Happy New Year, fellow compliance enthusiasts! As you struggle to answer all those emails and calendar alerts you ignored last week, spare a moment to contemplate those bigger issues — like, say, those listed in the Radical Compliance annual list of compliance issues worth watching in the next 12 months.
Every January I try to identify those events likely to happen in the coming year that will be most consequential for corporate compliance and audit professionals. Compiling the list is never easy since there’s always so much going on, and 2024 is no exception; but in no particular order, here’s what is on my radar screen…
Implementation of FEPA
Congress enacted the Foreign Extortion Prevention Act in December, making it a crime for foreign government officials to solicit bribes from U.S. companies or persons. This is a huge step forward for anti-corruption overall, and we should welcome it. Still, we’d be foolish to ignore FEPA’s implications for compliance with the Foreign Corrupt Practices Act. So one question I have for 2024 is how the Justice Department will begin to explain its approach to FEPA prosecutions.
For example, will companies under investigation for FCPA violations be expected to help the Justice Department prosecute the corrupt foreign officials as well? If so, what would that cooperation entail? How might compliance officers need to alter their FCPA policies and procedures to make that cooperation as efficient and pain-free as possible?
Right now, we don’t know the answers to any of those questions. I hope Justice Department officials start providing answers in speeches, policy documents, or other guidance, but we’ll need to wait and see.
The NOCLAR Proposal From PCAOB
Last summer the Public Company Accounting Oversight Board proposed a new auditing standard known as the NOCLAR proposal, for “non-compliance with laws and regulations.” As proposed, this standard would require external audit firms to look much more aggressively for compliance and legal violations at their client companies, and report any violations they find more quickly to the company’s senior management and audit committee.
This is a noble idea in theory, and a potential nightmare in practice. It could force audit firms to act as shadow compliance functions, wandering around your enterprise looking for potential compliance violations. It would also require the audit firm to ask the head of internal audit whether he or she knows of any potential violations, which puts the CAE in a terrible position — and totally ignores the chief compliance officer, the person most likely to know about compliance violations. It could also cause audit fees to soar as audit firms hire compliance and legal specialists, while introducing new tensions between auditor and client.
The PCAOB has received a boatload of comments on the proposed standard. Good governance enthusiasts support it, audit committees and other corporate interests hate it, and even the audit industry is wary that this idea could backfire. So I’ll be watching closely to see whether the PCAOB adopts a final rule this year, and what form that rule might take; or whether the agency retreats to the drawing board.
SEC vs. SolarWinds and CISO
At the end of October the Securities and Exchange Commission filed a lawsuit against IT services firm SolarWinds and its CISO, Timothy Brown, accusing both parties of giving investors misleading assurances over SolarWinds’ cybersecurity in the 2010s. Those assurances were proven disastrously wrong when SolarWinds suffered a massive cyber attack in 2020.
What’s interesting here is the SEC’s attempt to hold Brown accountable for the company’s internal processes to assess its cybersecurity readiness. As the SEC sees matters, Brown knew that lower-level employees were raising alarms about SolarWinds’ poor cybersecurity, and ignored those warnings in favor of rosy statements to investors. Either that, or (less likely) Brown didn’t know about those lower-level warnings over cybersecurity because the company’s internal processes to raise concerns were flawed — in which case, he and SolarWinds are still on the hook for misleading investors.
This lawsuit could have significant implications for risk assurance executives such as chief compliance officers or audit executives, since it seeks to hold a fellow risk assurance executive (CISO Brown) responsible for internal processes to measure and report risk. SolarWinds has vowed to fight in court. In 2024 I’ll be watching to see whether this case settles or hits some other pre-trial motion that tells us what might happen next.
Regulation of AI
Remember the Biden Administration’s executive order on artificial intelligence, released in October? The order was sweeping in scope, directing all federal agencies at least to think about how they might need to regulate AI, and directing several specific agencies to move forward with specific pieces of regulation or guidance. So in 2024 I’ll be watching to see what regulatory agencies might actually do.
For example, the order directs the National Institute of Standards and Technology (NIST) to develop standards for rigorous security testing of AI systems; it also requires “the most powerful AI systems” to undergo red-team testing and their developers to share those results with the government. And who defines what the “most powerful” AI systems are? The Commerce Department, in consultation with several other agencies, in regulations that will arrive at some future date.
