Compliance officers always seem to live in complicated, ever-changing environments, and 2023 has been no exception. From “traditional” issues such as anti-corruption and internal whistleblowers, to emerging ones such as the rise of artificial intelligence, the past 12 months have served up one challenge after another.
A thorough recap of every significant moment for corporate compliance in 2023 is impossible; there are simply too many of them. Below, however, are five major moments compliance officers encountered in 2023 whose implications are likely to reverberate in 2024 and beyond.
New Approaches to FCPA Enforcement
2023 was an unusual year for enforcement of the Foreign Corrupt Practices Act. Despite the usual promises of vigorous enforcement from the U.S. Justice Department, we actually saw relatively few enforcement actions against corporations — but the cases we did see were telling in other ways.
For example, chemicals company Albemarle Corp. settled FCPA charges in September, paying more than $200 million for corruption schemes that involved third-party intermediaries and state-owned oil companies. Most interesting: that as part of its settlement, Albemarle agreed to restructure its entire sales model, scuttling the use of resellers and other intermediaries in favor of a direct sales approach.
Why is that interesting? Because it is a permanent change to Albemarle's operations, and one significant enough that it couldn’t have been adopted without senior management and board approval. In other words, the Justice Department is pushing for structural reforms to reduce the chance of future FCPA misconduct — and companies are agreeing to it.
On the other hand, the Justice Department is extending more olive branches to companies that voluntarily self-disclose FCPA misconduct and remediate those issues. In October, deputy attorney general Lisa Monaco announced a new policy that the department would typically not prosecute FCPA issues a company discovers in acquisition targets, if the company reports those issues within six months of the acquisition and remediates the issues within 12 months. Perhaps to demonstrate the point, in November the Justice Department then announced a declination against a biomedical company that had found FCPA misconduct in a recently acquired subsidiary.
Taken altogether, this means that strong FCPA compliance capabilities — due diligence, voluntary self-disclosure, remediation, and the like — will continue to be crucial for global businesses in 2024 and beyond. The Justice Department wants to see companies take anti-corruption efforts seriously, and will continue to use both carrots and sticks to achieve that goal.
From Crypto to Kyiv, Stepped Up Sanctions Enforcement
Sanctions enforcement is another compliance issue rising swiftly as a concern for global companies. In 2022 deputy attorney general Monaco famously promised “sanctions are the new FCPA,” driven at the time by Russia’s invasion of Ukraine and sweeping new sanctions imposed by the United States, Europe, Japan, and elsewhere.
In 2023 we’ve seen that promise of rigorous enforcement come into focus with specific examples. In April U.S. authorities hit British American Tobacco with a $630 million fine for longstanding sanctions violations in North Korea, the largest sanctions penalty ever imposed on a non-financial company. Just one week earlier, regulators fined Seagate Technology Corp. $300 million for selling computer hardware to Chinese-based Huawei Corp.
Moreover, we’ve seen a steady stream of enforcement action against cryptocurrency firms for failing to implement effective anti-money laundering and customer screening programs. The most famous example is Binance, which pleaded guilty and agreed to $4.3 billion in penalties in November, but numerous smaller firms have been paying smaller civil penalties for their own AML and customer due diligence shortcomings too.
Sanctions enforcement will continue to be a priority for U.S. and EU regulators. That means compliance officers need to keep developing their sanctions-screening and due diligence capabilities, and strengthen their overall policies, procedures, and training for sanctions risk.
New Message for Healthcare Compliance
The U.S. Department of Health & Human Services delivered a surprise in November, when the department’s Office of the Inspector General (OIG) delivered long-awaited guidelines on effective compliance programs in the healthcare sector — including a declaration that chief compliance officers should be fully independent from the company’s legal team, and report directly to the CEO or the board.
The guidelines are voluntary, and apply only to the U.S. healthcare sector. Still, their emphasis on CCO independence is crystal clear: “The compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does… Whenever possible, the compliance officer’s sole responsibility should be compliance.”
The question now is how many companies, both in the healthcare sector and beyond, will embrace that declaration of CCO independence. Plenty of businesses probably won’t, at least until they suffer a misconduct crisis and regulators force the conversation. But the OIG guidance does give compliance officers an opportunity to raise the issue and ask useful questions.
For example, how should the compliance and legal functions operate? Is the general counsel there to “defend” compliance during difficult conversations with senior management? (A position more than a few GCs will take.) Or should the chief compliance officer be elevated to a senior role where he or she can have those difficult conversations directly?
Plus, how will OIG react to misconduct scandals where the compliance function didn’t meet its independence standard? And what should other industries infer from those reactions? Perhaps we’ll find out in 2024.
Another Brisk Year for SEC & Whistleblowers
Another big story in corporate compliance happened all year long: the Securities and Exchange Commission saw record-breaking tips to its whistleblower program, and reported brisk enforcement activity across a host of other metrics.
That news arrived in November, when the SEC announced enforcement results for its fiscal 2023, which ended on Sept. 30. The agency received more than 18,000 whistleblower tips, up 50 percent from the 12,300 tips received in 2022. The SEC also issued nearly $600 million in whistleblower awards — another record, although that $600 million was largely driven by a single award of $279 million, the largest whistleblower award in SEC history.
The SEC also reported a higher number of enforcement actions in total, the second-highest total of monetary penalties imposed in a single year ($4.95 billion, and the highest total happened in 2022), and the highest number of persons barred from serving as directors or officers at publicly traded companies in 10 years.
Quite simply, SEC enforcement had been going nowhere but up, and compliance officers at U.S.-listed companies need to plan accordingly. For example, even though whistleblower tips can take years to investigate, whenever an employee submits a tip your company (1) loses its chance to receive credit for voluntary self-disclosure; and (2) increases its chance of a whistleblower retaliation claim in addition to the underlying offense.
So, as always, companies have a clear imperative to develop a strong culture of internal reporting. The more often you can hear about a whistleblower complaint first, and then bring it to regulators, the better — but the SEC is happy to continue down its enforcement path without you.
Lots of Talk on AI, With More to Come
The biggest technology development in 2022 was the arrival of generative AI, first in the form of ChatGPT and soon followed by a squad of similar artificial intelligence systems. 2023 has been a year of regulators around the world trying to understand how they should respond to the swift rise of AI — and 2024 is likely to be a year where we see those regulatory ambitions take real, substantive shape.
For example, the Biden Administration unveiled an executive order on artificial intelligence on Oct. 30. The order itself doesn’t impose any regulations over AI; instead, it directs other agencies in the U.S. government to adopt new regulations or guidance for AI, following basic principles the Administration spelled out in a previous policy statement about AI from 2022.
The European Union lurched forward with AI regulation with passage of its Artificial Intelligence Act in early December. Many of the details need to be finalized over the next 24 months, but already we do know some uses of AI that will be under strict scrutiny (AI in medical devices, for example), other uses that will have only light oversight (AI to screen your email), and still more uses that will be banned outright (governments using AI to generate “social scoring” of its citizens).
Even as compliance, audit, and cybersecurity professionals wait for those specific regulations, there’s still plenty to do right now. Artificial intelligence is a new technology. So just like other new technologies that have come before it, companies should assure that they have wise policies and procedures in place to govern how your enterprise starts to embrace AI. For example, who is informed when a business unit wants to adopt an AI tool? Who performs a risk assessment to be sure that new use doesn't violate privacy or discrimination rules?
That basic block-and-tackle of risk assessment and internal control applies perfectly well to AI even today. It will only become more important in 2024 and beyond.