for early self-disclosure, embrace proactive cooperation, defend investigative boundaries, accept responsibility broadly, conduct rigorous root cause analysis, and modernize oversight of communication.

Declinations are not just quiet exits; they are public teaching tools. Liberty Mutual’s experience demonstrates how a company can turn a damaging bribery scandal into a compliance success by owning the problem, learning from it, and showing a genuine commitment to reform. For today’s CCO, the real question is: if DOJ knocked on your door tomorrow, could you meet the Liberty Mutual standard?

Categories
All Things Investigations

All Things Investigations – DOJ’s Evolving Guidelines: Implications from Liberty Mutual’s FCPA Case

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, host Tom Fox welcomes back Mike DeBernardis to discuss the recently released first Foreign Corrupt Practices Act (FCPA) enforcement action, a Declination involving Liberty Mutual Insurance Company.

Mike DeBernardis, partner at Hughes Hubbard & Reed, and Tom delve into the first FCPA enforcement action of 2025 involving Liberty Mutual. They discuss the nuances of self-disclosure during ongoing investigations, the challenges facing defense attorneys, and the expectations set by the new corporate enforcement policy. Key topics include proactive cooperation, dealing with deconfliction, and the importance of root cause analysis. The conversation provides valuable insights into how the Department of Justice communicates its expectations through enforcement actions and the evolving landscape of corporate compliance.

Key highlights:

  • Exploring the Liberty Mutual Case
  • Challenges of Early Self-Disclosure
  • Corporate Enforcement Policy Changes
  • Full and Proactive Cooperation
  • De-confliction in DOJ Investigations
  • Root Cause Analysis Importance
  • Social Media and Ephemeral Messaging

 Resources:

Hughes Hubbard & Reed website

Mike DeBernardis

Categories
Blog

Using AI to Embed Compliance into Business Operations

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, for each blog post, I have created a one-page checklist for each article that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

Compliance programs have long wrestled with a central challenge: how to move from “bolt-on” to “built-in.” Too often, compliance has been perceived as an overlay, a set of policies and reviews that operate parallel to business activity. The Department of Justice has repeatedly emphasized that compliance should be integrated directly into operations, not treated as an afterthought.

Generative AI offers compliance professionals a new tool to achieve this, as Elisa Farri and Gabriele Rosani argue in an HBR article How AI Can Help Managers Think Through Problems, that AI is not just a productivity enhancer but a thought partner. Instead, it is capable of helping leaders frame problems, test assumptions, and engage in structured dialogues that improve decision-making.

I aim to utilize their article to support compliance officers in leveraging AI to enhance our ability to embed compliance into business processes more effectively. Today, I conclude my five-part blog post series on using GenAI in compliance to explore how AI can assist in building compliance into the business and what it means for the future of compliance programs. I also provide five key takeaways for compliance professionals on how to do so.

1. AI as a Co-Thinking Partner for Embedding Compliance into Workflows

One of the article’s most powerful insights is the concept of “co-thinking”; AI as a partner in structured dialogue rather than just a tool for quick answers. For compliance, this is transformative. Imagine using AI not simply to draft a policy, but to help you think through how that policy should be embedded in day-to-day operations.

For instance, when designing a gifts-and-entertainment approval process, AI can walk compliance through stakeholder perspectives: What does sales need? What would regulators expect? What friction will finance raise? By simulating these perspectives, AI helps compliance professionals design workflows that are practical and embedded, rather than abstract and detached.

This approach also makes compliance more proactive. Instead of reacting to risks after violations occur, AI-enabled co-thinking allows compliance to anticipate where policies may clash with business objectives and design operational solutions upfront. The compliance lesson is to treat AI as a structured dialogue partner to design compliance that lives inside the workflow, policies, and processes that are not just documented but operationalized.

2. Enhancing Stakeholder Engagement Through AI Simulations

Embedding compliance into business operations requires more than rules; it requires buy-in. The article highlights how AI can role-play different stakeholders, challenging managers to anticipate reactions. Compliance can use this capability to stress-test initiatives before rollout.

Suppose compliance is introducing a new due diligence system for third-party onboarding. AI can simulate how procurement might respond (“slows down vendor onboarding”), how business development might object (“hurts competitiveness”), and how regulators might evaluate (“strong demonstration of risk-based management”). This multi-stakeholder dialogue allows compliance teams to refine both process design and messaging before rollout.

The implication for compliance programs is clear: embedding compliance requires deep cultural alignment. AI makes it possible to test and rehearse that alignment at scale, reducing resistance and building smoother adoption. The compliance lesson is to use AI simulations to bring stakeholder voices into the design process, ensuring compliance is not bolted on but built with empathy for business realities.

3. AI-Assisted Root Cause Analysis Strengthens Business Integration

Compliance programs are expected to conduct root cause analysis after misconduct, but too often these reviews remain siloed. AI-enabled co-thinking helps expand root cause analysis into an exercise that strengthens business operations.

For example, when analyzing repeated travel and expense violations, AI can guide compliance through structured questions: Were training gaps to blame? Were approval workflows too weak? Were sales incentives misaligned? Then, critically, AI can help map remediation back into operations—tightening finance approvals, adjusting incentive structures, and embedding compliance flags directly into expense systems.

This is not about AI making the decision. It is about AI helping compliance think through operational integration of lessons learned. Instead of merely complying with regulations by writing a report that sits on a shelf, the outcome becomes operational adjustments inside business processes. The compliance lesson (or rather, perhaps implication) is that the DOJ expects compliance programs to prevent recurrence through systemic fixes. AI co-thinking can ensure those fixes are operational, not theoretical.

4. Scaling Compliance Culture and Mindset Shifts Across the Organization

The article notes how AI can be used to coach managers through mindset shifts, helping them reflect on new behaviors and practices. Compliance can use the same approach to embed cultural expectations directly into business teams. For example, AI can be configured as a compliance coach embedded in daily tools, guiding managers through ethical dilemmas, prompting reflection during approval requests, or reinforcing company values during project planning. Instead of compliance being external and episodic, it becomes internal and continuous.

This democratizes compliance development. A frontline manager in Asia can interact with AI that reinforces compliance culture in real time, rather than waiting for annual training or sporadic compliance visits. It also gives compliance leaders data on where employees are struggling, revealing cultural gaps that can be addressed systemically.

The implication is that embedding compliance is not just about systems but about mindset. AI can make culture-building a daily, distributed activity rather than a centralized, one-time effort.

