As the holiday season comes upon us and 2022 draws to a close, most compliance officers are probably looking forward to taking some well-deserved time off and a few deep breaths to relax after an eventful year.
I’m not sure how many breaths we can take. The events of 2022 look like they’re going to echo through corporate compliance programs for years to come.
All of those things happened in 2022, but they will affect compliance officers in 2023 and beyond.
The war in Ukraine
We should always remember that Russia’s invasion of Ukraine is above all a moral and humanitarian disaster — but the war does also bring implications for corporate compliance programs, and those issues need attention.
Foremost, the war underlined the importance of sanctions compliance, because sanctions have been the primary tool that Western countries use to push back against Russia. The number of Russian nationals and businesses on sanctions watch lists now changes all the time; that means companies need sophisticated capabilities for sanctions screening, right down to the technologies you use for screening and how you configure those parameters.
The war also fused sanctions compliance and supply chain risks into a single headache for global businesses, since cutting ties with Russian suppliers could then saddle a business with painful supply chain disruptions. Now, a scattershot approach to sanctions compliance could bring significant grief to supply chains, and vice-versa. Compliance and supply chain teams will have to work together more closely to avoid those traps.
Even if the war in Ukraine ends soon, compliance officers should have no illusions that sanctions enforcement will recede thereafter. It won’t. Governments now understand that sanctions can be a versatile tool for geopolitical strategy. That means global corporations will need agile sanctions screening capabilities, tied closely to their sourcing and supply chain management programs.
‘We have to certify what?’
The first few months of 2022 also saw Justice Department officials announce plans that from now forward, CEOs and chief compliance officers would need to certify the effectiveness of their compliance programs as part of corporate misconduct resolutions. The first such arrangement arrived in May (Glencore’s $1 billion settlement for FCPA violations), followed by GOL Airlines, ABB, and Danske Bank.
Compliance officers have responded to this news with predictable, but not unwarranted, discomfort. When certifying that your program is “reasonably designed and effective,” exactly what does that standard mean? Will compliance officers face legal jeopardy if the program they certify subsequently suffers a violation? What if you take a CCO job halfway through a deferred-prosecution deal — would you need to certify a program you didn’t design?
For now, the answers to those questions (and so many more) are unknown. The immediate issue for compliance officers is how companies will respond to that certification requirement. You’ll need some way to assess the effectiveness of your program; that means you’ll need more data, and sharper analysis of it. You’ll also need strong monitoring and internal reporting procedures, so that if a failure does happen, you can find and report it promptly.
The biggest question, however, is how the compliance officer’s relationship with the CEO might change, since the CEO will be certifying the compliance program too. Will that risk of personal liability lead the CEO to give enthusiastic, enduring, and material support for the compliance program? We’ll find out.
Higher standards for data protection
Another issue that quietly built up over the course of 2022: warnings from numerous regulators for companies to do better at data protection.
These warning signs didn’t arrive with a thunderclap, like the EU General Data Protection Regulation in 2018 or the California Consumer Privacy Act in 2020. Instead, regulators published warnings about good data protection practices they want to see; or took enforcement actions against errant companies that offered plenty of lessons for other compliance officers.
For example, in August the Consumer Financial Protection Bureau published guidance that listed three best practices companies should implement if they want to avoid liability under federal consumer protection statutes: multi-factor authentication, password management, and timely software updates. In October, the Federal Trade Commission delivered two enforcement actions against online businesses that let sloppy data protection practices linger for years; in both cases the FTC imposed a suite of reforms that look like an emergent set of best practices — including use of multi-factor authentication, clearly defined roles for cybersecurity oversight, risk assessments, and audits.
The question for compliance officers is how to cobble together all these messages about data protection into one coherent compliance program. That’s going to mean close collaboration with your IT security function, as well as First Line business functions collecting and processing all that data. It’s going to involve more technical controls, and more effective breach response programs.
The bottom line, however, is that from Washington to state capitals to regulators overseas, everyone is pushing for stronger data protection. Compliance teams will be navigating those demands for years to come.
And so much more
We could list lots more significant corporate compliance moments from 2022: the continued push for ESG disclosures, the collapse of cryptocurrency exchange FTX, and even the more practical challenges of budgeting and running a compliance function in an era of inflation and economic uncertainty. As we said at the start, this has been a momentous year, with consequences that will reverberate for years to come.
Nobody truly knows how those consequences will unfold in 2023, but companies need strong ethics and compliance capabilities to get through it all — I’ll take that bet every day of the week.