A Look Back: Top Stories of 2023

At the risk of giving everybody PTSD flashbacks and in no particular order, these are the top regulatory, corporate integrity and risk management stories of the past 12 months, voted by CCI’s editors and industry experts.

Jump ahead to topic:

Corporate Transparency Act sneaks up on everyone

Coming into law as part of a massive defense authorization bill in 2020, the Corporate Transparency Act has been billed as the most significant reform to U.S. anti-money laundering laws in a generation. Too bad most companies covered by the law have never heard of it.

Despite having a couple of years to get ready to report their beneficial ownership information to the federal government and FinCEN (the Treasury Department agency to which businesses will report) offering guidance on how to do so, a Wolters Kluwer survey in October found that awareness of the new obligations was extremely low. So low, in fact, that about 75% of respondents whose companies will have to report this information were made aware of the requirement only by being asked about it for the survey.

“There was some wishful thinking that Congress would intervene and either repeal the CTA or delay its effective date,” said B. Riney Green, a member at Nashville law firm Bass, Berry & Sims. “And FinCEN didn’t provide practical explanatory guidance until September 2023, although the law was enacted in late 2020.”

Larry Laubach, co-chairman of Philadelphia law firm Cozen O’Connor’s corporate practice group, also blames FinCEN for a poor PR job.

“Neither the federal government nor FinCEN has done a good job of publicizing the CTA,” Laubach said.

This year, we covered the law broadly, as well as exploring how it will affect various types of companies and industries:

FinCEN has estimated that 33 million companies will need to file ownership reports over the next 15 months, but observers agree the impact will not be equal across those 33 million reports. 

“For the average ‘mom and pop’ business with one or two owners, [reporting] will be a nuisance but not a hardship,” Green said. “However, for modest-sized companies with [$2 million to $5 million] of annual revenues and multiple owners, it could be a major headache. Those companies must not only disclose their 25% owners; they will also be required to subjectively determine if any key employees involved in the management of the business exercise ‘substantial control’ of the company. And not everyone will be excited to provide a copy of their driver’s license to the federal government, even though all the CTA filings are by law required to be non-public and confidential.”  

Indeed, fraudsters are already using CTA reporting as fodder for their schemes, with FinCEN issuing a warning that some companies have received fraudulent communications soliciting their beneficial ownership data. The agency notes on its website that it does not send unsolicited requests for information.

Complicating reporting matters for New York-based organizations is a bill that, though it remains in limbo, would create a publicly accessible database of beneficial owners of LLCs operating in the state.

“If the current text [of the bill] becomes effective, limited liability companies operating in New York would have to comply with both the CTA and the [New York LLC Transparency Act] with the downside that, because the two legislations are not perfectly aligned, the information collected to comply with one might not be the same as the information necessary to comply with the other,” Laubach said, adding that he’s heard rumblings of California considering a law similar to New York’s.

BACK TO TOP

AI is all anybody wants to talk about

While AI, machine learning and similar technologies ranked among our top stories last year, 2023 saw a surge in interest among compliance and risk professionals in the ways AI is being used in our industry and what’s on the horizon.

Much of what we reported was speculative — and for good reason, given that regulation of AI remains in its infancy around the world and use cases continue to evolve. But the general consensus seems to be that AI is likely to upend many aspects of the day-to-day life of compliance and risk practitioners, regardless of where the technology stands in the eyes of regulators.

In early December, the EU took the first major step toward comprehensive AI regulation, agreeing to the outlines of landmark rules that would, among other things, restrict some uses of facial recognition software and require human oversight in development and deployment of AI tools. Guidepost Solutions CEO Julie Myers Wood says while the positive aspects of the regulation are clear, including providing a risk-based framework and rules for AI use, the interim period before the rules go into effect could pose a problem on more than one front.

“Despite the fanfare, many provisions of the act won’t go into effect for two years … leaving plenty of time for AI advances to further leap ahead of the regulators,” Myers Wood said. “The act’s lead-in time is beneficial to give companies time to start working through compliance frameworks, but unfortunately also gives time for other jurisdictions to designate competing enforcement regimes and requirements.”

And while the U.S. has yet to adopt broad regulation, the Biden Administration has released an AI-focused executive order that places the burden on government agencies — for now.

