
10 For 10: Top Compliance Stories For the Week Ending February 15, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings the compliance professional the compliance stories you need to know to end your busy week. Sit back, and in 10 minutes, hear the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • SEC looks to muzzle shareholders. (WSJ)
  • Was Shell scammed on oil cleanup? (BBC)
  • Acting US Attorney for SDNY quits over Trump interference. (NYT)
  • CFIUS enforcement is likely to continue under Trump. (Reuters)
  • US drops again on TI-CPI. (WaPo)
  • Mike Madigan was found guilty. (Law360) sub req’d
  • A green light for corruption. (FT)
  • CFPB ordered all work to be stopped ‘immediately’. (NYT)
  • Musk is now making referrals to the US Attorney. (Reuters)
  • McKinsey asks if China is too risky. (Bloomberg)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.



Everything Compliance: Episode 150, The Musk On Edition

Welcome to this edition of the award-winning Everything Compliance. In this episode, Matt Kelly, Jonathan Armstrong, Jonathan Marks, Karen Woody, and Karen Moore join the full gang to examine various issues for compliance professionals under the incoming administration.

  1. Jonathan Armstrong looks at the car crash coming for DeepSeek in the EU. He shouts out to Peter Mandelson, the new UK Ambassador to the United States.
  2. Karen Moore looks at the reframing of DEI. She shouts out about the film on September 5.
  3. Matt Kelly considers the Bondi Memo on changes in DOJ enforcement focus and mentions Alexei Navalny’s memoir.
  4. Karen Woody examines the new SEC Crypto Taskforce and mentions the award-winning play Hadestown.
  5. Jonathan Marks provides a tutorial on the role of internal audit on export controls. He also shouts out to his hometown team, the Philadelphia Eagles (now the Super Bowl-winning Philadelphia Eagles).
  6. Tom Fox shouts out to (conspiracy) Bill Simmons for opining that the Dallas Mavericks’ trade of Luka Doncic was a ploy to force the state of Texas to allow gambling in that state.

The members of Everything Compliance are:

The host, producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.


The Rising Tide of CCO and CISO Liability

The issue of personal liability for Chief Compliance Officers (CCOs) and Chief Information Security Officers (CISOs) is not new, but as we move into 2025, it is becoming an increasingly pressing concern. The regulatory environment is evolving, and enforcement trends indicate a growing willingness among prosecutors to target individual executives. The cases of Joe Sullivan, Carlos Abarca, and Tim Brown highlight critical lessons for compliance professionals. These cases—and the broader regulatory framework—underscore the importance of proactive risk management, clear governance structures, and a strong compliance culture. Jonathan Armstrong and I explored these cases, their issues, and the lessons learned from them in a recent episode of the award-winning podcast Life with GDPR.

Personal Liability: A Trend That’s Here to Stay

The SEC has long embraced the idea of holding individuals accountable for corporate misconduct. The rationale is simple: corporations may treat fines as a cost of doing business, while individual prosecutions create a stronger deterrent effect. This approach is particularly evident in cybersecurity failures, data breaches, and financial misrepresentation. Indeed, former SEC Director of Enforcement Gurbir Grewal, in a speech to the New York City Association Compliance Institute in 2023, said that there were “three situations where the Commission typically brings enforcement actions against compliance personnel.” These three are:

  1. Where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
  2. Where they misled regulators; and
  3. Where there was a wholesale failure to carry out their compliance responsibilities.

The question facing compliance professionals is no longer whether they could be held personally liable but how to mitigate that risk. We then turned to three key individual cases to see what lessons might be drawn.

Case Studies in Individual Accountability

  • Joe Sullivan and the Uber Case

Joe Sullivan, a former federal prosecutor and Uber’s CISO, was convicted for his role in covering up a data breach. When hackers exploited Uber’s system, Sullivan arranged a $100,000 payment through Uber’s bug bounty program, framing it as a legitimate transaction rather than a ransom payment. The prosecutors argued that he misled regulators and obstructed justice. Though Sullivan avoided prison and received a sentence of three years’ probation, the judge made clear that future cases might not be met with such leniency. The lesson here? Transparency is non-negotiable. Attempting to manage a breach in secret, even with good intentions, can result in severe personal consequences.