5. Ensuring Human Judgment Remains Central in AI-Enabled Compliance

Finally, while AI can enhance problem-solving and integration, the article underscores that co-thinking only works when humans stay actively engaged. Compliance cannot abdicate responsibility to machines. This has profound implications for compliance programs. AI can help frame problems, simulate stakeholders, and propose operational fixes, but it cannot weigh reputational risk, interpret regulatory expectations, or balance competing global obligations. Those decisions require human judgment.

The key is balance: AI accelerates and deepens thinking, but compliance leaders must build governance frameworks to ensure outputs are reviewed, validated, and contextualized. Embedding compliance into business operations does not mean letting AI run the show; it means letting AI augment human reasoning so that compliance becomes more practical, strategic, and defensible.

The compliance lesson, based on both the DOJ’s FCPA Resource Guide and the 2024 ECCP, is clear that compliance must be risk-based, well-resourced, and continuously improved. AI helps compliance think through integration, but humans remain accountable for ensuring it meets regulatory standards and ethical expectations.

AI as a Pathway to Embedded Compliance

The future of compliance is embedded, not bolted on. DOJ expects it. Boards demand it. Employees need it. The challenge is figuring out how to make it real. AI offers compliance professionals a powerful new tool: not as an oracle, but as a co-thinker. By helping compliance frame problems, simulate stakeholders, strengthen root cause analysis, scale cultural coaching, and reinforce human judgment, AI can accelerate the shift from compliance as oversight to compliance as an integrated business practice.

The call to action is simple: use AI not just to make compliance faster, but to make compliance inseparable from business. That is how compliance earns trust, drives culture, and meets regulatory expectations in the age of AI.

Categories
Blog

Trust and Verify: How Compliance Can Harness AI Agents Safely

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, for each blog post, I have created a one-page checklist for each article that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

When we think of “trust” in compliance, our minds usually go to whistleblowers, employees, or third parties. But increasingly, the question of trust must extend to a new category of actors: AI agents.

As Blair Levin and Larry Downes explain in their provocative Harvard Business Review piece, titled “Can AI Agents Be Trusted?“, AI agents are not just smarter chatbots. They are software systems that can collect data, make decisions, and even act autonomously based on rules and priorities. For compliance professionals, this changes the game. If AI agents can act on our behalf, can they also be trusted to uphold compliance principles?

The answer is yes, but only if we design and monitor them with the same rigor that we apply to employees, third parties, and business partners. Today, we look at five key takeaways from their article to guide compliance professionals in building AI agents into trustworthy components of their programs.

1. Trust Requires Oversight, Just as with Human Agents

The article makes a simple but powerful analogy: think of an AI agent the way you would think of an employee or contractor. Before delegating sensitive responsibilities, you conduct background checks, put controls in place, and possibly even require bonding. The same must hold for AI.

For compliance, this means creating oversight structures before deploying agents into live workflows. If your compliance AI assistant can monitor transactions for red flags, you must ensure that a human compliance officer reviews its outputs. If it can escalate potential whistleblower complaints, you must validate that escalation logic against regulatory requirements.

AI oversight also means testing for vulnerabilities. As Levin and Downes note, AI agents are susceptible to hacking, manipulation, and even misinformation. Compliance should require penetration testing of any agent integrated into company systems, just as IT would test network defenses.

Trust is never blind in compliance. It is built on verification, monitoring, and accountability. AI agents can and should be trusted, but only when they operate within a compliance framework that mirrors the controls we already use for human agents.

2. Recognize and Manage Bias and Conflicts of Interest

One of the major risks highlighted in the article is bias, whether introduced by marketers, advertisers, or flawed training data. Just as a conflicted employee can steer decisions for personal gain, an AI agent can be subtly manipulated to favor sponsors, advertisers, or even certain viewpoints.

For compliance professionals, this should raise alarms. Imagine an AI agent used for third-party due diligence. If biased data shapes its recommendations, you could end up onboarding a high-risk vendor while rejecting a low-risk one. Worse, if regulators discover that your system relied on biased algorithms, you’ll face serious questions about program effectiveness.

The solution is conflict-of-interest monitoring for AI. Just as employees must disclose outside interests, AI agents should be tested and audited for hidden preferences. Compliance should insist on transparency from vendors about training data sources and sponsorship arrangements. In some cases, contracts with AI providers may need explicit clauses guaranteeing independence from commercial influence.

Compliance has always been about spotting and mitigating conflicts. In the age of AI, that vigilance must extend to our digital agents. Only then can we claim that our programs are fair, impartial, and defensible.

3. Treat AI Agents as Fiduciaries of Compliance

Perhaps the most compelling insight from Levin and Downes is that AI agents should be treated as fiduciaries. Just as lawyers, trustees, and board members owe a heightened duty of care to their clients, AI agents entrusted with compliance responsibilities must be designed and governed under similar standards.

For compliance officers, this concept aligns directly with DOJ expectations. The Evaluation of Corporate Compliance Programs (2024 ECCP) emphasizes accountability, transparency, and independence. By treating AI agents as fiduciaries, compliance leaders can extend these principles to technology.

What does fiduciary duty look like in practice?

  • Obedience: AI must follow company policies and regulatory standards.
  • Loyalty: AI must prioritize the company’s compliance objectives over any hidden commercial interests.
  • Confidentiality: AI must protect sensitive compliance data from leaks or misuse.
  • Accountability: AI actions must be traceable, with clear logs and audit trails.

This fiduciary framing provides compliance professionals with a powerful tool. It not only reassures stakeholders that AI can be trusted, but it also sets a benchmark that regulators can understand and evaluate. In short, fiduciary AI is defensible AI.

4. Build Market and Insurance-Based Safeguards

The article notes that beyond regulation, market mechanisms such as insurance and independent oversight will be critical to ensuring AI trustworthiness. For compliance leaders, this presents both a risk management strategy and an opportunity.

Just as identity theft insurance evolved alongside online banking, AI liability insurance will likely become a standard corporate requirement. Compliance officers should begin engaging with insurers to explore coverage for AI-related risks, such as data leaks, wrongful denials of due diligence clearance, or biased decision-making.

Equally important are third-party oversight tools. The article envisions AI “credit bureaus” that could audit agent behavior, set decision thresholds, or freeze activity when risks escalate. For compliance, such independent monitoring could provide an external layer of assurance that your AI systems are behaving as intended.

