That’s it, folks: the hellish 365 days otherwise known as 2020 is now over. It was a brutal, bitter year; and the consequences of pandemic, recession, and political rancor will echo for years to come.
Those consequences, however, will start to come immediately. So before we return to the grind of emails to answer and Zoom calls to avoid, let’s spare a few moments to ponder the corporate compliance landscape in the coming year. To wit, then: my annual list of compliance issues worth watching in the next 12 months.
Vaccinations and Return to Work
Covid vaccinations and a return to some semblance of work as we used to know it will be the most important issues of 2021, far and away. Ethics and compliance teams will face several challenges.
Foremost, how will the company develop and roll out a vaccination policy? Will you require all employees to be vaccinated, or some, or none? What about obtaining evidence of employee vaccination, and keeping that health data secure? How will senior management integrate this divisive public health measure into daily operations?
Second, how will the company unwind any policy changes you adopted in 2020 that might no longer be necessary as normalcy resumes? Travel restrictions, working from home, access to offices, workplace safety, mask requirements — businesses improvised a host of policy changes in 2020. How will you reassess, and perhaps reverse, those policy changes in 2021?
The Anti-Money Laundering Act
This is one 2021 compliance event that’s already happened: Congress enacted the Anti-Money Laundering Act (AMLA) on Jan. 1, as part of overriding President Trump’s veto of a defense spending bill. Now we spend the next year or so implementing AMLA at a more practical level, and the law will affect compliance officers in several ways.
First are the shell companies. AMLA directs the Treasury Department to build and maintain a registry of beneficial owners of shell companies, essentially ending the existence of anonymous shells in the United States. How will financial firms then use that registry of shell companies to improve their customer due diligence operations? More precisely, will law enforcement and other regulators eventually expect you to do a better job rooting out sketchy customers hiding behind shell companies, because those names and business ties will be more readily available?
Second is the whistleblower program. AMLA creates yet another whistleblower awards program, letting the Treasury Department collect tips on violations of the Bank Secrecy Act. As written, the law seems to say that compliance and audit professionals will be eligible to submit tips and pursue awards even without reporting misconduct allegations internally. At first that idea struck me as counter to how CCOs and internal audit chiefs are supposed to work with senior executives. Now I’m warming to it: reporting tips would also allow you to claim anti-retaliation protections included under AMLA.
The First Biden Announcement
We all know the Biden Administration will take a starkly different approach to oversight of corporate conduct than the Trump Administration; we just don’t know how. So one event I’ll be looking for is the first signal from an actual Biden Administration official — a speech, an enforcement action, a policy change — that will tell compliance officers what to expect.
For example, in November we saw the senior Democratic commissioner on the Federal Trade Commission give a detailed dissent in an FTC enforcement action against Zoom Technologies. That sounded to me like a precursor of how the Biden Administration might approach consumer protection. Allison Herren Lee, senior Democratic commissioner at the Securities and Exchange Commission, has made similar statements about securities law.
So by mid-2021, we can expect a deputy attorney general or an SEC chairman or some other fairly senior Biden Administration official to start making formal policy announcements. I don’t believe we’ll see any substantive departure from, say, the FCPA Corporate Enforcement Policy — but we’ll see lots of other departures. I’d like to know what those are.
Climate Change Disclosure
2021 will see movement on climate change in multiple forms: from the Biden Administration, from institutional investors, and possibly from Congress. The goal with any and all of these efforts will be more disclosure from corporations about their climate change risks. So compliance and audit executives need to start thinking now about how to collect useful and accurate data on those issues.
For example, one likely action is that the SEC will revisit its current rule for disclosing climate change issues. We could see the agency adopt a much more far-reaching version, where public companies are required to assess and disclose risks according to a specific framework. (One potential candidate: the frameworks provided by the Sustainability Accounting Standards Board, which just launched a climate-change disclosure standard last month).
Even if the SEC takes its time with a new rule, institutional investors and consumers are exerting more pressure on businesses to tackle climate change anyway. It’s already a governance and reputation issue; the question is when climate change will also start becoming a regulatory issue, and pull compliance, audit, and risk teams into the issue even further.
The SolarWinds Cybersecurity Disaster
If you want a succinct analysis of the SolarWinds attack, read the hair-raising article summary published by the New York Times on Jan. 2. Then gaze out the window and think, “Yikes, this is going to send the vendor risk management crowd into orbit” — because that’s exactly what will happen, and for good reason.
The SolarWinds attack demonstrated a multitude of weaknesses in the software supply chain: everything from how tech firms develop software, to how businesses (including government agencies) purchase and use that software, to how regulators oversee and police against security threats in the software world. Also remember that corporations were victims here just as much as the government, so even if regulators don’t respond with more scrutiny of tech vendors and cybersecurity, your boards will still be going bananas over this too.
Compliance officers may want to brace themselves for several scenarios:
- Will we see new national security laws allowing intelligence agencies to conduct domestic surveillance and operations, including against computer servers located in the United States?
- Will we see greater emphasis on vendor risk management, particularly for government contractors and the vendors in their supply chains?
- Will we see tighter security standards around confidential unclassified information (CUI)?
All three questions speak to weaknesses the Russians used to gather information in the SolarWinds attack. I don’t see a scenario where the Biden Administration does nothing about any of them.
Bonus: A 2021 Compliance Conference
In a certain sense, this strikes me as the most personal compliance question of all for 2021. When will we see each other again?
The compliance community is small and close-knit. We help each other with good ideas, job leads, and supportive text messages when the boss is driving you nuts. It’s fun to attend conferences, because the people we meet are fantastic and good friends. You even learn stuff useful for the job. So the one thing I want to see more than anything else this year? Fellow compliance professionals.
The first significant in-person event of the year seems to be the Society of Corporate Compliance & Ethics conference for higher education in June; or if that goes virtual, then the annual national conference in Las Vegas in September.
Honestly, I don’t care. As soon as an in-person conference is scheduled, if I’m vaccinated and allowed to travel, I’m going. You’ll find me standing on my chair in the conference hall clapping and cheering — because 2020 threw terrible stuff at us, and we still prevailed.