  • Carlos Abarca and the TSB Bank Migration Failure

Carlos Abarca, former CIO of TSB Bank, oversaw an IT migration project that ultimately failed, leading to widespread customer service outages. During board meetings, Abarca assured directors that the project was on track. However, regulators scrutinized his statements when the migration went awry due to supplier failures. He was fined nearly $100,000, with investigators even citing his LinkedIn profile, where he described himself as an expert in change management. The key takeaway? CCOs and CISOs must ensure that their public and internal statements accurately reflect organizational realities. Overstating capabilities—or underreporting risks—can become evidence of liability.

  • Tim Brown and the SolarWinds SEC Action

Tim Brown, SolarWinds’ CISO, faced SEC charges for allegedly misleading investors about the company’s cybersecurity posture. The SEC contended that Brown downplayed known security risks, making generic statements such as “we could be attacked” while failing to disclose specific vulnerabilities that were internally documented. Though these charges were eventually dismissed, the case highlighted the increasing role of securities regulators in policing cybersecurity disclosures. For compliance professionals, this underscores the importance of precise, fact-based reporting. Vague assurances will not suffice when regulators uncover internal evidence of known risks.

Regulatory and Legislative Trends: A Tougher Landscape Ahead

The move toward personal liability is not just a U.S. phenomenon. The EU’s Digital Operational Resilience Act (DORA), the Cyber Resilience Act, and similar regulations introduce new accountability mechanisms for compliance and security professionals. These laws emphasize:

  1. Personal responsibility for cybersecurity and compliance failures
  2. Heightened reporting obligations for executives
  3. Potential fines and bans from holding future positions

Furthermore, changes in corporate listing rules, especially regarding cybersecurity disclosures, suggest that more CCOs and CISOs will be in the regulatory crosshairs. With shareholder lawsuits also on the rise, particularly in the U.S., individuals may face government enforcement and private litigation.

Mitigating Personal Risk: What Compliance Officers Can Do

Given these trends, compliance professionals must take proactive steps to protect themselves. We reviewed the following steps a CCO/CISO could take.

  • Due Diligence Before Accepting a Role

If you are considering a new compliance or security leadership position, conduct thorough due diligence on the organization:

  1. Investigate past compliance failures or regulatory issues.
  2. Assess the board’s composition and governance practices.
  3. Evaluate the company’s historical commitment to compliance and cybersecurity.

A company with a poor compliance track record or a weak board structure may pose significant personal risks.

  • Clarify Your Role and Responsibilities

Clearly define your job responsibilities, ensuring that you supervise compliance rather than solely being responsible for it. A well-drafted job description should:

  1. Specify oversight responsibilities rather than direct operational duties.
  2. Ensure a direct reporting line to senior leadership or the board.
  3. Include indemnification clauses in cases of legal action.

  • Secure Adequate D&O Insurance

Directors and Officers (D&O) insurance is a critical safeguard. Compliance professionals should:

  1. Confirm that D&O insurance covers regulatory and enforcement actions.
  2. Negotiate for personal indemnification clauses in employment contracts.
  3. Ensure coverage is broad enough to include cybersecurity incidents and regulatory fines.

  • Strengthen Internal Reporting and Documentation

Proper documentation is one of the best defenses against liability.

  1. Ensure board minutes accurately reflect discussions about compliance and risk.
  2. Maintain records of risk assessments and mitigation efforts.
  3. Encourage formal reporting mechanisms rather than informal communications.

  • Be Cautious with Communications

Emails and internal memos can become evidence in investigations. Best practices include:

  1. Avoid speculative discussions about compliance risks.
  2. Stick to factual reporting and avoid overly optimistic statements.
  3. Encourage employees to use formal reporting channels rather than casual email exchanges.

Looking Ahead: What to Expect in 2025

As regulatory scrutiny increases, compliance and security professionals must remain vigilant. We can expect:

  1. More enforcement actions targeting individuals rather than just corporations.
  2. Greater regulatory focus on cybersecurity disclosures in public filings.
  3. Stronger whistleblower protections, increasing the likelihood of internal reports leading to investigations.
  4. Continued expansion of liability under new European and U.S. regulations.