The takeaway is clear: do not rely solely on internal controls. Pair them with market-based safeguards and external verification. Doing so not only strengthens trust in AI agents but also demonstrates to regulators that your program embraces both proactive and independent oversight.

5. Design for Data Security and Local Control

Finally, Levin and Downes stress the importance of keeping decisions local; that is, ensuring sensitive data stays on company-controlled devices and servers, rather than in external clouds. For compliance professionals, this echoes a familiar principle: control the data, control the risk.

Agentic AI, by definition, processes vast amounts of sensitive information. If compliance agents are reviewing hotline reports, transaction monitoring data, or due diligence files, any data leakage could be catastrophic. That’s why strong encryption, local processing, and secure enclaves are essential.

Compliance officers should demand that AI vendors support:

  • On-device or private cloud processing for sensitive tasks.
  • Encryption of all data in transit and at rest.
  • Independent verification of security claims by external auditors.
  • Full disclosure of sponsorships, promotions, and paid influences.

By designing AI agents with local control and transparency, compliance teams can build systems that are both effective and trustworthy. Data security is not just an IT concern; it is a compliance imperative.

Trust, But Never Blindly

AI agents hold immense potential for compliance programs. They can streamline monitoring, accelerate due diligence, and support real-time risk management. But as Levin and Downes remind us, they must also be carefully governed to prevent bias, manipulation, and misuse.

For compliance leaders, the path forward is to treat AI like any other agent (or channel your inner Ronald Reagan: trust, but verify. With oversight, fiduciary framing, market safeguards, and strong data controls, AI can become a trusted partner in compliance—one that strengthens, rather than weakens, the ethical fabric of the organization.

Categories
Blog

Building Your Own AI Assistant: Compliance Lessons in Customization

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, for each blog post, I have created a one-page checklist for each article that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

In the ever-changing world of compliance, resource constraints remain one of our biggest hurdles. Whether you’re drafting policies, conducting risk assessments, or preparing investigation summaries, the work is often repetitive, labor-intensive, and subject to tight deadlines. Enter the AI assistant, not as a futuristic dream, but as a practical, buildable tool available to compliance professionals right now.

Alexandra Samuel’s article in Harvard Business Review titled How to Build Your Own AI Assistant, makes one point crystal clear: if you can describe a project in plain English, you can build your own AI assistant. And for compliance professionals, this represents a transformative opportunity to reduce administrative burdens while increasing consistency, accuracy, and adaptability.

But building your compliance AI assistant isn’t about chasing efficiency alone—it’s about making intentional design choices that reinforce compliance objectives, protect corporate culture, and ensure regulatory defensibility. Today, we consider five key takeaways for compliance professionals, each showing how you can harness AI assistants to enhance, not replace, your compliance program.

1. Start with the Right Use Cases

Before building, compliance leaders must ask: What problems do we want AI to solve? Samuel notes that AI assistants excel in four domains: writing and communications, troubleshooting, project management, and strategic coaching. For compliance, this translates into use cases like:

  • Drafting first-pass policy updates aligned with global regulations.
  • Summarizing enforcement actions for Board reporting.
  • Automating responses to routine employee compliance questions (e.g., “Can I accept this client gift?”).
  • Tracking investigation timelines and automatically extracting action items from meeting transcripts.

Choosing the right use case ensures your AI assistant is a force multiplier rather than a shiny distraction. Importantly, you want to start with low-risk, high-volume tasks. Drafting an anti-corruption annual training memo? AI can handle the boilerplate. Deciding whether to disclose a potential FCPA violation to the DOJ? That still belongs squarely in the human domain.

The real lesson here: compliance officers should not let “AI hype” dictate priorities. Instead, define pain points within your compliance workflow and build assistants targeted at those specific, recurring problems. Start small, iterate, and scale responsibly.

2. Design Clear Instructions—Your Assistant Is Only as Good as Its Guidance

According to Samuel, the “heart” of a custom AI assistant is the set of instructions you provide. For compliance teams, this is where risk and opportunity intersect. If your assistant doesn’t know who it is, what standards to apply, and what tone to use, it will produce outputs that undermine your credibility.

Think of instructions as your assistant’s Code of Conduct. Instead of saying “you are a compliance assistant,” you can be more precise:

  • “You are a corporate compliance officer drafting policies for a multinational company. You must ensure all content aligns with DOJ guidance on effective compliance programs, uses a professional but approachable tone, and provides practical examples for employees.”

These custom instructions allow you to “bake in” compliance frameworks from day one. For example, you can require the assistant to reference the COSO Framework for Internal Controls, ISO 37001, or the DOJ’s Evaluation of Corporate Compliance Programs whenever relevant.

The key compliance insight: good AI assistants reflect great compliance design. Just as vague compliance policies create ambiguity, vague AI instructions create unreliable outputs. Invest time in precise persona-building for your assistant, and you’ll reap consistent, defensible results.

3. Feed It Knowledge—Without Losing Control of Sensitive Data

Samuel emphasizes that AI assistants become truly powerful when equipped with background documents, such as policies, reports, contracts, or training decks. For compliance, this is both a gold mine and a minefield.

On one hand, uploading prior investigation reports, risk assessments, or compliance training modules allows your assistant to generate outputs that reflect your company’s real history and regulatory environment. Imagine an assistant that can instantly pull together a cross-border risk assessment using your own prior filings and internal guidance.

On the other hand, compliance officers must stay vigilant about data protection, privilege, and confidentiality. Sensitive HR records, whistleblower reports, and privileged investigation materials should never be indiscriminately fed into a platform without proper safeguards.

Here lies the balancing act: compliance teams must create AI assistants that are well-informed but tightly governed. This may involve anonymizing data, working through secure enterprise-grade AI platforms, or restricting inputs to public and non-sensitive internal documents.

The compliance lesson is simple but non-negotiable: context matters, but confidentiality reigns supreme. Building a compliance AI assistant means establishing protocols for what can and cannot be shared.

4. Iterate Constantly—Think Like a Compliance Monitor

Just as compliance programs require continuous improvement, so too do AI assistants. Samuel makes it clear that assistants won’t be perfect out of the box. They require ongoing feedback, refinement, and adjustment.

For compliance professionals, this is second nature. We already think in terms of monitoring, auditing, and revising. Apply the same discipline to your AI assistant:

  • Audit its outputs for accuracy, tone, and regulatory defensibility.
  • Track where it consistently underperforms (e.g., misinterpreting data privacy rules) and feed corrective instructions.
  • Periodically, “refresh” its context files to reflect updated regulations, new enforcement actions, or changes in corporate policy.