“The Biden Administration’s recent executive order reveals the administration’s priorities with respect to AI enforcement,” Wood said. “It tasks an extensive number of agencies to develop and refine guardrails around various AI risks, with a particular focus on the most pressing security risks, such as biotechnology, cybersecurity, critical infrastructure and other national security dangers. The expectations of the government workforce are great, particularly in terms of the current government workforce’s ability to develop standards, assess models and enforce.”

Paola Zeni, chief privacy officer at RingCentral, believes that, as they have with data privacy, states may fill the gap in federal regulation, which could mean a repeat of the patchwork of laws currently in place across the country.

“To prepare for pending regulations, companies should adopt a strong governance by bringing together AI stakeholders, adopting policies around AI use, introducing AI risk assessments into vendor due diligence processes and adding information about AI to their terms and to customer collateral to ensure maximum transparency,” Zeni said.

Indeed, the advancing nature of AI, particularly generative AI, means companies’ actions are, by definition, ahead of regulation — or at least they should be.

“As AI continues to evolve and mature, its uses will be varied and will likely stretch into every corner of an enterprise, from assisting in employment decisions to building out new product lines to driving efficiencies,” Wood said. “Establishing at the outset a strong governance framework and enterprise risk appetite for the integration of AI technologies will be critical in ensuring that organizations approach AI in a thoughtful and considered manner as opposed to simply adopting AI on an ad hoc basis.”

EY’s Kris Pederson warns board members not to get distracted by a new toy, no matter how flashy AI is.

“AI is exciting, there is no doubt about that, and I believe it will be a major transformation driver — but I encourage boards not to get wrapped up in the shiny new technology without focusing on its linkage to a coherent longer-term strategy,” Pederson said. “Boards are in the best position to support management through the strategic application of AI by encouraging them to keep a focus on value and risk management, which is a critical role of the board.”

Generative AI, in particular, has become the topic du jour in all corners of the risk, compliance and governance industry, as it holds the potential to disrupt business in unpredictable ways. One way, says Schellman CEO Avani Desai, has been creating the need for a whole new department.

“Firms will need to offer AI-focused audits, measuring the company’s use of AI against existing frameworks, like Biden’s executive order,” Desai said. “‘AI auditor’ was not a title we needed a few years ago, but moving forward, I predict every firm will have a group of AI subject matter experts. The use of AI across all industries — and the potential risks it causes — mandates the need for these kinds of experts and offerings.”

But proper data governance will be the price of admission for using AI safely, says ActiveNav CTO Rich Hale.  

“GenerativeAI initiatives will garner increasing hands-on experience with AI hallucinations from poor data quality,” Hale said. “Meanwhile, driven by data privacy regulations, outside counsel will direct more stringent requirements for data stewardship across the matter lifecycle.”

And much of the responsibility for how to use AI responsibly will fall to chief compliance officers, says Learning Pool CEO Ben Betts.

“Specifically, CCOs must balance the risk vs. reward when it comes to GenAI and choose to trust the technology in areas that benefit the most — with the least risk,” Betts said. “For example, AI for translation offers a faster avenue to keeping compliance assets up to date — a task previously very time-consuming and costly to manage. For high-risk activity like compliance training, human oversight will remain necessary.”

We brought you extensive coverage of AI this year:

BACK TO TOP

ESG becomes a four-letter word

Few acronyms — maybe DOJ or SEC — garner as much coverage around here as ESG. The abbreviation (of course, standing for environment, social and governance) is seemingly ubiquitous in corporate America and, increasingly, it’s become a target of right-wing politicians who argue it amounts to “woke” capitalism.

ESG is far from a new concept, but the extreme backlash to the use of ESG factors by investors, funds and businesses reached a new, feverish level in 2023, as lawmakers in a dozen states passed laws attacking ESG principles and Republican presidential candidates made ESG a talking point in their stump speeches.

“The origin and meaning of ESG seems to be misunderstood,” said Baker Tilly risk advisory practice partner Mallory Thomas. “The purpose of ESG metrics is to really provide a means for evaluating companies on their environmental, social and governance performance, allowing investors to easily compare companies. Instead of thinking about ESG in terms of politics, I’d encourage thinking about it through the lens of investors.”