The era of heightened personal liability for compliance and security executives is here to stay. The best defense is a strong offense: conducting due diligence before taking a role, clearly defining responsibilities, securing proper insurance, maintaining meticulous documentation, and ensuring precise internal and external reporting. In this new environment, compliance professionals must safeguard not only their companies but also themselves.


10 For 10: Top Compliance Stories For the Week Ending February 8, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings the compliance professional the compliance stories you need to know to end your busy week. Sit back, and in 10 minutes, hear the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Fay Vincent warned MLB of the corruption from gambling. (NYT)
  • Do we need eyes on compliance gatekeepers? (The Regulatory Review)
  • MLB fires ump for shared betting accounts. (ESPN)
  • WVU replaces DEI with “Dept. of Engagement and Compliance”. (12WBOY)
  • Will Trump DOJ drop corruption charges against NYC Mayor? (Reuters)
  • Shien IPO runs into Uyghur issues. (Reuters)
  • Top SEC crypto lawyer reassigned to IT. (WSJ)
  • Pam Bondi confirmed as new AG. (Bloomberg)
  • Bondi cuts back on FCPA enforcement. (Radical Compliance)
  • Is the Rooney Rule still legal? (Bloomberg)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

You can check out the Daily Compliance News, which features four curated compliance and ethics stories each day here.



Daily Compliance News: February 6, 2025, The Reassigned to IT Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • When employees smuggle AI into the workplace. (BBC)
  • Shein IPO runs into Uyghur issues. (Reuters)
  • Top SEC crypto lawyer reassigned to IT. (WSJ)
  • Pam Bondi confirmed as new AG. (Bloomberg)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out The FCPA Survival Guide on Amazon.com.


A Road Trip on the Crypto Regulatory Landscape: A Guide for Compliance and the Board of Directors

Securities and Exchange Commission (SEC) Commissioner Hester Peirce recently announced a ‘crypto road trip’ for the SEC and crypto industry. This trip includes a newly announced Crypto Task Force at the SEC, and she said it will “be more enjoyable and less risky than the crypto road trip the Commission has taken the industry on for the last decade.” She said, “On that last trip, the Commission refused to use regulatory tools at its disposal and incessantly slammed on the enforcement brakes as it lurched along a meandering route with a destination not discernible to anyone.”

Much like past road trips, the journey of crypto regulation has been unpredictable and challenging. In previous years, the SEC has navigated the crypto industry hesitantly, relying heavily on enforcement rather than clear regulatory guidance. However, with the introduction of the SEC’s Crypto Task Force, there is now an opportunity to develop a more structured, transparent, and effective regulatory framework.

Imagine you are a Chief Compliance Officer and get a call from the head of the Board of Directors’ Compliance Committee. They ask you what the company should do to prepare for this new ‘road trip.’ This blog post will provide an overview of the key regulatory challenges, risks, and strategic considerations that a Board of Directors should know as they oversee their organizations’ engagement with the evolving crypto landscape.

Where Did the Journey Start?

Since 2013, when the first bitcoin exchange-traded product application was filed, the SEC has approached crypto with a mix of enforcement actions, limited no-action letters, and ambiguous guidance. This has left many market participants uncertain about compliance requirements and legal risks. Key regulatory concerns include:

  • Legal Uncertainty: Ambiguities in applying securities laws, particularly through the Howey test, have created confusion regarding classifying crypto assets.
  • Enforcement-Driven Approach: Many regulatory decisions have been reactive, leading to litigation, stalled rulemaking, and business operational uncertainty.
  • Market Integrity and Fraud Prevention: The SEC remains committed to protecting investors by cracking down on fraudsters while balancing innovation.
  • Jurisdictional Overlap: The interplay between various regulatory agencies, such as the SEC, CFTC, and global regulators, adds complexity to compliance efforts.