All that said, compliance officers should also remember that regulators can already take action against companies’ poor use of AI under existing rules and statutes. We saw that just the other month, when the Federal Trade Commission banned Rite Aid from using AI-driven facial recognition technology to identify potential shoplifters. The fundamental offenses there were poor employee training and poor quality control over personally identifiable information (the images of customers and potential shoplifters). That Rite Aid was using AI to process the data was incidental; the poor processing alone was enough to trigger an enforcement action. I’m sure we’ll see more such enforcement in 2024, too.
AI Emerging in GRC Platforms
Aside from potential regulation of AI, there’s still that issue of artificial intelligence changing the world and all — and compliance officers are entitled to reap the benefits of that transformation as much as any other business function. Will 2024 be the year we start to see that happen, as artificial intelligence penetrates into GRC technology?
Plenty of GRC vendors will say they already use AI in their products. In a broad sense that’s true, but so far that has mostly been in pilot projects or beta tests with preferred customers. We have yet to see AI — or more specifically, generative AI, such as ChatGPT-like tools — appear as a standard offering in a wide range of GRC technologies for compliance officers’ routine needs.
For example, sometime soon, a compliance officer should be able to type in plain language, “Hey GRC tool, which of my third parties are my biggest anti-corruption risks? Give me a top 10 list.” Then the list appears on your screen, with an ability to drill into each party to see why they’re high-risk.
GRC vendors big and small are working on exactly such functionality; some of them have shown me the beta tests or the pilot projects. The questions are (1) will those AI-driven features arrive this year; and (2) how quickly will compliance officers embrace them?
SEC Disgorgement Powers in Jeopardy
You may not have noticed it at the time, but the 2nd Circuit Court of Appeals delivered quite a fright to the SEC and the corporate compliance community last Halloween: a ruling that threatens the SEC’s ability to seek disgorgement of ill-gotten proceeds in a wide range of fraud cases.
The ruling, SEC v. Govil, declared that the SEC cannot seek disgorgement of ill-gotten proceeds when the agency cannot demonstrate harm to investors. If that decision stands (more on that shortly), no longer could the SEC force companies to disgorge profits from conduct that clearly is illegal, but does not result in obvious harm to investors — like, say, FCPA violations.
The 2nd Circuit’s logic is that under Supreme Court precedent, disgorgement is intended for “victims” — and a victim is “one who suffers pecuniary harm from the securities fraud.” Except, investors typically don’t suffer the harm from an FCPA violation; the victims are people living under the corrupt foreign government official, or the other company that didn’t win the contract because it didn’t pay the bribe. So disgorgement isn’t available as an SEC remedy.
Well, if the SEC can’t force a company to surrender its ill-gotten proceeds, doesn’t that give the company more incentive to engage in lucrative FCPA misconduct? Why listen to that cranky compliance officer saying it’s wrong?
The SEC has asked the 2nd Circuit to reconsider this case. Moreover, the 5th Circuit Court of Appeals has already ruled that the SEC does have disgorgement powers. That means a circuit split, which is excellent grounds for the SEC to appeal to the Supreme Court if necessary. So this is a mess, and I want to see how circumstances evolve in 2024.
The Return of Trump Risk
What, did you really think we’d go through a list of 2024 events to watch without mentioning Donald Trump? The man is the biggest threat to U.S. democracy and governance at least since the Civil War. Of course compliance officers have to watch whether he returns to power.
The first potential threat from a second Trump Administration would be a breakdown in governmental process. For example, if Trump appoints an attorney general who serves simply to prosecute Trump’s perceived enemies and go easy on his friends, is that person really going to care about holding corporate offenders accountable? Why invest in compliance programs at all? Just give Herr Trump a fat campaign donation and the president will order your case to be dropped. Also expect administrative procedures to go out the window, as Trump tweets out his latest impulse as national policy. Do you really think he’ll care when anyone (including a federal judge) points out that his impulses violate the Administrative Procedure Act?
That brings us to the second, and bigger, threat: Trump tearing the country apart over immigration, abortion, import taxes, higher education, foreign policy, and pretty much everything else. Corporations, with their national reach and nationwide workforces, will see that dissent rip through their own operations too.
Think back to the first Trump Administration, when employees rebelled against their companies doing business with the Administration, or when anti-Trump consumers and anti-Trump employees forged alliances on social media. A second Trump Administration, building migrant concentration camps along the border and moving to ban abortion nationwide, will make that first-term disruption look like a campfire sing-along. Good luck managing your ethical corporate culture in that world.
Those are seven big ethics and compliance issues I’ll be watching in 2024. I could continue, but it’s not about me — what will you be watching for in 2024? Email me at [email protected] and let me know.