ESG’s underlying principles appear to be safely intact across the business environment, in the U.S. and abroad. Indeed, regulators in Europe and California implemented new climate accountability rules. And the SEC, originally expected to publish its own climate disclosure rules in October, appears poised to release them in April 2024, getting the federal agency on the same implementation schedule as the EU and California. 

“Even if national disclosures aren’t finalized for the U.S., many companies will still have to comply with the EU and California requirements,” Thomas said. “On the other hand, if U.S. rules are finalized, they’ll still be different from the EU’s frameworks. They’ll also provide a starting point surrounding discussions on substituting compliance, where the EU could let listed U.S. companies follow the SEC disclosure requirements instead of the CSRD, as suggested by [SEC Chairman Gary] Gensler in his recent comments about the climate disclosure.”

Despite the political and regulatory unease around climate disclosures and sustainability programs, companies seem to remain committed to their environmental objectives, which experts see as a continuing trend into 2024, though not without a possible shift in tone or approach.

“One message we continue to hear from boards loud and clear is that investors continue to engage companies on environmental and social issues that are material to the company’s business model,” EY’s Kris Pederson said. “Many use the ‘ESG’ acronym less frequently to be more specific and clearer in their communications, but where they believe environmental and social issues pose a material risk or create a material opportunity for the business, they engage companies to understand how those risks and opportunities are being managed.”

And the bottom line will continue to be the bottom line, Thomas believes.

ESG can also create value, reduce risk, and retain and attract talent. It can position businesses to innovate, align product preferences with consumers, and seize increased revenues or market share,” Thomas said. “As companies consider ESG, it’s important they evaluate the perspectives of their stakeholders — both internal and external — to inform their strategy. Do your core customers have ESG-related expectations of their vendors? Do your employees or prospective employees have ESG expectations? Does anyone in your supply chain have their own ESG requirements? Are there any ESG-related regulations you need to be aware of? Is your product or service at risk without ESG considerations or do you need to innovate or adjust your approach?”

Monitoring their supply chains for climate risk will be of particular importance, predicts Certa founder Jag Lamba.

“Companies will need to understand their carbon footprint and disclose their carbon emissions, particularly from their supply chain, which makes up 70% of a company’s carbon emissions,” Lamba said. “Suppliers that aren’t able to meet ESG requirements are going to have trouble finding companies who will work with them. Even smaller companies will need to have a very clear position on ESG; it will not just be a requirement for larger companies.”

A sampling of our ESG coverage this year follows:

BACK TO TOP

Geopolitical upheaval & US sanctions

The world’s attention turned to the Middle East after a Hamas terrorist attack and ongoing Israeli retaliation that has expanded into an invasion of Gaza. But unlike the ongoing Russia-Ukraine war, disagreements over which side to support — and whether to talk about the conflict at all — have many in Corporate America scratching their heads.

OFAC has imposed three rounds of sanctions targeting Hamas-affiliated individuals and entities since the Oct. 7 terrorist attacks in Israel, and it continues to levy sanctions targeting Russia’s military and international finance system.

The Russian sanctions have had a mixed effect, said Bass, Berry & Sims attorney Thad R. McBride.

“U.S. sanctions against Russia have been relatively successful primarily because restrictions generally have been imposed in coordination with allies, including Canada, the EU, the UK and others,” McBride said. “Too many countries continue to conduct business as usual with Russia to make the U.S. sanctions — and those of its allies — truly punishing to Russia’s economy. But the multilateral nature of the sanctions has nonetheless made them far more effective than in the all-too-often case in which the United States acts unilaterally.”

The impact of sanctions could be stronger with some reforms, says FirstAML co-founder Bion Bedhin.

“Sanctions are only as good as the application of them. In many places, the verification of beneficial ownership is not required, and a lot of sectors do very light applications (even when regulated),” Bedhin said. “So, if someone like Alisher Usmanov tried to launder money by buying property in the U.S. under his personal name, he’d be picked up as a sanctioned individual (if the real estate agency did decide to check his name). But unfortunately, he’s likely to have three shell companies owned by overseas entities to mask his ownership. If there is no requirement to check who the beneficial owners are, the application of sanctions on those individuals are essentially useless.”

Thankfully, Bedhin says, change is on the way in the UK.