The Crypto Task Force’s Objectives

The newly established Crypto Task Force is focused on developing a framework that:

  1. Defines the Security Status of Crypto Assets – Clarifying when digital assets fall under securities regulations.
  2. Creates a More Predictable Regulatory Environment – Establishing structured compliance requirements to guide businesses.
  3. Facilitates Responsible Market Innovation – Allowing for industry growth while protecting investors from fraud and abuse.
  4. Enhances Inter-Agency and Global Coordination – Ensuring crypto regulation is consistent across jurisdictions.
  5. Supports Transparent and Efficient Markets – Addressing market manipulation, custody solutions, and exchange-traded products.

Key Considerations for Boards

Corporate boards must take a proactive approach to navigating this changing landscape. Some critical areas of focus include:

  • Regulatory Compliance Readiness: Ensuring the organization has the necessary policies and procedures to comply with evolving crypto regulations.
  • Risk Management Strategies: Identifying the legal, financial, and reputational risks of crypto investments and transactions.
  • Engagement with Regulators: Encouraging dialogue with regulatory bodies to stay ahead of compliance expectations and contribute to policy discussions.
  • Governance and Oversight: Establishing clear accountability for crypto-related initiatives within the organization.
  • Investor and Stakeholder Communications: Being transparent with investors about how regulatory developments may impact business strategy.

Preparing for the Road Ahead

As regulatory clarity emerges, organizations should take the following steps:

  1. Monitor Regulatory Developments – Stay informed about SEC, CFTC, and international regulatory body updates.
  2. Develop a Compliance Framework – Implement internal controls that align with anticipated regulatory requirements.
  3. Assess Crypto Engagement Strategies – Determine how the organization should engage with crypto markets while balancing innovation and compliance.
  4. Educate Leadership and Stakeholders – Ensure board members, executives, and investors understand the regulatory landscape.
  5. Stay Agile – Be prepared to adjust business models as new rules and enforcement priorities take shape.

What about Compliance?

For good measure, you should add your thoughts about the role of compliance in this road trip for the new crypto regulatory paradigm. With greater regulatory scrutiny and the increasing use of technology in compliance, companies have an opportunity to bring structure and clarity to their compliance programs. But like any journey, knowing the destination is crucial, and so is staying aware of the risks and opportunities along the way.

Setting the GPS: The Role of a Strong Compliance Program

An effective compliance program is like a well-planned road trip; it ensures the organization stays on the right path while avoiding unnecessary detours. A well-designed compliance framework should focus on:

  1. Clear Regulatory Understanding – Organizations must stay informed about evolving laws and regulations that impact their industry. Regular monitoring and interpretation of compliance requirements are critical.
  2. Proactive Risk Management – It is key to identify and mitigate risks before they become major issues. Companies should implement risk assessments and compliance audits to maintain regulatory integrity.
  3. Robust Internal Controls – Just as road safety measures protect travelers, strong internal controls help businesses prevent fraud, misconduct, and regulatory violations.
  4. Employee Training and Awareness – Employees are the front line of compliance. Regular training ensures they understand policies and procedures and recognize compliance risks.
  5. Collaboration with Regulators and Industry Groups – Engaging with regulatory bodies and participating in industry discussions can help shape best practices and ensure a more transparent regulatory environment.

Pit Stops and Road Hazards: Compliance Challenges

For corporate leaders and compliance professionals, regulatory changes present opportunities and challenges. Some key takeaways include:

  • Different Compliance Requirements – Companies should expect increasing oversight and enforcement, requiring them to enhance their compliance efforts.
  • No Blanket Approval from the SEC – Just because an organization adheres to compliance regulations does not mean it is immune to scrutiny. Continuous improvement and adaptation are necessary.
  • A Shift Toward Proactive Compliance – Businesses should focus on building compliance into their operations from the start rather than waiting for enforcement actions.
  • Industry Engagement is Essential – Businesses that engage with regulators and industry peers can better anticipate regulatory trends and shape policy.

The SEC’s approach to crypto regulation is shifting from reactive enforcement to proactive rulemaking. While uncertainty remains, establishing the Crypto Task Force is a step toward greater clarity. Board members must stay informed and strategically align their organizations to navigate regulatory challenges while capitalizing on crypto innovation opportunities.

The road ahead requires vigilance, adaptability, and strong governance. Businesses can thrive in the evolving crypto regulatory environment by taking a proactive stance.