Samuel suggests asking your assistant to write their own revised instructions based on your feedback. That’s a compliance monitoring exercise in itself—your assistant becomes both subject and participant in continuous improvement.

The compliance takeaway: treat your AI assistant as a dynamic system, not a static tool. Just as DOJ expects ongoing risk assessments and remediation, regulators will expect that AI tools in compliance are actively managed, not blindly trusted.

5. Embed Ethical Guardrails and Accountability

The most important compliance lesson in building your own AI assistant is ensuring accountability. As Samuel warns, assistants can hallucinate or produce flawed outputs. In compliance, this is not simply an annoyance; more importantly, it is a potential liability.

That means your assistant must operate under ethical guardrails:

  • Always include a human-in-the-loop review before any AI-generated compliance document is finalized.
  • Require disclosures when AI was used in drafting policies, reports, or training.
  • Train employees not to treat AI outputs as gospel but as drafts for critical evaluation.
  • Align your assistant’s objectives with compliance KPIs, accuracy, transparency, and defensibility, rather than raw speed.

This mirrors the DOJ’s emphasis on corporate accountability. An AI assistant may help draft your gifts and entertainment policy, but it cannot stand before prosecutors and defend your compliance program. That responsibility remains squarely with leadership.

The compliance lesson here is unmistakable: AI is a tool, not a scapegoat. Build it to augment compliance decision-making, not to absolve it.

From Experiment to Integration

Building your own AI assistant is not a technical challenge. It is a compliance design challenge. As Alexandra Samuel reminds us, if you can describe your project, you can build your assistant. For compliance officers, that means thinking intentionally about use cases, precision in instructions, safeguards for sensitive data, iteration, and ethical guardrails.

The opportunity is immense. With thoughtfully designed AI assistants, compliance professionals can shift their focus from repetitive drafting to higher-order strategy, from administrative overload to proactive risk management. But the responsibility is equally immense. An AI assistant reflects the design choices of its creators, choices that must always prioritize compliance culture, accountability, and trust.

Categories
Blog

When the Captain Isn’t the Captain: Star Trek’s Turnabout Intruder as a Root Cause Analysis Case Study

One of the Department of Justice’s most consistent themes in its 2024 Update to the Evaluation of Corporate Compliance Programs (ECCP) is the need for companies to conduct effective root cause analysis following misconduct or control failures. It’s not enough to identify what went wrong; you must understand why it happened and implement measures to prevent it from happening again.

That principle is front and center in the Star Trek: The Original Series finale, Turnabout Intruder. In this episode, Captain Kirk is on an archaeological survey mission when he encounters Dr. Janice Lester, an old acquaintance from Starfleet Academy. Through a mysterious alien device, Lester transfers her consciousness into Kirk’s body, trapping his mind in her own body. What follows is a tense series of events in which “Kirk” behaves increasingly erratically, prompting suspicion among the crew.

For compliance professionals, the episode is a surprisingly apt case study in the perils of failing to dig past the surface when something seems off. Just as the crew needed to piece together the real cause of their captain’s strange behavior, compliance teams must be adept at peeling back layers to discover the true root cause of problems.

Here are five key root cause analysis lessons from Turnabout Intruder.

Lesson 1: Unusual Behavior Should Trigger an Investigation

Illustrated by: Shortly after the mind swap, “Kirk” begins making uncharacteristic decisions, belittling subordinates, ignoring Starfleet protocols, and punishing dissent in ways that are entirely out of character for the captain.

Compliance Lesson:

Behavior that deviates from established patterns should be a red flag. In corporate compliance, abrupt changes, whether in employee conduct, financial reporting patterns, or transaction activity, often indicate deeper issues.

Too often, organizations rationalize away early warning signs: “He’s under stress” or “That’s just her style.” But effective root cause analysis begins with the willingness to ask, Why is this happening now? Early detection is often the difference between a manageable problem and a full-blown crisis. Develop and maintain behavioral baselines for key personnel and functions. If something deviates sharply, investigate promptly rather than waiting for more evidence to emerge.

Lesson 2: Multiple Data Points Build a Stronger Case

Illustrated by: Several crew members—Spock, McCoy, Scotty—each notice something odd about “Kirk.” At first, their observations are anecdotal and separate. Only when they share information do they begin to see a pattern that suggests something is seriously wrong.

Compliance Lesson.  Root cause analysis is stronger when it integrates multiple perspectives and sources of data. If you rely on a single source, one audit, one complaint, you risk drawing incomplete or biased conclusions.

In the episode, no single crew member had enough to prove that Kirk wasn’t himself. But when their observations were combined, the collective evidence pointed toward an anomaly that needed urgent action. Create processes that encourage information sharing across departments. Compliance, audit, HR, and operations should have mechanisms to cross-reference findings because the root cause may only emerge when different pieces are put together.

Lesson 3: Be Alert to Hidden Motives

Illustrated by: In Kirk’s body, Lester uses her new authority to sideline suspected opponents, reassigning or threatening crew who question her behavior. Her motive isn’t mission success; it’s consolidating her stolen command.

Compliance Lesson. The apparent cause of a problem may mask deeper personal or organizational motives. Misconduct often occurs because someone is pursuing goals that conflict with corporate policy, whether financial gain, personal vendettas, or reputational enhancement.

If your analysis stops at “This person violated policy,” you miss the opportunity to uncover why they were willing to risk consequences. In many cases, systemic issues, misaligned incentives, toxic culture, and weak oversight are the true drivers. In every investigation, ask “What’s in it for them?” Understanding incentives, pressures, and personal agendas can reveal root causes that process analysis alone won’t uncover.

Lesson 4: Authority Structures Can Delay Recognition of the Problem

Illustrated by: Even when evidence mounts, the crew is reluctant to challenge “Kirk” because of the chain of command. Starfleet discipline dictates deference to the captain, making it harder to act on suspicions.

Compliance Lesson. In organizations, hierarchy can be a barrier to identifying root causes. Employees may hesitate to report misconduct by senior leaders, or they may assume questionable directives are “above their pay grade” to question.

This dynamic often allows problems to persist far longer than they should. A compliance program must be designed to bypass those bottlenecks, giving employees safe, confidential, and credible ways to report concerns, even about top executives. Ensure that escalation procedures allow for independent review of senior management conduct. Whistleblower protections, ombuds functions, and anonymous hotlines can help surface issues that otherwise stay buried.