“This is changing quite rapidly in the UK with the introduction of the Economic Crime Bill, lifting the powers of regulators for bigger fines for non-compliance. Because of this, we expect — and hope that — regulated sectors to start taking this much more seriously.”

As for changes wrought by the prolonged Russia-Ukraine war, international relations are on the list, McBride said.

“From a U.S. trade controls perspective, the most significant implication [of the war] has been the restrictions on business with Russia, which prior to the February 2022 invasion, was a large trading partner for U.S. companies,” McBride said. “While some trade is still permissible, many businesses have decided to halt all operations in or involving Russia. Even if some resolution to the current situation is reached, we would not expect Russia to be an attractive market for U.S. companies for some time.”

Our coverage of geopolitical developments and U.S. sanctions included:

BACK TO TOP

SEC & DOJ address messaging apps, whistleblowing & incentive programs

The SEC kept up its pressure on Wall Street’s use of ephemeral messaging apps and marketing rule failures and sweetened the pot for whistleblowers, including issuing its biggest-ever award to a single whistleblower this year. Meanwhile, the DOJ issued the first update to its “Evaluation of Corporate Compliance Programs” since 2020, which, among other things, offers new guidance on incentive programs.

Following a crackdown that saw 16 firms charged with record-keeping failures to the tune of $1.1 billion in 2022, the SEC fined another 11 firms nearly $300 million for failing to maintain electronic communications, such as ephemeral messaging platforms like WhatsApp.

“My advice to financial institutions is to not take the SEC’s crackdown as a threat to stamp out the use of messaging apps by their employees,” said Steven Spadaccini, chief technology officer at SafeGuard Cyber. “Messaging apps like WhatsApp, Telegram, Signal, Line, SMS, etc. and enterprise collaboration apps like Slack, Teams, Zoom and even social media platforms like LinkedIn are critical for business productivity and give organizations a competitive advantage. In this quest for gaining a competitive edge, it’s important to understand that when it comes to handling sensitive or regulated data, please handle it with care.”

The continued Wall Street crackdown came just a couple of months after the agency issued its largest-ever individual whistleblower award, almost $280 million. Meanwhile, the DOJ sought to reinforce the importance of incentivizing compliance culture within organizations in its “Evaluation of Corporate Compliance Program” update.

As podcaster and author Tom Fox wrote in March, “The first thing I would do as a CCO is go down the hall to speak with the head of human resources to get an understanding of how compensation is based and what factors of doing business ethically and in compliance are reviewed for both salary and discretionary bonus amounts. The same would hold true for promotion into both middle and senior management.”

StoneTurn partner Jonny Frank says the SEC’s record whistleblower settlement will further push companies to actively test their compliance programs for reporting gaps.

“Large whistleblower rewards contribute to a rising trend of employees and third parties reporting misconduct,” Frank said. “We regard this as a generational phenomenon and outgrowth of ESG. There are three long-term implications: proactive testing of compliance programs, self-disclosure and remediation. It used to be that companies did not proactively test their ethics and compliance programs, waiting instead for an incident to occur to test. Companies appreciate there is a greater likelihood that the government will learn about misconduct allegations, which will require them to defend their programs. Many companies now proactively test their compliance programs and controls to prepare for that eventuality.”

Other coverage of the agencies’ actions in this area included:

BACK TO TOP

SEC publishes new cybersecurity rules for public companies

In addition to enforcing existing regulations, the SEC finally published some new ones, as its long-awaited cybersecurity disclosure rules for public companies were finalized, requiring organizations to report “material cybersecurity incidents” within four days of determination of materiality, as well as information regarding the company’s cybersecurity risk management, strategy and governance practices.

Given the scope of these new requirements, experts predict that if it’s not already on their agendas, C-suite executives and board members will need to pay close attention to their companies’ cybersecurity posture.

“Decision-makers will be forced to create a holistic compliance environment that touches every piece of the organization,” said Hugh Barret, chief product officer at Telos Corp., a Virginia-based infosec provider. “Those who succeed will adopt compliance programs that simultaneously mitigate risk while contributing to the bottom line.”

The final rule was largely as expected, as it mirrored what the agency proposed. Changes included removal of a proposal for companies to disclosure the cybersecurity expertise of members of the board of directors. But Veracode CEO Sam King says that though they may not be required to have or disclose their cyber bona fides, board members and other top leaders should have a deep understanding of their organizations’ cyber status.