Great Women in Compliance – GWIC X Everything Compliance

Welcome to the Great Women in Compliance podcast on the Compliance Podcast Network, sponsored by Corporate Compliance Insights. Today’s episode is a special episode cross-posted with Everything Compliance.

In this episode, host Kristy Grant-Hart joins Everything Compliance panelists Karen Moore and Karen Woody to team up with the Great Women in Compliance regulars Hemma Lomax and Lisa Fine to dissect current issues in the compliance landscape. They look into the implications of the U.S. Constitution’s 10th Amendment on state rights amidst federal executive action, affecting data privacy and ESG regulations. The panel also explores the shifting terrain of DEI programs under recent executive orders, shedding light on both opportunities and challenges for compliance officers in advocating for ethical practices and maintaining organizational morale during these turbulent times, considering the role of the SEC going forward and the current chaos coming out of Washington. The episode concludes with their signature rants and raves, highlighting frustrations and positive notes from the compliance field.

  • Karen Woody on change to require SEC Commission approval to launch investigations.
  • Karen Moore on the importance of the 10th
  • Lisa Fine on morale, destruction, and confusion.
  • Hemma Lomax on change management and employee engagement.
  • Rants and Raves

You can join the LinkedIn podcast community or the Great Women in Compliance podcast community here.


31 Days to a More Effective Compliance Program: Day 24 – Internal Reporting and Triage

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days of the series in January 2025, Tom Fox will post a key part of a best practices compliance program daily. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6–8 minutes, and will include three key takeaways you can implement at little or no cost to help update your compliance program. I hope you will join us each day in January for this exploration of best practices in compliance.

On Day 24, we look into the critical internal reporting process and triaging of FCPA claims. As the CCO, you will oversee the initial steps when suspicious activities are reported. Jonathan Marks’ five-step process on early assessment of incoming information is explored, providing a structured approach for evaluating the severity of allegations from low-threat level to crisis management mode. Moreover, this episode emphasizes the necessity of effective hotlines, trained managers, and a culture of listening to employees to foster a safe reporting environment. Key takeaways include the DOJ and SEC’s emphasis on internal reporting lines, regularly testing hotlines, and the triage of claims to ensure appropriate investigation levels.

Key highlights:

  • Guidelines for Effective Compliance Programs
  • Jonathan Marks’ Five-Step Process for Early Assessment
  • Key Takeaways

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.


Daily Compliance News: January 16, 2025 – The SEC Sues Musk (Again) Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • What is forced labor? (BBC)
  • Is China aiming to sell TikTok to Musk? (NYT)
  • KPMG will open a US law firm in AZ. (Reuters)
  • SEC sues Elon Musk yet again, this time over Twitter purchase. (Bloomberg)

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out The FCPA Survival Guide on Amazon.com.


Classroom Insiders, Season 2 – US v. Chow and the Personal Benefit Test

Welcome to Season 2 of Classroom Insiders, a podcast with Professor Karen Woody and her Insider Trading Seminar students from Washington and Lee University. They explore the arc and evolution of insider trading over the last century. Each episode will feature a discussion between Karen Woody and students about insider trading and regulation. Find out what the future lawyers of the university think about past and current legislation and learn more about this fascinating area of law.

In this episode of Classroom Insiders, Professor Karen Woody and law students Alex Hudson and Alon Gokovski review the insider trading case of United States v. Chow and its impact on the Personal Benefit Test. Their discussion sheds light on the sensational facts of this case, including secret code words, live lobsters, and jars of honey, all used in a complex tippers-and-tippees scheme. The episode also examines the legal intricacies of the personal benefit test and its broader implications in insider trading law. The students discuss the trial, the appeal, and the ultimate impact of this case on the interpretation of insider trading laws. Insights are shared on the US Attorney’s crackdown during this period, the discrepancies in sentencing, and where the law stands today post-United States v. Chow and subsequent cases.

Key highlights:

  • Meet the Students: Alex and Alon
  • Introducing the Case: United States v. Chow
  • Understanding Insider Trading Law
  • The Sensational Details of the Chow Case
  • Trial and Sentencing of Winifred Chow
  • Appeal and Legal Implications
  • Final Thoughts and Broader Implications

Resources:

Washington and Lee School of Law

Professor Karen Woody