Lesson 5: Validate Assumptions Before Acting

Illustrated by: Spock eventually confronts “Kirk” and demands an explanation. Through logical analysis and a mind meld, he confirms the body-swap truth. Only then can the crew take decisive action to restore the captain to his rightful body.

Compliance Lesson. One of the biggest pitfalls in root cause analysis is acting on unverified assumptions. If you jump to conclusions too early, you may “fix” the wrong problem—or make it worse. Spock’s mind meld was the ultimate verification step. In compliance, your “mind meld” might be corroborating whistleblower claims with independent documentation, or testing an internal control in multiple scenarios before concluding it’s defective.

Build verification into your root cause analysis process. Don’t settle for the first plausible explanation; pressure-test your conclusions before implementing remediation.

Connecting Star Trek to DOJ Expectations

The DOJ’s ECCP explicitly asks:

  • “What is the root cause of the misconduct?”
  • “Were prior opportunities to detect the misconduct missed?”
  • “What systemic failures contributed to the issue?”

Turnabout Intruder illustrates the importance of addressing these questions. If the crew had stopped at “the captain is acting oddly” and focused on damage control, they might never have uncovered the deeper truth of Lester’s body swap. Similarly, in corporate investigations, stopping at the surface level (“employee violated policy”) without probing the environment that allowed it to happen fails both the DOJ’s expectations and your prevention mandate.

Final ComplianceLog Reflections

In Turnabout Intruder, the crew’s slow realization of the true problem nearly cost them their captain and perhaps the Enterprise itself. In the compliance arena, a slow or shallow root cause analysis can allow misconduct to persist, control weaknesses to remain unaddressed, and systemic issues to metastasize.

Effective compliance leadership means not just spotting what’s wrong, but relentlessly pursuing why it went wrong. That’s how you fix the problem in a way that prevents recurrence.

Like Spock confronting “Kirk,” we must be willing to gather evidence methodically, test our conclusions, and take decisive action once the truth is clear. Root cause analysis isn’t about blame—it’s about ensuring your organization emerges stronger, more transparent, and more resilient than before.

Because in the end, just like the Enterprise, your mission depends on having the right people in the right roles, operating with integrity, and that’s a result only a thorough, well-executed root cause analysis can guarantee.

 Resources:

⁠⁠Excruciatingly Detailed Plot Summary by Eric W. Weisstein⁠⁠

⁠⁠MissionLogPodcast.com⁠⁠

⁠⁠Memory Alpha

Categories
Blog

Institutional Justice and Fairness in Compliance: Lessons from Star Trek’s ‘The Cloud Minders’

Institutional justice and institutional fairness are not abstract ideals; they are operational requirements in a corporate compliance program. They define how policies are enforced, how decisions are made, and how employees perceive the integrity of their workplace. One of the most vivid illustrations of the dangers of systemic injustice and perceived unfairness comes from Star Trek: The Original Series in “The Cloud Minders.”

The DOJ’s 2024 Evaluation of Corporate Compliance Programs (ECCP) reinforces this point: for a compliance program to be effective, it must not only exist on paper but also operate fairly in practice. The DOJ expects companies to show that their compliance processes are applied consistently across the organization, regardless of seniority, revenue generation, or personal connections.

Why the DOJ Cares About Justice and Fairness in Compliance

In the ECCP, the DOJ focused on institutional justice and institutional fairness as key mandates for the compliance function. Why? It was rooted in practicality: a compliance program that is seen as biased or inconsistent will fail. Employees will not report misconduct, will hide mistakes, and will disengage from ethics initiatives.

Prosecutors know that when misconduct occurs in such an environment, it’s often a symptom of deeper cultural problems. That’s why, during investigations, they ask:

  • Are policies applied equally to all levels of the organization?
  • Is discipline consistent and documented?
  • Do employees believe the process is fair?
  • Has the company addressed the underlying causes of misconduct?

If the answers to these questions are unsatisfactory, the DOJ is more likely to view the compliance program as ineffective, regardless of its written policies.

The Tale 

The Enterprise is sent to the planet Ardana to collect zenite, a mineral needed to stop a plague on another world. Captain Kirk and Mr. Spock beam down to Stratos, a floating city inhabited by the planet’s elite, only to discover a deep societal divide. The surface of Ardana is worked by “Troglytes,” a laborer class forced to mine zenite under hazardous conditions, denied access to the comforts and education of Stratos.

The elites justify this arrangement as necessary for stability, while the Troglytes see it as systemic exploitation. The episode becomes a study in the consequences of entrenched inequality, distrust, and the refusal to address legitimate grievances, exactly the kinds of dynamics that can erode trust in a corporate compliance program if not addressed.

From this story, we can extract five compliance lessons on institutional justice and institutional fairness.

Lesson 1: Consistency in Standards Is Non-Negotiable

Illustrated by:  The leaders of Stratos apply rules differently depending on social status. The elite enjoy cultural and political freedoms, while Troglytes face restrictions and harsher punishments for similar conduct.

Compliance Lesson. The DOJ has repeatedly emphasized that policies and disciplinary measures must be applied consistently. If employees perceive that “rainmakers” or executives receive lighter sanctions, or none at all, for policy violations, trust in the compliance function evaporates. In The Cloud Minders, the double standard deepens resentment and drives conflict, precisely what can happen inside a company when justice is selective.

Why It Matters to DOJ: Prosecutors evaluate whether discipline is enforced “consistently across the organization, regardless of position or power.” Inconsistency is a red flag that the program is a paper exercise rather than a living system.

What should you do?

  • Establish clear, documented disciplinary protocols.
  • Apply them uniformly, with oversight from the compliance function.
  • Communicate to the workforce that no one is above the rules.

Lesson 2: Address Root Causes, Not Just Symptoms

Illustrated by: The Troglytes’ performance and health are impaired because mining zenite exposes them to toxic vapors. The elites interpret this as proof of inferiority, ignoring the environmental cause.

Compliance Lesson. Organizations sometimes treat compliance failures as isolated misconduct rather than symptoms of deeper issues, such as inadequate training, unrealistic sales targets, or flawed incentive structures. In Ardana, fixing the air quality in the mines would have solved much of the productivity gap, just as fixing systemic drivers of noncompliance prevents repeat issues.

Why It Matters to DOJ: The DOJ looks for root cause analysis after misconduct. They want to see whether the company took corrective action to address systemic issues, not just discipline the individuals involved.

What should you do?

  • Investigate not only “who” did something wrong, but “why” it happened.
  • Use findings to improve processes, incentives, and controls.
  • Share non-confidential lessons learned with the workforce to demonstrate fairness and transparency.

Lesson 3: Perceived Fairness Matters as Much as Actual Fairness

Illustrated by: Even when Kirk offers protective gear to the Troglytes, they are slow to trust his intentions. Years of mistreatment have convinced them that promises from the elites are empty.

Compliance Parallel: Employees judge compliance programs not only by their design but by how fair they feel in practice. If people believe investigations are biased or that whistleblowers will be punished, they will avoid reporting, even if the official policy says otherwise. On Ardana, the absence of trust kept both sides from engaging in good-faith solutions—something corporate leaders must avoid at all costs.

Why It Matters to DOJ: Prosecutors assess whether employees trust the compliance program enough to use it. A hotline no one calls is not evidence of a healthy culture—it may be proof of fear or cynicism.

What should you do?

  • Publicize examples where issues were raised and resolved fairly.
  • Protect whistleblowers from retaliation and make that protection visible.
  • Use employee surveys to measure trust in compliance processes.

Lesson 4: Leadership Must Model Ethical Behavior

Illustrated by: Stratos’s leaders speak about justice and stability, but are unwilling to live under the same risks or hardships as the Troglytes. Their detachment from the reality of mining life fuels the unrest.

Compliance Lesson. Leaders who preach ethics but cut corners for themselves undermine institutional fairness. Employees take cues from the top; if executives are exempt from rules, the rest of the organization will follow suit. In The Cloud Minders, the Stratos elite’s credibility collapses because they refuse to share the burdens of those they govern, a mistake no corporate leadership team should make.

Why It Matters to DOJ: The DOJ examines “tone at the top” and “conduct at the middle.” They want to see that leadership’s actions match their words and that managers reinforce the message through daily decisions.

What should you do?

  • Ensure executives participate in the same training and certifications as all employees.
  • Make leadership accountable for compliance metrics.
  • Publicly acknowledge when senior leaders are held to account for violations.

Lesson 5: Dialogue and Inclusion Are Tools for Justice

Illustrated by: Spock approaches the Troglytes with genuine respect, listening to their grievances and acknowledging their intelligence. His willingness to engage earns him credibility that Stratos leaders lack.

Compliance Parallel: Institutional fairness is strengthened when employees feel heard and included in shaping solutions. This doesn’t mean every request can be granted, but the act of listening and considering input builds trust. Just as Spock bridged the divide on Ardana, compliance leaders can bridge gaps in trust by treating all stakeholders with respect and dignity.

Why It Matters to DOJ: A compliance program is stronger when it incorporates feedback from the workforce. The DOJ favors companies that regularly assess the program’s effectiveness through interviews, surveys, and focus groups.

What should you do?

  • Include employee representatives in policy review committees.
  • Hold listening sessions for employees and other stakeholders after major incidents or policy changes.
  • Act on feasible suggestions and explain when ideas can’t be implemented.

Practical Compliance Takeaways from The Cloud Minders

  1. Apply Rules Equally: Avoid double standards by holding everyone—from the C-suite to front-line staff—to the exact requirements.
  2. Investigate Root Causes: Fix systemic issues, not just individual mistakes.
  3. Build Trust in the Process: Ensure employees perceive the program as fair and protective.
  4. Lead by Example: Leadership must model the ethical behavior expected of all.
  5. Listen and Include: Use dialogue to bridge divides and strengthen buy-in.

Final ComplianceLog Reflections

The Cloud Minders is more than a parable about class division; it is a warning for any institution that neglects fairness and justice. In Ardana, injustice created resentment, distrust, and rebellion. In a corporation, those same dynamics can lead to silent disengagement, hidden misconduct, and public scandal.

The DOJ’s message is clear: fairness and justice are not optional add-ons to compliance; they are the foundation of a program that works. As compliance leaders, our role is to be the “Spock” in the room, listening, respecting, and bridging divides while ensuring that the rules are fair, transparent, and consistently applied.

When we do that, we do not just comply with the DOJ’s expectations; we build organizations where people trust the system enough to make it work.

Resources:

⁠⁠Excruciatingly Detailed Plot Summary by Eric W. Weisstein⁠⁠

⁠⁠MissionLogPodcast.com⁠⁠

⁠⁠Memory Alpha

Categories
Blog

Business Ethics Lessons from Star Trek’s Requiem for Methuselah

In corporate life, ethical decision-making is not only a question of right and wrong. It is also a test of leadership, trust, and long-term vision. Missteps in ethics erode corporate culture, destroy reputations, and invite regulatory and shareholder scrutiny.

Few Star Trek episodes present an ethical crucible as layered as Requiem for Methuselah. In this episode, the Enterprise crew, seeking an urgently needed medical cure for a deadly illness sweeping the ship, beams down to a remote, seemingly uninhabited planet. There, they meet the enigmatic Flint, a man who turns out to be immortal, having lived for over 6,000 years under various identities, from Methuselah to Da Vinci. Flint lives with Rayna, a beautiful, brilliant young woman who, as the crew later learns, is not human but an android he has created.

The story unfolds into a complex web of secrecy, autonomy, manipulation, and unintended consequences, a rich territory for ethical reflection. From this episode, we can draw five business ethics lessons directly applicable to today’s corporate compliance environment.

Lesson 1: Transparency Is Essential to Trust

Illustrated By: Flint initially hides critical facts from Kirk, Spock, and McCoy: his true identity, the fact that Rayna is an android, and the location of the life-saving mineral ryetalyn they came to obtain. His secrecy stems from a desire to control the situation, but it breeds mistrust and escalating tension.

Ethics Lesson. In business, withholding material information, even with ostensibly good intentions, undermines trust—stakeholders, whether employees, customers, or regulators, expect honesty. Concealing facts creates suspicion, damages credibility, and can lead to decisions made on false assumptions. A compliance culture grounded in transparency prevents misunderstandings and reinforces stakeholder confidence.

What should you do?

  • Communicate openly about relevant facts, especially those impacting health, safety, or financial stability.
  • Establish disclosure protocols for potential conflicts of interest.
  • Recognize that partial truths can be as damaging as outright falsehoods.

Lesson 2: Autonomy Must Be Respected, Even with Good Intentions

Illustrated by Flint, Rayna was designed to be his companion, controlling her environment and limiting her exposure to the outside world. He claims to be protecting her, but in doing so, denies her agency. When she begins to form independent thoughts and feelings, particularly toward Kirk, Flint’s inability to let go leads to tragedy.

Ethics Lesson. Corporations sometimes restrict employee autonomy under the guise of protection, micromanaging, withholding career opportunities, or blocking external engagement. Even if the motive is to “protect” the employee or company, the result can stifle growth and foster resentment. Ethical leadership means equipping people to act responsibly, not controlling every move they make.

What should you do?

  • Empower individuals to make informed choices within ethical boundaries.
  • Provide access to opportunities and resources without paternalistic gatekeeping.
  • Respect the right of employees to voice concerns and explore options.

Lesson 3: Ends Do Not Justify the Means

Illustrated By: Flint’s primary objective, immortality, has allowed him to amass vast knowledge and wealth. Yet to achieve his goals in this episode, he manipulates the Enterprise crew, withholds the cure they need until his conditions are met, and engineers circumstances to force emotional outcomes for Rayna.

Ethics Lesson. In business, leaders may justify cutting corners or bending rules to achieve short-term results, winning a contract, securing market share, or hitting quarterly targets. But compromising ethics for results can cause long-term damage far outweighing the immediate gain. A sustainable corporate culture is built on the principle that ethical processes matter as much as business goals.

What should you do?

  • Evaluate not just what you achieve, but how you achieve it.
  • Build decision-making frameworks that weigh both outcomes and methods.
  • Reinforce that compliance and ethics are integral to success, not obstacles to it.

Lesson 4: Emotional Intelligence Is Critical in Ethical Decision-Making

Illustrated By: Kirk’s growing attachment to Rayna closes his eyes to the urgency of his mission. McCoy warns him about becoming too emotionally involved, but Kirk underestimates the impact on his judgment. Flint, likewise, fails to foresee that forcing Rayna to choose between him and Kirk will overwhelm her, leading to her breakdown.

Ethics Lesson. In corporate environments, emotions, whether loyalty, rivalry, or fear, can cloud ethical judgment. Leaders may overlook red flags, delay action, or make decisions based on personal feelings rather than principles. Ethical clarity often requires stepping back and separating personal attachment from professional responsibility.

What should you do?

  • Train leaders to recognize when emotions may be influencing decisions.
  • Encourage second opinions and peer review in high-stakes decisions.
  • Create safe spaces for voicing concerns about potential bias.

Lesson 5: Ethical Leadership Includes Considering Long-Term Impact

Illustrated By: Flint’s immortality has given him a unique long view of history, but in this episode, he fails to account for the long-term consequences of his actions toward Rayna and the Enterprise crew. His choices have immediate, tragic outcomes and lasting emotional scars.

Ethics Lesson. Businesses that focus solely on short-term gains, without assessing long-term impacts, risk harming their reputation, eroding stakeholder trust, and creating systemic problems. Ethical leaders anticipate not just the next quarter, but the next decade. Considering long-term consequences ensures ethical decisions hold up under the scrutiny of time.

What should you do?

  • Incorporate long-term risk and ethical impact into strategic planning.
  • Assess how today’s decisions will be perceived by future employees, customers, and regulators.
  • Prioritize sustainability, both in environmental and cultural terms.

Why “Requiem for Methuselah” Matters for Business Ethics

The drama in Requiem for Methuselah is driven not by alien threats or galactic battles, but by human (and android) ethical dilemmas: secrecy, autonomy, manipulation, emotional entanglement, and shortsightedness. These are the same challenges corporate leaders face when navigating business ethics in the modern era.

An ethical corporate culture:

  • Practices transparency to build trust.
  • Respects the autonomy of individuals.
  • Rejects “ends justify the means” thinking.
  • Recognizes and manages the role of emotions in decision-making.
  • Considers the long-term legacy of choices made today.

The compliance department is not just a rules enforcer. According to the DOJ, it is the ethics steward of the organization, ensuring that decisions at every level meet both legal and moral standards.

Final ComplianceLog Reflections

Requiem for Methuselah is ultimately a cautionary tale about the cost of ethical missteps, even for someone with the wisdom of centuries. Flint’s intellect and resources could not compensate for a failure to act with transparency, respect, and foresight.

For today’s corporate leaders, the lesson is simple: ethical decision-making is not a luxury—it is the foundation of sustainable success. The compliance function’s role is to embed these values so deeply into the corporate DNA that they guide every choice, from the boardroom to the front line.

Resources:

⁠⁠Excruciatingly Detailed Plot Summary by Eric W. Weisstein⁠⁠

⁠⁠MissionLogPodcast.com⁠⁠

⁠⁠Memory Alpha

Categories
Blog

Cross-Atlantic Fraud & Corruption Enforcement: Intersections and Divergences

In today’s dynamic compliance landscape, navigating the complexities of international corporate wrongdoing requires vigilance, foresight, and strategic action, as highlighted in A recent article entitled “Cross-Atlantic Impact: DOJ and SFO Self-Reporting and Enforcement Priorities,” by lawyers from McDermott, Will & Schulte. The article is an excellent review of areas where the fight against fraud and corruption aligns between the two countries and areas where they diverge. Today, I will review the article and consider what it means for the US company doing business in the UK or with UK companies.

The Serious Fraud Office (SFO) in the United Kingdom has made clear its expectations regarding self-reporting corporate misconduct, mainly aligning in philosophy, if not always in exact details, with its U.S. counterpart, the Department of Justice (DOJ). American companies must understand these nuances and adapt their compliance programs accordingly. Here are five critical reasons why U.S. businesses must closely monitor and adhere to the UK’s evolving fraud and bribery enforcement regime.

Prompt Self-Reporting Weighs Heavily in Favor of DPAs

The SFO guidance unequivocally states that companies demonstrating prompt self-reporting of corporate wrongdoing significantly increase their chances of obtaining a Deferred Prosecution Agreement (DPA). Conversely, any delay in self-reporting suspected wrongdoing “within a reasonable time of it coming to light” adversely impacts the company’s standing with the SFO.

Much like the DOJ, the SFO does not insist on complete internal investigations before self-reporting. Indeed, in many ways, both sets of prosecutors want companies to step forward as soon as possible. The degree of the inquiry expected depends on the clarity and strength of evidence. Where evidence indicates wrongdoing, companies are expected to self-report swiftly. Ambiguities may permit a more extensive preliminary investigation, but American companies should note that delays can risk losing the advantages offered by early disclosure.

Jurisdictional Triggers Demand Simultaneous Reporting

For American companies dealing with potential misconduct spanning jurisdictions, awareness and agility become paramount. According to SFO guidance, companies reporting suspected misconduct to another agency, such as the DOJ, should also inform the SFO simultaneously or immediately thereafter. Failure to do so negates any potential credit for self-reporting.

Consider a scenario where a company seeks a declination from the DOJ through prompt self-disclosure. Identifying a UK jurisdictional nexus, such as conduct occurring partly in the UK or financial impact felt within the UK, is crucial. The UK’s “failure to prevent bribery” and new “failure to prevent fraud” offenses can impose liability based on international conduct linked to a business presence or financial repercussions in the UK. Understanding and navigating these jurisdictional nuances quickly is imperative to safeguard against regulatory pitfalls and secure favorable treatment.

Increasingly Aggressive Fraud Enforcement

Fraud has emerged as a prominent enforcement priority for both the DOJ and SFO. American companies should pay particular attention to the UK’s new “failure to prevent fraud” (FTPF) offense, effective from September 1, 2025. This robust enforcement tool targets UK and non-UK entities whose associates engage in fraudulent conduct impacting UK interests.

American companies operating internationally must proactively establish “reasonable fraud prevention procedures” to counteract potential liability under this legislation. The urgency conveyed by the SFO, highlighted by senior officials expressing eagerness to utilize these new powers aggressively, cannot be overstated. Companies that neglect preparation risk being among the first prosecuted examples of this powerful legislation.

Coordination Between DOJ and SFO Enhances Risk Exposure

With the DOJ emphasizing fraud in areas affecting U.S. interests, ranging from healthcare and procurement fraud to investment scams, there is considerable overlap with misconduct addressed by the UK’s FTP fraud offense. The authors note that the US Supreme Court held in Kousisis v. United States that a defendant may be convicted of wire fraud for inducing a victim to enter a contract under material pretenses, even if there was no economic loss to the victim. This ruling may allow US prosecutors to pursue a broader range of fraud cases.”

A cross-jurisdictional approach is therefore essential. American companies uncovering fraud that victimizes both U.S. and UK entities or markets must carefully assess reporting obligations to both jurisdictions. The simultaneous or nearly simultaneous reporting requirements heighten the stakes and complexity, demanding robust internal mechanisms for rapid assessment and disclosure.

Continuing Vigorous Anti-Bribery Efforts Globally

Despite temporary uncertainties in the DOJ’s stance toward anti-bribery enforcement, global initiatives indicate relentless international focus. The SFO has intensified anti-bribery efforts through initiatives like the International Anti-Corruption Prosecutorial Taskforce, collaborating closely with French and Swiss authorities. The SFO’s involvement in the International Anti-Corruption Coordination Centre (IACCC) further underscores its commitment. The authors report that “the IACCC aims to facilitate international cooperation on ‘grand corruption’ investigations, including concerning intelligence and evidence gathering.”

In addition to the IACCC, “In March 2025, the SFO established an ‘International Anti-Corruption Prosecutorial Taskforce’ with the French Parquet National Financier (PNF) and the Office of the Attorney General of Switzerland (OAG) (Taskforce). Through the Taskforce, the SFO, PNF, and OAG commit to strengthening their existing cooperation and collaborating to deploy their wide-reaching anti-bribery legislation to prosecute overseas conduct.”

The DOJ’s recent reaffirmation of anti-bribery efforts through its White-Collar Enforcement Plan, highlighting bribery and money laundering harming U.S. interests, may complement these international initiatives. American companies must remain vigilant regarding potential liabilities under both the FCPA and the UK Bribery Act, carefully calibrating their compliance programs to meet rigorous enforcement expectations across jurisdictions.

Practical Steps for American Companies

Given these compelling reasons to pay close attention to the SFO guidance and evolving UK legislation, American companies must take proactive steps to fortify their compliance efforts:

  • Enhance Internal Controls: Companies must quickly develop comprehensive “reasonable fraud prevention procedures,” supported by thorough risk assessments and regularly updated policies.
  • Cross-Jurisdictional Risk Assessments: Implement rigorous processes for promptly assessing jurisdictional ties when misconduct emerges, allowing immediate and coordinated reporting where necessary.
  • Integrated Compliance Training: Ensure global compliance teams, legal counsel, and executive management understand SFO and DOJ expectations clearly, fostering prompt, informed responses.
  • Monitoring International Developments: Maintain continuous awareness of evolving enforcement policies and initiatives, particularly regarding fraud and bribery, to swiftly adapt compliance programs accordingly.
  • Preparedness and Responsiveness: Establish clear protocols for internal investigations and self-reporting decisions, emphasizing speed and comprehensiveness to maximize potential cooperation credit.

Conclusion

Navigating the intricate and often intersecting expectations of the SFO and DOJ presents ongoing challenges for American companies. However, understanding the strategic implications of prompt self-reporting, jurisdictional coordination, aggressive fraud enforcement, international collaboration, and robust anti-bribery efforts is vital.

Proactive compliance management, aligned closely with evolving international regulatory landscapes, is not merely advisable but something that every multinational needs to put in place. American corporations should approach compliance with the understanding that today’s oversight environment demands swift and strategic decision-making to mitigate risks effectively and position themselves favorably in the face of potential regulatory scrutiny.

Categories
FCPA Compliance Report

FCPA Compliance Report – 10 Core Principles for Effective Internal Investigations with Michelle Peirce

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Michelle Peirce from Hinckley Allen, where she co-chairs the White Collar and Government Enforcement Group.

They take a deep dive into Michelle’s article on the 10 Core Principles Common to Internal Investigations, discussing topics such as the importance of understanding the investigation’s purpose, maintaining privilege, the role of an engagement letter, deciding between written reports and verbal summaries, and the significance of billing and internal communications. Michelle also shares her insights from her professional background, including her experience as a special assistant district attorney, and touches on current pressures on compliance tied to self-disclosure to the DOJ. The conversation offers a comprehensive guide for organizations on conducting successful internal investigations.

Key highlights:

  • Role and Challenges in Internal Investigations
  • Core Principles of Internal Investigations
  • Importance of Privilege and Engagement Letters
  • Written vs. Verbal Reports
  • Order and Structure of Investigations
  • Professionalism and Billing in Investigations

Resources:

Michelle Peirce on LinkedIn

Michelle Peirce at Hinckley Allen

10 Core Principles Common to Internal Investigations

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in compliance programs, my new book is Upping Your Game. You can purchase a copy of the book on Amazon.com.