“Board members and corporate leaders don’t have to be technical experts, but we do need them to understand the critical risks posed to the business especially as they are increasingly reliant on technology and software to pursue their objectives,” King said. 

Michael Clark, S-RM’s U.S. head of advisory, believes the rules give companies adequate leeway to establish or enhance their cyber risk management processes but warns that it’s not just large, publicly traded enterprises that will be affected.

“Non-publicly traded companies will need to understand their business relationships — e.g., business partnerships, suppliers/vendors, technology service providers,” Clark said. “If the non-public company is a service provider, then they may find that their clients will have increased cyber risk management and incident reporting expectations for them.”

The new rules haven’t been met with universal applause, as business groups, including the U.S. Chamber of Commerce, have suggested they’ll be overly burdensome for companies. Igor Volovich, vice president of compliance strategy for cyber compliance firm Qmulos, says that the average large company shouldn’t be too heavily burdened if they’ve been minding the infosec store in the first place.

“While the business community’s concerns are valid, the reality is the SEC’s rule should neither be seen as a surprise or a burden,” Volovich said. “Companies, particularly public firms already subject to significant compliance requirements — provided they’ve been investing into their cybersecurity programs — should find the new rule an incremental step up from their existing regulatory obligations. On the other hand, those firms who have neglected both their security and compliance requirements or, worse yet, have found themselves at a significant difference between their historical compliance reporting and the true security and control maturity posture, will likely find themselves struggling to deal with the need to identify, triage and analyze security incidents to determine ‘materiality’ and the resultant reporting timeline under the new SEC rule.”

And the question of “materiality” remains, well, a question.

“Companies should prioritize defining materiality,” Clark said. “This should be a collaborative effort of management and risk function leaders — e.g., IT, security, ORM/ERM — to determine the thresholds of materiality of a cybersecurity incident as it relates to the company’s operations, reputation, and financials. [Companies should] … empower CISOs and security leaders to have open and honest conversations on the organization’s ability to protect against cyber threats and recover from cyber incidents. Organizations should be honest with themselves and in their 10Ks on the state of their cybersecurity processes.”

It’s also important, EY’s Patrick Niemann says, to remember that the SEC isn’t the only sheriff in town.

“[T]he SEC is not the only governance stakeholder seeking more disclosures about cyber incidents,” Niemann said. “For instance, the Institutional Shareholder Service includes 11 factors that address information security risk management and oversight matters, ranging from information about board members’ information security expertise, the frequency with which the board is briefed on information security matters, whether the company has a cyber risk insurance policy and the existence of and related financial impact of recent breaches.”

Our cybersecurity coverage this year was broad, before and after the SEC released its new rules:

BACK TO TOP

Not your grandmother’s compliance department

The nature of compliance is changing, as continuous compliance, real-time risk management and values-based, employee-friendly ethics and compliance programs continue to proliferate. Empowered in part by enforcement actions in which the presence of a strong compliance program reduced or even eliminated fines and other punishments, compliance practitioners can now point to the real-world impact of what they do.

“A culture of integrity is nothing new; the DOJ and other regulators have stressed the importance of culture for years,” said Laura Greenman, a managing director at compliance and governance advisory StoneTurn. “However, now compliance practitioners have concrete evidence of how an ethics and compliance program with a strong culture of integrity can save companies money. … Compliance practitioners will need to continue to emphasize this benefit and focus on behavioral compliance, i.e., not just considering compliance with the letter of the law but the spirit.”

StoneTurn partner Jonny Frank says compliance teams should continue to make their impact felt, particularly when it comes to their companies’ bottom line.

“Compliance officers often refer to themselves as ‘business partners,’ but the profession needs to do more to change the perspective they are a cost center or, worse, at some companies, a revenue prevention function,” Frank said. “Because for-profit businesses exist to earn profits, the business may reject perceived impediments to profit just as the human body creates antibodies to counteract antigens. Compliance programs can help companies increase profits by enabling the company to accept greater risk to add revenue, applying a risk-based approach to reduce controls, cut costs, plug revenue leakage and safeguard tangible and intangible assets.” 

Alev Viggio, Drata’s compliance director, says intra-office alignment is required for truly continuous compliance.

“As regulatory penalties become steeper and organizations increasingly prioritize adherence to new and existing compliance frameworks, security and compliance teams will work to align their objectives,” Viggio said. “Both will recognize that they have a critical role to play in protecting the organization’s infrastructure and data and minimizing security risks.”

Our coverage of the changing nature of compliance this year included:

BACK TO TOP

US goes another year without federal data privacy law, but states continue to step into the breach

Data privacy laws continue to spread on the state level, but the U.S. remains without a modern data privacy regime. Eight states enacted comprehensive consumer privacy laws in 2023, joining the five that already had them, while lawmakers in most other states at least considered them.

While a comprehensive federal law could seem like an inevitability, Roy Wyman, a member at Bass, Berry & Sims, says not so fast.

“The proliferation of state privacy laws may be giving a false sense of security to federal lawmakers that privacy is starting to be addressed,” Wyman said. “Given the overall inability of Congress to act on a number of issues, the pressure to address privacy concerns may need to be almost overwhelming for something to happen. In short, I wouldn’t underestimate the ability of the U.S. to do nothing for the foreseeable future.”

In the absence of a federal law, the data privacy patchwork continues to create confusion and inconsistency, both for consumers and for businesses, which can add to companies’ compliance burden.

“To address the challenges with the country’s current patchwork approach to privacy, it will be important for enterprises to evaluate their compliance standards and consider adopting consistent standards across the nation,” said Paola Zeni, RingCentral’s chief privacy officer. “By enforcing requirements from the most stringent state in which the business operates, organizations can better be equipped to handle new state-level bills as they arise.”

But unless and until federal legislators act in a meaningful way, consumers and companies will suffer, Wyman said.

“[T]he FTC and other agencies will try to step in to put a Band-Aid on the issues. At this stage, much of the U.S. is missing out on rights of access, rights to have their personal information deleted, and even the right to opt out of sales of personal information. There is also an unseen but significant tax on the population as companies are forced to waste money addressing this mass of confused and inconsistent regulation.”

Our coverage of the data privacy landscape this year included:

BACK TO TOP

Labor movements pick up steam & the workforce continues to evolve

A summer of strikes in Hollywood ended with studios making major concessions to both actors and writers, and the longest auto strike in a generation yielded higher pay and better benefits. Meanwhile, office workers pushed back against calls to return to the office on a full-time basis, and generational changes continued to transform the workplace.

These evolving risks will influence both board and risk management teams, experts said.

“Every company has faced talent shortages alongside the emergence of a younger generation of workers — Gen Z — which has very different expectations of employers and the businesses they patronize,” said Kris Pederson of EY. “This is a growing area of focus in 2024 for boards to understand the influence of Gen Z, the demands of a new employee experience and a pro-worker mindset, what drives this growing segment of the population and how their behaviors are already inciting great shifts for the future of their companies.” 

Economic forces are at play, too, as interest rates have kept the squeeze on businesses, particularly small- and mid-sized ones.

“I anticipate challenges like managing cashflow with fluctuating inflation and hiring and keeping talent in a tight labor market will continue to keep business owners up at night,” said Frank Fiorille, VP of risk management, compliance and data analytics at Paychex. “But the good news is the market will continue to loosen — just perhaps not at a dramatic pace as the Fed works to orchestrate a soft landing.”

Economic and labor coverage this year included:

BACK TO TOP

Newsflash: Crypto can be risky

Former crypto executive Sam Bankman-Fried went to prison for fraud, and investigators have suggested that Hamas at least partially funded its Oct. 7 attack in Israel using crypto financing. Meanwhile, the EU sought to bring order to the volatility with its Markets in Crypto-Assets Regulation (MiCA), which covers crypto assets that are not currently regulated by existing finserv legislation.

New regulation notwithstanding, cryptocurrency and digital assets remain a risky bet.

“The Basel AML Index for 2023 revealed a regressive trend in the fight against financial crime,” said Silvija Krupena, head of financial crime at RedCompass Labs. “Risks have increased, the quality of AML and CTF frameworks are getting worse, transparency, legal and political risks are increasing, and compliance with new tech such as AI and virtual assets including crypto is plummeting. The industry is losing the fight against financial crime and needs to take a new approach.”

Here’s a look at our crypto and blockchain coverage this year: