On March 20, 2025, the UK’s Serious Fraud Office (SFO), France’s Parquet National Financier (PNF) and the Office of the Attorney General of Switzerland (OAG) announced the formation of the International Anti-Corruption Prosecutorial Taskforce (Taskforce) to strengthen collaboration in the fight against bribery and corruption. This announcement came just over a month after U.S. President Donald Trump issued an executive order “pausing” criminal enforcement of the FCPA (FCPA EO), following which several DOJ investigations and cases have been delayed, dismissed or closed.

In the Taskforce’s founding statement, the agencies note the significant threat of bribery and corruption and the severe harm it causes, and they offer a full-throated reaffirmation of their commitment to tackle this threat within both national and international legal frameworks. They stress that success relies on working closely and effectively together and building further on the strong existing relationships, and they say that they intend to invite other like-minded agencies to participate in the Taskforce.

This clear divergence between the signals and statements of some of the world’s most significant anti-corruption enforcement agencies leaves companies, individuals and counsel to wonder what such enforcement will look like in the months and years to come. Early signs suggest the U.S. will indeed retreat to a noticeable degree from criminal anti-corruption enforcement and, in this article, we discuss how the FCPA EO may open up space for other enforcement authorities, such as the new Taskforce, to step into the void.

For insights from the SFO, PNF and OAG, see “2024 in Review: International Cooperation Continues to Drive ABAC Enforcement” (Dec. 18, 2024).

The State of U.S. Enforcement

The change in the U.S. presidential administration has led to some significant changes in anti-corruption enforcement from both the DOJ and SEC.

FCPA EO

The FCPA EO asserts that the FCPA “has been systematically, and to a steadily increasing degree, stretched beyond proper bounds and abused in a manner that harms the interests of the United States,” and instructs the DOJ not to open any new FCPA investigations or engage in any “FCPA enforcement” for 180 days, unless the AG makes “an individual exception” for a particular matter, based on as-yet-unclear criteria.

During this 180‑day period (which the AG can extend for a further 180 days), the AG is instructed by the FCPA EO to conduct a review of all existing investigations, enforcement actions, policies and guidelines related to the FCPA. The AG is further instructed to “issue updated guidelines or policies” related to FCPA investigations and enforcement actions, and thereafter to “determine whether additional actions, including remedial measures with respect to inappropriate past FCPA investigations and enforcement actions, are warranted.” Like the criteria for making “individual exceptions” to the “pause,” the criteria by which past FCPA investigations or enforcement actions might be deemed “inappropriate” are not articulated in the FCPA EO and have not since been announced by the DOJ.

Finally, in a significant departure from historical practice, the FCPA EO directs that all FCPA investigations and enforcement actions “initiated or continued” after the AG issues new guidance must “be specifically authorized” by the AG.

Bondi Memo

On her first day at the DOJ, and just five days before President Trump issued the FCPA EO, newly appointed AG Pam Bondi issued a memo to DOJ employees titled “Total Elimination of Cartels and Transnational Criminal Organizations” (Bondi Memo), in which she directed that the DOJ Criminal Division’s FCPA Unit prioritize investigations related to cartels and transnational criminal organizations (TCOs). For any such investigations, the memo also suspended DOJ policies requiring authorization by and participation of the DOJ’s Criminal Division in FCPA matters.

While the FCPA EO’s “pause” rendered this requirement largely moot, many observers expect that any “updated guidelines or policies” issued by the AG pursuant to the FCPA EO will incorporate similar requirements.

Some Cases Abandoned, Others Continue

The ultimate impact of the FCPA EO on existing and prior DOJ investigations and prosecutions remains unclear, but early signs indicate that it will not lead to a complete discontinuation of DOJ FCPA enforcement.

For example, although a high-profile FCPA trial in the District of New Jersey was delayed and ultimately dismissed at the request of the newly installed U.S. Attorney for that district, and several ongoing FCPA investigations reportedly have been closed by the DOJ in recent weeks, at least three other FCPA trials, including two in the Southern District of Florida, reportedly have been exempted from the “pause” and are expected to occur in the coming months.

That said, the DOJ reportedly sent no representatives to the March 2025 meeting of the OECD Working Group on Bribery, an important multilateral event in which the U.S. historically has played a leading role. The U.S.’ absence, which came a month after several former Working Group on Bribery officials attempted to convince the AG of the value of participation via letter, sent an unmistakable signal to the U.S.’ anti-corruption enforcement partners and the rest of the world about what they might expect from the U.S. in the remaining years of the Trump administration.

Is Bribery “Back in Business?”

Unsurprisingly, the FCPA EO has fueled speculation that a decline in anti-corruption enforcement will lead to a proliferation of unethical business practices. Members of the press have queried whether bribery is “back in business,” and the executive director of Transparency International U.S. stated in a social media post that the FCPA EO “diminishes - and could pave the way for completely eliminating - the crown jewel in the U.S.’ fight against global corruption.” However, companies should hesitate before rolling back anti-corruption compliance measures, for several reasons.

The FCPA EO Doesn’t Shut Down FCPA Enforcement

The FCPA EO does not amend the FCPA; that can only be done by the U.S. Congress. And while it unquestionably was designed for maximum publicity impact, the FCPA EO is limited in scope – it only pauses certain DOJ FCPA enforcement activities, leaving unaffected the investigative and enforcement activities of the SEC, Commodity Futures Trading Commission (CFTC) and foreign enforcement authorities, and at least one U.S. state – California – has suggested it will continue to hold accountable those who engage in bribery and corruption. Moreover, the DOJ has already demonstrated that, despite the “pause,” certain FCPA investigations and prosecutions will proceed, and after the expiration of the “pause,” the DOJ may well ratchet up FCPA enforcement that aligns with the priorities articulated in the Bondi Memo and elsewhere.

The FCPA EO May Be (Relatively) Short-Lived

FCPA violations generally are subject to a five-year statute of limitations; this means that any violations committed during the current administration could be prosecuted under President Trump’s successor beginning in January 2029. DOJ priorities also could shift during the Trump administration itself. Any expectation of non-enforcement of the FCPA for violations committed today or during the remainder of the Trump administration must be tempered by this mathematical and statutory reality.

Moreover, it is possible that the most enduring aspect of the FCPA EO will be the opportunity it provides the 93 U.S. Attorneys’ Offices throughout the U.S. to open new FCPA matters without DOJ Criminal Division approval and participation. The extent to which any of those offices exploit that opportunity successfully and at scale remains to be seen, but it likely will be difficult for the Criminal Division to reassert its historic level of primacy over DOJ FCPA enforcement in the future, leaving a multitude of prosecutors across the country with little standing in their way when it comes to initiating large-scale corporate anti-corruption investigations.

Enforcement Gaps May Open, but the U.S. Isn’t Going Away

Importantly, the “pause” on FCPA enforcement only affects the DOJ, not the SEC and CFTC which may still bring civil enforcement actions for FCPA violations. Therefore, even if the DOJ retreats from its traditionally aggressive FCPA enforcement, other U.S. authorities may still pursue FCPA investigations.

Equally, it is already clear that the “pause” will not end all existing DOJ FCPA investigations, in which evidence will continue to be developed and (potentially) shared by the DOJ with its overseas counterparts. The FCPA EO also does not shut down any of the plethora of DOJ whistleblower programs announced in recent years (much less SEC or CFTC whistleblower programs), which reportedly already have yielded a significant number of tips.

Additionally, even during the “pause” on criminal FCPA enforcement, the AG is empowered to grant exceptions for new investigations and enforcement actions. No criteria are offered for this purpose, and therefore it remains unclear how readily exceptions will be granted, but the DOJ’s retreat from FCPA enforcement could be less dramatic than immediate reactions to the FCPA EO predicted.

Foreign Enforcers: Filling the Void?

Prior to the FCPA EO, the SFO and other enforcement agencies would have faced familiar challenges of investigation deconfliction with an active DOJ investigating and prosecuting FCPA violations. The enforcement field may now be more readily available to the SFO, the PNF and others, although the presence of multiple agencies will still require some deconfliction.

The UK and France in particular have anti-bribery laws similar to the FCPA, as well as active anti-corruption enforcement agencies in the SFO and PNF that have developed a track record of wide-ranging and largely successful investigations and prosecutions in recent years. Whereas previously these agencies may have refrained from exercising the full scope of their enforcement capabilities in matters the U.S. was also investigating, these (and other) agencies may face far fewer impediments to more aggressive deployment of their tools and exercise of their jurisdiction.

SFO

Wielding the Bribery Act 2010 and, in particular, its failure to prevent bribery offense, the SFO is well-positioned to claim territory that might be ceded by the U.S. The SFO has been a key DOJ partner in many cross-border matters, including high-profile anti-corruption matters such as the Rolls‑Royce, Airbus and Glencore cases. However, cross-border cooperation between the U.S. and the UK has not been without challenges, due to key differences between the jurisdictions on issues such as compelled testimony, privilege, corporate criminal liability, discovery/disclosure and double jeopardy.

Most SFO cases have an international element, according to the SFO’s five-year strategy published in 2024 (Strategy), and since 2014, the SFO has entered into 12 deferred prosecution agreements (DPAs), eight of which were linked to bribery. The SFO currently has an active caseload of around 130 cases and is operating with a budget of £95.5 million and a staff count of over 500 people, the Strategy says. Its budget was increased by the UK government in November 2024 to enable modernization to take place.

SFO Director Nick Ephgrave KPM has expressed a desire to adopt a bold, pragmatic and proactive approach to enforcement, and also to pursue large, international corruption cases, including in partnership with the SFO’s international counterparts. Under his leadership, the SFO reportedly has launched several new investigations, arrested 15 individuals and revived the use of dawn raids, according to its annual report. In January 2025, it obtained its first Unexplained Wealth Order, and, in 2023, it pursued its first prosecution of a breach of a Serious Crime Prevention Order. It also has commenced proceedings against Güralp Systems for the company’s breach of its 2019 DPA, and, just last month, the SFO announced charges against a UK reinsurance broker alleged to have paid millions of dollars in bribes to Ecuadorean officials in exchange for contracts, as well as new guidance on corporate cooperation that signals an appetite for increased corporate criminal enforcement in the bribery context and beyond.

One area in particular Ephgrave is looking to develop is the treatment of whistleblowers. Departing from the view that rewarding whistleblowers is incompatible with British legal culture, Ephgrave has stated that whistleblowers should be compensated in order to enhance efficiencies in SFO investigations. Naturally, the proposals for any new UK whistleblower scheme would be subject to a consultation process with a cross section of the legal profession, which would take time – certainly beyond the 180 (or 360) days of the “pause” on DOJ activity. But looking to the future in light of the (unpredictable) new policies and guidelines to be introduced by the U.S. AG, a new UK whistleblowing scheme – if introduced – could prove to be effective in increasing the UK’s prosecution of international bribery.

A key question will be whether the SFO is sufficiently resourced and committed to fill any enforcement gap that the FCPA EO might create. The SFO has been criticized in the past for being slow-moving and having a lower rate of conviction or other successful outcome than the DOJ. Taking on a heavier workload would put sizeable demands on the SFO’s resources, which are more limited than the DOJ’s, and technological resources and disclosure will present further complications, with disclosure failures having led to collapses of prosecutions of individuals in the Unaoil, G4S and Serco cases.

Nevertheless, the entrepreneurialism and initiative demonstrated by the SFO in co‑founding the Taskforce suggest that the agency does not intend to shy away from these challenges, and companies with an actual or potential UK nexus must ensure their anti-corruption compliance programs and internal controls are not lessened in response to the FCPA EO.

See “UK Launches U.S.‑Style Whistleblower Reward Program to Combat Tax Fraud and the SFO May Be Next” (Apr. 23, 2025).

PNF

Over the past decade, the PNF has joined the anti-corruption fight in earnest, and after the FCPA EO’s publication, a PNF prosecutor stated publicly that despite the FCPA EO, “[t]he PNF will keep its watch on foreign bribery.”

The PNF’s key tool is the Law on Transparency, the Fight against Corruption and Modernization of Economic Life (known as Sapin II), which expanded the extraterritorial reach of French anti-corruption laws, laid the foundation for increased penalties and introduced conventions judiciaires d’intérêt public (CJIPs), which are roughly equivalent to DPAs. Sapin II authorizes criminal prosecution for offences committed abroad, not only by a natural person of French nationality, but also by any natural person or legal entity habitually residing or exercising all or part of their economic activity on French territory.

The PNF’s enforcement efforts have been productive in recent years. As of the publication of its 2024 annual report, the PNF had secured 532 convictions (of which 129 related to bribery), recovering €12.3 billion. Overall, it has concluded more than 20 bribery-related CJIPs. In the past two years, ongoing cases have numbered between 766 and 781 annually, with corruption-related offenses accounting for 46.6 percent of cases. The PNF has also played a key role in the development of the guilty plea procedure (comparution sur reconnaissance préalable de culpabilité), which, in contrast to the CJIP, entails an admission of guilt.

The PNF also has been a key enforcement partner for the U.S. and the UK in recent years, perhaps most prominently in the Airbus case, which resulted in a CJIP. In 2023, the PNF issued guidelines to further align its practice with the sentencing and leniency approaches adopted by the DOJ and SFO, and last year, approximately one-third of its cases required international legal assistance. The PNF also uses advanced international cooperation tools, including Eurojust coordination meetings and joint investigation teams, and has proved itself dependable when it comes to international cooperation.

As with the SFO, it remains to be seen to what extent the PNF – with 20 prosecutors and 11 specialized assistants – will be capable of coping with any increased volume and intensity of cases created by an FCPA enforcement “pause,” but its enthusiastic support for the Taskforce is an important early signal of its commitment to meet the challenge.

See “How the New DOJ and PNF Corporate Enforcement Guidelines Affect Self-Reporting, Cooperation and Remediation” (Mar. 29, 2023).

Switzerland (and Beyond?)

With its participation in the Taskforce, Switzerland has clearly expressed a desire to step up and join the UK and France as the anti-corruption leadership team. In recent years, Switzerland has acted in parallel to the DOJ and others in anti-corruption cases such as the Gunvor, Trafigura and Glencore matters.

Switzerland’s key anti-corruption legislation is found in the Swiss Criminal Code, the relevant parts of which have some extraterritorial reach. Moreover, the Judicial Affairs Committee of the Swiss Parliament is exploring the possibility of introducing DPAs.

Other countries have also stepped up their anti-corruption enforcement efforts. For example, foreign bribery enforcement has increased in the Netherlands, and in Poland, several corruption investigations are ongoing, some of which are proceeding in parallel with foreign law enforcement agencies. Hong Kong and Singapore are also active players, and Australia, South Africa and others have also ramped up their efforts.

What It All Means for Companies

Though not explicitly framed as such by its founding members, the Taskforce surely comes partially in response to early indicia of a DOJ retreat from anti-corruption enforcement and, if implemented robustly, the Taskforce may meaningfully counterbalance any such retreat. Details of implementation, diligent follow-through, and enduring commitment by the founders will determine the extent of the Taskforce’s impact, but, at a minimum, its existence must remind companies that disinvesting from anti-corruption compliance based on the FCPA EO would be a mistake.

Companies (and individuals) are currently facing something very new: a non‑U.S.‑led anti-corruption enforcement landscape. And there is little by way of precedent to guide them, as the U.S.’ FCPA enforcement efforts have long served as a leading indicator and driver of global anti-corruption enforcement. While the Taskforce represents an important effort at cross-border cooperation and coordination, it remains unclear (and perhaps unlikely) that it, much less any single country, is prepared to fill the U.S.’ outsized role in that regard. Rather, companies should expect a far more fragmented and uncertain enforcement landscape, and one in which companies may be without the refuge historically provided by the U.S.’ (relatively) transparent and tested enforcement regime.

In addition, no matter how powerful the Taskforce turns out to be, it still will have to contend with a muscular but far more unpredictable U.S. approach to anti-corruption enforcement. How and when the U.S. will seek to exercise its more traditional role of global anti-corruption leader, and whether it will do so in ways that complement or frustrate the efforts of the Taskforce (and others) remain to be seen, multiplying the already significant challenges of multi-jurisdictional deconfliction.

Further counselling against disinvestment from anti-corruption compliance and controls are numerous familiar and longstanding concerns that will remain irrespective of the ultimate impact of the Taskforce and the ongoing role of the U.S. in anti-corruption enforcement. These include the obvious reputational risks arising from allegations of bribery, as well as, among other things: (1) civil litigation or arbitration by private parties (e.g., business partners and shareholders) for, inter alia, securities law violations, breaches of contract, torts and civil RICO violations; (2) antitrust law issues; and (3) issues when dealing with auditors, international organisations – such as development banks – and other parties.

The promise and ambitions of the Taskforce are great, and its potential cannot be overlooked. Companies and their counsel will do well to prepare for continued anti-corruption enforcement, which is likely to look very different from – and proceed less predictably than – what professionals and practitioners in this space have become accustomed to in recent years.

 

Albert Stieglitz is a partner in the Washington, D.C., office of Alston & Bird, and a member of the firm’s white collar, government and internal investigations team. A former senior federal prosecutor with 13 years of experience at the DOJ, SFO and (UK) Financial Conduct Authority, he advises companies and individuals on anti-corruption investigations, litigation and compliance issues, as well as securities fraud and other complex and cross-border conduct.

Kelly Hagedorn is a partner in the London office of Alston & Bird, and a member of the firm’s privacy and cyber regulatory enforcement team. She defends clients in regulatory and enforcement matters in the E.U. and UK, and advises clients on incident response and white-collar investigations, litigation, and parliamentary investigations, particularly those involving data breaches, fraud and financial crimes, and securities laws.

Sophia Lekakis is a senior associate in the London office of Alston & Bird and a member of the firm’s international arbitration and dispute resolution team. She advises companies and individuals on complex cross-border disputes in the E.U., UK and other jurisdictions.

Given click-through training’s ease of deployment, scalability, and trackability, its status as a compliance mainstay seems unlikely to decline. Yet, for all of click-through training’s efficiencies, it can also be seen as a perfunctory check-the-box chore – click, pass and forget. To deliver and reinforce long-lasting behavioral change, click-through trainings need to be embedded within a broader compliance training framework that mixes asynchronous online learning with live learning (ideally, the in-person sort) and leadership engagement.

This third article in a three-part series discusses how companies can embed click-through compliance training into a broader program and offers suggestions for choosing the right training vendor. The first article addressed the merits and drawbacks of click-through training. Part two offered suggestions on customization and strategies for measuring effectiveness.

See “Compliance 5.0: A Culture-Centered Approach” (Jan. 17, 2024).

Where Click-Through Training Fits

Compliance training serves multiple purposes. The focus is often on fulfilling enforcers’ expectations and providing a good defense should an issue arise down the line. However, at its most basic, training is about relaying information to employees.

Compliance training is “a really important channel for communication,” Nitish Upadhyaya, director of behavioral insights at Ropes & Gray Insights Lab, told the Anti-Corruption Report. It is a significant way for companies to communicate their expectations of employees. “The training is really the voice of the company,” he said, and it “informs people about how the company does things.”

A well-designed compliance program “should be about more than just avoiding fines,” opined Andrea Falcione, chief ethics and compliance officer and head of advisory services at Rethink Compliance. “It should help to foster a culture where employees feel responsible for ethical decision-making.”

To that end, compliance training should encompass “a suite of tools, not a one-size-fits-all approach,” Christopher Annand, senior director of governance, data, and operations in the ethics and compliance office at Cargill, told the Anti-Corruption Report.

The impact of click-through trainings can be enhanced when it is integrated into a broader compliance training program that includes live learning and individualized content.

“The ultimate win in anti-corruption training is behavioral change,” Birkhold said. Indeed, when training resonates, when it is relevant, nuanced and supported, compliance evolves from being perceived as a burden on business to being a common goal.

Live Learning

Click-through training is most effective when a company has straightforward information it needs to impart to a wide base of employees. Because click-through training is not the best place for employees to work through trickier situations, live trainings, where employees can interact with their colleagues and knowledgeable leaders, are more impactful when there are more nuanced issues to be addressed.

Space for Discussion

Rather than just pushing out a single, or even a series, of static and mandatory click-through training modules, a company should enrich that “teaching-to-the-test” content with in-person, role specific and leader-led sessions that address real-world dilemmas but also provide space for a more nuanced discussion. Where questions and answers on a multiple-choice quiz often default to a “take-the-high-road” approach to any ethical or legal quandary, live sessions provide an opportunity to address situations that employees may find themselves in and offer practical, acceptable solutions that reflect the complexities of actual decision-making.

Synchronous sessions where employees are learning together, whether through small-group discussions or town halls, can reinforce lessons and foster greater understanding and trust. In an ideal scenario, learners should be provided the opportunity to practice what they learned from click-through training modules in post-training sessions, Upadhyaya suggested. “A company might consider presenting a scenario at a town hall a few months after a training,” he advised. It may also be “helpful to have a few people share stories of compliance challenges they faced,” he said.

A leadership-led discussion of compliance in a live forum with an opportunity for back-and-forth between speaker and learner signals that ethical behavior is not just policy but a priority.

Confronting Gray Areas

By moving beyond the sterility of a prerecorded lecture and multiple-choice questions with one “correct” answer and several distracters to choose from, compliance training that features a live component can delve into workplace compliance dilemmas that do not necessarily have black-and-white, either-or answers.

For example, Upadhyaya recalled a training program he helped develop where a sales leader shared a dilemma about meeting end-of-year targets and navigating a questionable deal. “It was coming up to the end of the year, and someone came to him with a proposal that was going to take them over the target,” he explained. The problem was that the proposed arrangement “also sounded a bit like a bribe. The salesperson was trying to navigate this tension between making the deal and meeting the target and not making the deal and not meeting the target.” Many sales teams have likely confronted similar situations. At a synchronous training, the salesperson “told the story authentically. He told the learners they would face pressures like this, too. That sort of training will stay in a learner’s mind,” he said.

Dynamic training where an iterative approach is taken can help learners articulate their discomfort and navigate uncertainty. “People can then have conversations where an employee might acknowledge some of the nuance as they carry out their job responsibilities, and they might identify areas where they are uncomfortable and issues that they might want to raise with the legal team,” Birkhold observed.

More nuanced live sessions that address a range of responses to any prospective workplace compliance quandary can be invaluable. “Training should actually help people make mistakes,” opined Upadhyaya. “It should give them a safe space in which to make errors so they do not make those errors in the real world.”

A Two-Way Exchange of Information

Because it is hard to determine what is really happening in the field when a compliance instructor is just squinting at someone on a Zoom screen, another “value of in-person training is the pull-asides afterward where someone tells you what is happening,” said Alexander Birkhold, a partner at ArentFox Schiff.

Upadhyaya agreed, noting that a drawback of click-through training “is its lack of genuine feedback from learners about the key risks that they are facing.” When there is a face-to-face get-together, “learners might approach the instructors afterwards and say, ‘I was confused about this thing,’ or ‘having heard that presentation, I am reflecting about whether or not I should have reported something,’” he observed. “That is what a company really should want out of the training.”

Where there is a live instructor in an actual physical environment, “the educator is providing information but also is learning information from employees,” Upadhyaya added. It can be a two-way street, with a compliance instructor imparting learning, and learners imparting important information. “The employees might talk about where they feel the least supported, and then a company can respond in a helpful way,” he posited.

See “Survey Finds Increased Value in Having a Culture of Compliance” (Feb. 26, 2025).

Individualized Content

One of the greatest complaints about trainings in general is that they are a waste of time. When a company rolls out a single click-through training to all employees at all levels in all departments, there is a significant risk that the training will be irrelevant to many audience members. “If compliance training is perceived as an annoyance, employees will be less likely to reach out when a problem arises,” cautioned Nicole Di Schino, executive creative director and principal consultant at Spark Compliance Consulting, a Diligent brand.

Making Trainings Relevant

To counter this, more companies are “thinking creatively about their compliance training and are looking for ways to make it more engaging and relevant,” Di Schino reported. She described creative materials she designed for a client that was hosting a workshop for its internal investigations team – a virtual investigation that combined click-through training and live training. “The ability to use branching logic, which is one of the strengths of click-through training, gave participants the ability to walk through an investigation in a more realistic way than if learners were just being handed files,” said Di Schino. She has also developed a game called Compliance Competitor, which can be facilitated in person or over Zoom. The game is scenario-based and requires participants to engage with each other, she said, which means mindlessly reading and clicking is not an option.

“The best way to educate people is to provide content that feels relevant to them, whether through examples, reading level adjustments, or interactive design,” Di Schino stressed.

A combination of custom click-through training and facilitated sessions training can reinforce a culture of transparency and present the compliance team as a helpful resource rather than a dreaded enforcer. “Online learning should be just one piece of a company’s training strategy,” Falcione advised.

See “30 Creative Ideas for Compliance Messaging” (Mar. 4, 2020).

Fostering Understanding With AI

“One of the primary drawbacks of click-through training is that a learner cannot talk back to their computer and say, ‘I did not understand that,’” Annand pointed out. “There is a risk that an employee can pass a training assessment but still misunderstand critical compliance information,” he noted. Because click-through training lacks real-time interaction, “employees who misunderstand concepts may not seek clarification.”

Artificial intelligence (AI) can provide some mechanized relief. “AI has the potential to improve training by offering chat-based assistance, similar to a modernized version of Clippy, the animated paperclip that used to provide help in Microsoft Word,” explained Annand. “With chat-based assistance, employees can ask for real-time explanations,” he added.

See our three-part series on AI for anti-corruption compliance: “Foundations” (Oct. 28, 2020), “Building a Model” (Dec. 2, 2020), and “Five Workarounds for Asymmetric Data Sets” (Feb. 3, 2021).

Timing Properly

One asset of online training is that it can be offered at the very moment it is most relevant. “Point-in-time” click-through training can be very useful in narrow circumstances “where an employee is actually experiencing a risk or facing some sort of issue,” opined Upadhyaya.

If, for example, an employee has to fill out a particular form, “a quick pop-up click-through training on how to fill out the form properly can be very effective,” Upadhyaya explained. “That is useful training in the moment where the learner can apply the content straight away,” he said.

“Training should not just be an annual or end-of-year event,” Forrest Deegan, a lecturer who teaches corporate compliance and business integration at the University of Chicago Law School, instructed. “If someone is booking international travel for work, send reminders about travel and expense training,” he suggested. “If someone is using a corporate credit card, send reminders about training on getting expenses approved,” he suggested. “If the company is responding to an RFP with an international element, that should trigger reminders about anti-corruption training,” he added.

Making It Memorable

No matter the form of compliance training, the experience should be one where “participants feel that their time has been well spent,” advised Upadhyaya. By providing a worthwhile training experience, “a company creates a much more receptive audience for future compliance communications.” That can be achieved by making training relevant and entertaining.

Upadhyaya pointed to training innovations by well-known tech leaders, noting that “Microsoft and Meta [formerly known as Facebook] created some Netflix-style training involving episodes where characters faced real moral dilemmas, and people were tuning in regularly to find out what happened.”

Microsoft introduced “videos with characters that are semi-beloved,” Birkold observed. “The training is hyper-tailored and highly produced,” he observed, “which indicates that someone who is a Microsoft employee sees not only the investment in the training but the effort to make training engaging and relatable.” The company has managed to make training fun, and, as a result, “Microsoft has helped shape its compliance culture through its training.”

See “How Ericsson Made Compliance Training Must-See TV” (Mar. 12, 2025).

Considering Test-Out Options

Of course, not everyone has Microsoft money to develop a streaming miniseries. Organizations with more modest budgets can still be respectful of employees’ time and intelligence by offering test-out options so a learner who has retained a training’s content does not have to retake it as a “refresher” every year.

“With any anti-corruption training or code of conduct training program, a company should establish a baseline through a foundational course that covers all relevant aspects,” Deegan said. “As a program matures, long-tenured employees will have a track record of completing training,” he noted. Providing a quiz at the start of a course that allows experienced employees to skip content “boosts engagement and makes employees feel respected,” he suggested. “If people feel that they have an opportunity to get back 30 minutes of their day, they feel that they have gotten a little win,” he said, which “can be a compelling motivator to perform well on a compliance quiz.”

As a lawyer, Falcione acknowledged being “a little averse” to a test-out option. A perhaps more palatable approach is to provide an initial foundational training and then, two or three years later, “present learners with a challenging test upfront,” she suggested. Depending on the learner’s score, “they will be routed to more content or to less content or, in some cases, no content except for a thank-you message indicating the learner knows the information,” she explained.

Choosing a Vendor

Integrated into a comprehensive training plan, click-through training can be a powerful tool for setting employee expectations, but not all click-through trainings are created equal. Choosing the right vendor – with the right content, delivery system and price point – is critical.

Understanding Internal Limitations

The first step in choosing a vendor is to understand any internal limitations on how content can be distributed to employees.

For many compliance teams, the learning management system through which a compliance training is deployed may be predetermined – which, in turn, may limit vendor choice as well as restrain flexibility in training format.

“There are a lot of situations where compliance departments get shoehorned into using a particular training platform because other departments in the company are using it,” Di Schino observed.

Taking Vendor Size Into Account

When considering vendors, it is important to consider the benefits of larger operations as well as small outfits.

“Large vendors offer extensive content libraries and streamlined deployment, while smaller vendors provide more customization and flexibility,” noted Deegan.

Bigger, established vendors “offer extensive features and professional-quality training, but smaller vendors can provide more flexibility and cost-effective customization,” Annand concurred.

For large companies in search of training for large workforces, a large vendor may be able to offer much-needed consistency and infrastructure. “Generally, for the larger, broad-based courses that are going to a wide audience, I will choose a larger partner because I know they are going to be around, and I understand their pricing model,” Annand shared. “A larger partner will be able to offer some features that smaller shops will not be able to offer,” he observed. “Smaller vendors might excel in a particular area for a course that is more targeted,” he said.

Testing for Freshness

No matter the size of a vendor, one should consider how current the vendor’s offerings are. “Over time, a vendor’s training platforms can feel outdated,” said Annand. Even a training with up-to-date content can seem stale if presented in the same format year after year. “A training created by a vendor should not have the same look as it did five or 10 years ago,” he cautioned. “It is important for vendors to periodically refresh content and visuals to maintain engagement.”

Negotiating Wisely

Understanding what is negotiable can help a compliance team obtain better value and avoid unpleasant surprises.

First, it is important to understand how each vendor’s pricing works and what is included in that price. “When negotiating with a vendor, understand if licensing is a piece of the price,” said Annand. “Licensing models can be tricky,” he cautioned. “Some vendors charge per user,” Annand explained. Thus, “it can be helpful to clarify early on whether the price a company will be paying to a training platform is an overall contract price for the development of a training course” or a license to provide the training to a certain number of users.

From a buyer’s perspective, “if a company is hosting a course on its own learning management system and is fielding all of the questions that the course might generate, it seems unfair to have to pay for additional licenses,” Annand maintained. In his view, whether five people or 500 people are taking a course, “the fee for the development of the course should be the same.” Nevertheless, in his experience, licensing models have been prevalent, he said.

It is also important to think about whether content updates are included in the price. “One of the biggest vendor negotiation lessons I learned is to clarify update policies,” Annand recalled. Find out how often training content can be updated and what additional costs are associated with those updates, he suggested.

See “MGM’s Approach to Compliance Messaging: An Updated Code, Engaging Training and Unique Messaging” (Nov. 28, 2018).

In February 2025, President Donald Trump and AG Pam Bondi signaled that the direction of criminal FCPA enforcement is changing.

On February 5, 2025, AG Bondi issued a memorandum (Bondi Memo) directing the DOJ, in part, to prioritize FCPA investigations related to cartels and transnational criminal organizations. Cases without such connections would be deprioritized.

On February 10, 2025, President Trump issued an executive order (FCPA EO) pausing all FCPA investigations and enforcement actions by the DOJ for 180 days. According to the FCPA EO, “overexpansive and unpredictable FCPA enforcement against American citizens and businesses . . . not only wastes limited prosecutorial resources that could be dedicated to preserving American freedoms, but actively harms American economic competitiveness and, therefore, national security.” The FCPA EO directs AG Bondi to review FCPA enforcement guidelines and ongoing cases in order to prioritize American economic interests and competitiveness.

These are uncertain times for criminal FCPA enforcement, and this uncertainty is particularly acute for companies with ties to China. The broad jurisdictional reach of the FCPA has meant historically that companies with commercial ties to China and jurisdictional ties to the United States were prime targets for FCPA enforcement. As FCPA enforcement increased dramatically, beginning around the early 2000s, the DOJ and SEC took particular interest in China. To date, there have been more FCPA enforcement actions relating to China than to any other country.

While the FCPA EO has temporarily “paused” FCPA enforcement, foreign companies subject to FCPA jurisdiction – and, in particular, companies with operations in or ties to China – must not assume that the era of aggressive FCPA enforcement is over. As the FCPA EO specifically directs the AG to protect “American citizens and businesses,” the FCPA seems poised to remain a powerful tool that the U.S. government can wield against foreign businesses to promote U.S. policy interests.

See this two-part series on the FCPA executive order: “The Future of U.S. Enforcement” (Mar. 12, 2025), and “Staying the Course in the Face of Continued Risk” (Mar. 26, 2025).

Foreign Companies and China: Consistent FCPA Targets

Many of the largest FCPA settlements have involved foreign-headquartered corporations. Notable settlements have included Mobile Telesystems Pjsc ($850 million in 2019), VimpelCom Ltd. ($795 million in 2016) and Alstom S.A. ($772 million in 2014). Moreover, China has consistently been a key theme in FCPA enforcement.

More FCPA enforcement actions (75) have involved conduct in China than any other country. Between 2015 and 2024, for example, there were almost twice as many actions (44) involving China than the next most-implicated country, Brazil (24).

The long-standing FCPA enforcement focus on China reflects the scale of multinational corporate activity in the country, the perceived extent of corruption, the scope of state involvement in the domestic economy, the fact that employees of state-owned enterprises and instrumentalities are considered “foreign officials” under the FCPA (even in purely commercial business contexts) and the prevalence of third-party intermediaries. In a country like China, where a significant percentage of business transactions may involve state-owned or controlled counterparties and/or intermediaries, FCPA risk increases significantly. Early landmark cases set the tone for expansive FCPA enforcement in China. For example, Siemens AG’s 2008 resolution remains one of the largest in FCPA history, totaling over $1.6 billion globally. While the corruption spanned multiple countries, the conduct in China was emblematic: systemic use of intermediaries and off-book accounts to funnel bribes to government officials to win infrastructure and industrial contracts. The Siemens case ushered in a new era of FCPA enforcement, marked by broad investigations and coordinated international settlements.

Subsequent years saw a steady stream of China-focused cases, often tied to the healthcare sector. GlaxoSmithKline’s 2016 $20‑million SEC settlement highlighted how pharmaceutical companies were using travel and entertainment spending to improperly influence prescribing behavior among doctors at state-run hospitals. Philips’ 2023 $62‑million resolution focused on bribery risks tied to tender processes and distributor relationships in the medical device industry. In both cases, improper payments were routed through third parties or masked as legitimate business expenses. Books and records violations played a central role.

More recent cases, such as Albemarle’s 2023 $218‑million resolution, and Clear Channel’s $26‑million settlement the same year, demonstrate how enforcement expanded beyond life sciences into sectors like chemicals and advertising. Meanwhile, the SEC’s 2023 action against 3M for paying for overseas trips for Chinese officials underscores that even relatively modest benefits can trigger enforcement when coupled with poor internal controls. Although not solely focused on China, the 2024 BIT Mining case illustrates how companies with substantial Chinese operations may still be exposed to U.S. enforcement risk even when the alleged bribery schemes extend into other countries.

Together, these cases illustrate a pattern: China’s regulatory environment, coupled with diffuse distribution networks and the common use of third-party intermediaries, as well as frequent interactions with state-linked entities, has made China a hotbed for FCPA enforcement. Companies cannot afford to treat China as just another high-risk jurisdiction. They must build robust compliance programs specifically calibrated to the country’s unique business environment.

See “The Emperor Is Far Away: The Evolving Nature of Third-Party Risk in China” (Sep. 9, 2015).

The Trump Administration’s China Focus

To understand where China-related FCPA enforcement may be headed, one should begin with the Trump Administration’s broader national security and economic focus on China. This focus began during President Trump’s first term, including under the DOJ-led “China Initiative,” which was aimed at countering perceived national security threats from the Chinese government. Launched in 2018, the China Initiative focused particularly on economic espionage, intellectual property theft and infiltration of U.S. research institutions – but was formally ended under the Biden administration in 2022.

Since taking office again, President Trump has continued to signal that countering Chinese economic and military influence is a top priority of his administration. While no formal announcement has been made regarding a China Initiative revival, the Administration is nevertheless poised to maintain a broad and aggressive national security focus on China. This focus is likely to involve scrutiny of technological and academic collaboration, restrictions on China-related investments, and a push for still-tougher export controls, sanctions and tariffs.

The use of sanctions, export controls and tariffs as enforcement tools against China undoubtedly will intensify as part of a broader Trump Administration strategy to confront Beijing on a range of issues. The U.S. expanded its use of the Treasury Department’s Specially Designated Nationals list during Trump’s first term, as well as in the subsequent Biden Administration, to target a host of Chinese officials and entities engaged in conduct deemed detrimental to U.S. interests. Simultaneously, the Commerce Department tightened export controls on advanced technologies – especially semiconductors and AI-related components – effectively limiting China’s access to cutting-edge U.S. technology. The imposition of China-related sanctions, export, investment and supply chain controls appears to be accelerating under Trump’s return to office, coupled with aggressive China-related tariff measures as part of the April 2, 2025, “Liberation Day” tariffs announcement.

See “The Developing Anti-Corruption Battle Between the United States and China (Mar. 20, 2019); and “Revisiting the China Initiative: Will the Focus on FCPA Prosecutions of Chinese Companies Produce Results? (Jul. 10, 2019).

Foreign Companies Should Remain Vigilant

Given the Trump Administration’s strategic focus on China, it seems likely that China-related FCPA enforcement will not be abandoned. The FCPA EO and Bondi Memo potentially mark a significant shift in the federal government’s approach to criminal FCPA enforcement, which reflects this administration’s “America First” strategic emphasis on protecting U.S. national security and economic interests, including several other executive orders designed to prioritize American interests in international trade and tax. As stated expressly in the FCPA EO, however, the Trump Administration’s pause on criminal FCPA enforcement is focused on protecting “American citizens and businesses,” “American freedoms” and “American economic competitiveness.” No similar priority is expressed for foreign businesses or those with ties to China.

Given the Trump Administration’s “America First” approach to FCPA enforcement, companies with cross-border operations are well-advised to continue identifying and mitigating bribery and corruption risk for many reasons. This is particularly true of companies with operations in or links to China.

Avoiding Future FCPA Issues

The FCPA EO’s “pause” in criminal FCPA enforcement is temporary. Only time will tell how the DOJ ultimately revises its approach to FCPA enforcement. In the meantime, the FCPA is still valid law, with limitation periods that exceed a presidential term (and which can be tolled for even longer based on a variety of factors). Additionally, it remains to be seen whether SEC civil enforcement will change and, if so, in what ways.

Moreover, the FCPA has been a moneymaker for the U.S. government. The DOJ and SEC have collected over $32 billion from entities and individuals since the statute’s enactment, and a significant percentage of these cases involved foreign companies and China. Even if the Trump Administration were to stop all FCPA enforcement against U.S. persons going forward – which seems unlikely – it might be loath to give up the political and economic benefits of penalizing foreign companies that pay bribes to obtain undue commercial advantages over their American competitors.

Avoiding Other Criminal Liability

The conduct underlying FCPA violations may violate U.S. fraud, racketeering, money laundering and other laws, meaning that federal prosecutors might still have an avenue – other than the FCPA – to bring foreign bribery cases under federal statutes.

Additionally, bribery and corruption are often illegal in foreign jurisdictions. Even if U.S. criminal enforcement declines, foreign regulators – such as the U.K.’s SFO and French Parquet National Financier – have ramped up their own investigations.

Business Sense

There are strong business reasons to prevent bribery, as well.

The corporate compliance infrastructure developed historically for FCPA compliance – in particular, the internal controls, compliance resources and testing mechanisms – are still critical for global businesses faced with U.S. sanctions, export controls, data privacy, data security and other national security risks.

Additionally, the payment of bribes can have significantly adverse commercial and reputational impact on a business, and may violate contractual terms with investors, business partners and other third parties.

Finally, a company’s board of directors still has a fiduciary obligation to implement effective reporting systems and compliance controls to monitor, assess and document significant risks to the business, including global corruption risks.

Unique Challenges for Foreign Companies

As foreign companies – including those with ties to China – evaluate their ongoing FCPA enforcement risks, it is important to recognize that FCPA compliance can be challenging for any company. Even the DOJ and SEC note in the “Resource Guide to the U.S. Foreign Corrupt Practices Act” (FCPA Guide), a joint DOJ and SEC publication first released in 2012 and updated in 2020, that “no compliance program can ever prevent all criminal activity by a corporation’s employees.” The FCPA Guide further notes that the DOJ and SEC “do not hold companies to a standard of perfection.” Even so, the challenges of FCPA compliance are often greatest for foreign companies.

Compliance Challenges for Foreign Companies

FCPA compliance challenges can be significant for foreign companies for many reasons. These companies may exist within business cultures where it is common, for example, to build personal relationships with government officials through gifts or hosted events that could be prohibited by the FCPA. They may not be as familiar or comfortable as their American peers with the significant commitment to resources and personnel needed to maintain an effective corporate compliance program. Foreign employees may find it difficult to understand why their conduct in a foreign country is subject to U.S. law. In addition, foreign companies may have extensive operations in countries that, like China, have data privacy, cybersecurity, national security and other regulations that restrict a company’s ability to comply with U.S. regulators’ inquiries and demands. Companies with exposure to both Chinese and U.S. regulators, for example, may find themselves “between a rock and a hard place” as they attempt to comply with potentially conflicting legal requirements. None of these factors is an excuse for FCPA violations, of course, but the reality is that foreign companies have posed a rich target for FCPA enforcement historically because of such factors.

See “Navigating Recent Changes to China’s Data Privacy Laws in Internal Investigations” (Jun. 5, 2024).

FCPA Guide

Despite the challenges, foreign companies exposed to FCPA jurisdiction are well-advised to keep investing in compliance programs that meet international standards. For now, the FCPA Guide continues to define U.S. government expectations with respect to FCPA compliance programs. The FCPA Guide emphasizes that “the adequacy and effectiveness of a company’s compliance program at the time of the misconduct and at the time of the resolution” are key factors used to determine penalties in enforcement actions. The FCPA Guide (along with other DOJ and SEC guidance) also makes clear that a robust anti-corruption compliance program is a baseline expectation of companies facing corruption risk.

See “China and India Pose Compliance Challenges With Legal Shifts” (Apr. 24, 2024).

ECCP

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP), most recently updated in 2024, provides further guidance to companies looking to maintain effective compliance programs. The ECCP is a guidance document used by prosecutors to assess the effectiveness of a company’s compliance program when making charging and penalty decisions in corporate criminal cases. Originally released in 2017, the ECCP was significantly updated in June 2020 and most recently revised in September 2024.

The ECCP establishes a framework for assessing how effectively a corporate compliance program works in practice, with more recent updates emphasizing areas such as how companies manage the use of personal devices and messaging apps, the role of compensation structures in promoting compliance, and the integration of artificial intelligence and other developing technologies into compliance monitoring.

For companies doing business in or with high-risk jurisdictions like China, the ECCP is critically relevant – it outlines DOJ expectations around risk assessment, third-party management, and how companies are expected to detect and respond to misconduct in challenging legal and regulatory environments.

See this three-part series on the DOJ’s 2024 edits to the ECCP: “Some History and AI Expectations“ (Nov. 6, 2024), “Data Analytics to Find Risks and Measure Effectiveness“ (Nov. 20, 2024), and “Speaking Up, Compliance Resources and Lessons Learned“ (Dec. 4, 2024).

What Comes Next?

While Trump Administration directives indicate that changes are coming to criminal FCPA enforcement, they do not suggest that companies should de-emphasize anti-corruption compliance. To the contrary, foreign companies operating in both China and the U.S. may actually need to give heightened scrutiny to FCPA compliance given the Trump Administration’s focus on the prioritization of American economic interests and national security – as well as bipartisan efforts in Congress to enhance trade enforcement laws, signaling a rare U.S. government consensus regarding the strategic threats posed by China. Given the U.S. government’s focus on China, it seems likely that any “pause” in FCPA enforcement may be limited with respect to companies –especially non-American companies – doing business there.

Even if AG Bondi concludes that FCPA enforcement has unfairly disadvantaged American companies’ global business efforts, the FCPA can still provide the Trump Administration with a powerful weapon to counteract China’s global economic influence by targeting foreign entities engaged with China in a manner deemed adverse to U.S. economic interests. Foreign companies – and companies with links to China – should thus remain vigilant in their compliance efforts, as they may still present attractive enforcement targets for the DOJ and the SEC. Foreign persons and companies with links to China are likely to face rigorous examination under various regulatory frameworks, including the FCPA. In this environment, a thoughtful approach to anti-corruption compliance and a careful monitoring of U.S. policy developments will be essential.

 

Adam Goldberg is a partner in Pillsbury’s San Francisco office. Resident in Hong Kong for over a decade and fluent in Mandarin Chinese and Spanish, his practice focuses on cross-border corporate investigations and disputes involving Asia and Latin America, compliance program building, and white-collar crime. Adam has defended dozens of DOJ and SEC FCPA investigations, and has been involved in four FCPA monitorships.

Richard Donoghue, Pillsbury’s corporate investigations & white collar defense practice group co-leader, is a partner in Pillsbury’s New York office. A former Acting Deputy AG of the United States, U.S. attorney for the Eastern District of New York and senior official in the DOJ, Rich oversaw the entire DOJ prior to joining Pillsbury, including its litigation and law enforcement divisions, and supervised 94 U.S. Attorneys’ Offices.

Internal reporting mechanisms enable employees to bring business- and workplace-related issues to the attention of their organizations. Each year, NAVEX, a provider of risk and compliance management software, analyzes the incident reports and inquiries logged by its customers. It studies reporting and substantiation rates, reporting mechanisms, report outcomes, reporting by risk category, anonymous reporting and other metrics, as well as changes in those metrics over time. The NAVEX 2025 Whistleblowing and Incident Management Benchmark Report (Benchmarking Report) indicates that incident reporting remains at a record-high level – and more reports are being substantiated. This article distills those and other key findings from the Benchmarking Report and the insights offered during a related webinar featuring Carrie Penman, chief risk and compliance officer at NAVEX; Jane Norberg, partner at Arnold & Porter and former Chief of the SEC Office of the Whistleblower; and Anders Olson, senior manager of the NAVEX data science team.

See “NAVEX Study Finds Record Level of Incident Reports and Substantiated Claims” (Jun. 5, 2024).

NAVEX Dataset and Methodology

The dataset that forms the basis for this year’s report includes a record 2.15 million reports (Reports) received in 2024, up from 1.86 million in 2023. The data encompasses a record 4,077 organizations, up from 3,784 in the prior year, noted Olson. Those organizations had about 69 million employees. Retail, healthcare and finance/insurance remain the top three industries represented.

The Reports were made either by hotline (29%), via the web (33%) or by “other” means (37%), a category that includes walk-in reports, emails and letters. Four-fifths of the Reports were from North America.

The six categories covered in the Benchmarking Report are the same as last year:

1. accounting, auditing and financial reporting (accounting);
2. business integrity, which includes bribery and corruption as a subcategory (business integrity);
3. workplace conduct (previously called human resources, diversity and workplace respect);
4. environment, health and safety (EHS);
5. misuse or misappropriation of assets (misappropriation); and
6. other.

As in its other studies, to ensure statistical accuracy, NAVEX only included organizations that received at least 10 Reports in 2024. Additionally, the Benchmarking Report often uses the median data point in a dataset rather than the average data point. Use of medians provides metrics that are comparable regardless of an organization’s size. They are less affected by outliers, which are likely to occur in such a large sample size, explained Olson.

No Change in Reports per 100 Employees

“Report volume remains at record levels for the second year in a row,” noted Penman. There were a median 1.57 Reports per 100 employees, the same as the record level in 2023. However, the middle 50% of the distribution narrowed slightly toward the median, she observed.

Report volume depends on how NAVEX customers use their systems, continued Penman. Some capture only web and hotline Reports. Not surprisingly, organizations that track all three sources – web, hotline and “other” – had a median of 2.21 Reports per 100 employees, versus just 1.04 per 100 for organizations that track only web and hotline. Companies that do not track all three could be missing valuable data points, she added.

The smallest organizations – those with less than 2,500 employees – had by far the highest median volume of Reports. They had 3.11 Reports per 100 employees, roughly in line with last year. At the other end of the spectrum, the largest organizations – those with more than 100,000 employees – had 1.24 Reports per 100 employees, a 10% increase in volume over the prior year.

See “Addressing Employees’ Perception That Internally Reporting Compliance Violations Is Futile” (Aug. 10, 2016).

Web Reporting Overtakes Hotlines

The median reporting value of web Reports was 58%, versus 26% for hotline Reports and 23% for “other” Reports. For the first time, however, the frequency of web reporting (33% of all Reports) was greater than hotline reporting (29%). “Other” Reports remained the most frequent overall (37%). This reflects that employees want a variety of ways to report. Thus, it is advisable to make multiple channels available, according to Penman.

The web remains the most common vehicle for anonymous reporting, with a median of 71%, versus 50% for hotlines and just 2% for “other” Reports. Even though anonymous web Reports are most common, they are also the most likely to be substantiated, according to Penman.

See “Speak-Up Technology: Can It Move the Needle on Workplace Culture?” (May 10, 2023).

Inquiries Versus Allegations

Most Reports (92%) were “allegations” of various types of potential misconduct; and the remaining 8% were “inquiries,” roughly in line with last year. The proportion of Reports consisting of inquiries has declined steadily since 2019, when they accounted for 15% of all Reports.

Inquiries can provide valuable insights because they may be the precursors to allegations, said Penman. For example, a person who asks about a company’s conflicts of interest policy may later report the problematic behavior that prompted the inquiry. Tracking inquiries can also help organizations understand where employees need more clarity on compliance matters, added Olson. More than half of the inquiries in the Benchmark Report involved compensation/benefits or conflicts of interest. The next eight most frequent inquiries concerned:

• health and safety;
• data privacy and protection;
• confidential and proprietary information;
• bribery and corruption;
• harassment;
• accounting;
• misappropriation; and
• substance abuse.

A Decrease in Anonymous Reporting

Just over half of all Reports (54%) were made anonymously. That proportion has been declining steadily since 2009, when 65% were anonymous. The median reporting value of anonymous Reports ranged from 50% for accounting and “other” Reports, to 60% for EHS and misappropriation Reports. Workplace conduct Reports are the most likely to be reported anonymously. Thirty-eight percent of bribery and corruption Reports were anonymous.

As in 2023, the overwhelming majority of anonymous Reports were made either via the web (71% median) or hotline (50% median). Generally, larger organizations had somewhat lower median rates of anonymous reporting than smaller organizations.

“The follow-up rate to anonymous reporting remains terribly low,” said Penman. For the past few years, it has hovered at around 26%, down significantly from a high of 36% in 2019. “This is an opportunity to remind employees, as part of your training, that it is okay to report anonymously, but please stay engaged and please check back,” she advised.

Anonymous reports can be challenging to address, because the reporting person might not provide enough information, noted Norberg. Regardless of how much information a company receives in a report, the company should carefully document how it handled the matter. For example, it could document that it received a report, investigated to the extent it could and then hit a dead end because it did not have access to the person who reported.

See our two-part series taking a fresh look at hotlines: “Responding to a Global Focus on Whistleblowers” (Sep. 2, 2020), and “Fostering a Speak-Up Culture and Leveraging Data” (Sep. 16, 2020).

Workplace Conduct Remains Biggest Risk Area

When viewed by risk category, reporting is relatively consistent year over year, said Penman. Workplace conduct Reports continue to account for about half of all Reports. The five most frequently reported subcategories of workplace conduct Reports were civility, discrimination, health and safety, conflicts of interest, and data privacy and protection, each accounting for between roughly 5% and 8% of total workplace conduct Reports. Nearly half of workplace civility Reports were substantiated, she noted.

During the pandemic year of 2021, there was a median of 8.7% for EHS Reports, which fell to 6.1%. Within that category, “imminent threat to a person, animal or property” increased to a median of 1.53%, the highest in four years – and had a substantiation rate of 90%. It is “unfortunately, a very important risk type and one to take very seriously,” said Penman.

The median reporting value of bribery and corruption Reports was 2.28%. Such Reports accounted for just 0.50% of all Reports, down from a four-year high of 0.69% in 2022. Median accounting Reports have fallen from 5.1% in 2021 to 4.3% in 2024.

Substantiation Rates Rising

NAVEX examined the number of Reports containing allegations that organizations closed after investigation as being either partially or fully substantiated. The overall median substantiation rate hit an all-time high of 46%, up from 36% in 2012.

Over the past four years, the median substantiation rate for each of the six main risk categories has either increased or stayed the same. In 2024, the median rates were:

• EHS – 57%;
• misappropriation – 56%;
• accounting – 50%;
• business integrity – 50%;
• workplace conduct – 40%; and
• other – 33%.

In each category, median substantiation rates were unchanged year over year, with the exception of misappropriation, which rose six percentage points. The two most commonly substantiated Reports included imminent threats to a person, animal or property (90%), and insider trading (80%). Thirty-nine percent of bribery and corruption Reports were substantiated. At the opposite end of the spectrum, just 18% of retaliation Reports were substantiated – the lowest by a wide margin.

The median overall substantiation rate of “named” (i.e., not anonymous) Reports was 50% in both 2023 and 2024, up from 46% in 2021. The median for anonymous Reports was 34%, up from 33% in each of the past three years.

The median substantiation rate for hotline Reports has held steady at 33% over the past four years. The median for web Reports has risen to 40% from 37% in 2021. The median for “other” Reports is 61%, versus 53% in 2021. Companies should ensure they track “other” Reports, which have a high probability of being substantiated, noted Penman.

Case Closure Times Continue to Fall

Median case closure times have fallen from 24 days in 2021 to 21 days in 2024. However, the range of closure times has expanded, meaning that there are some Reports that are taking longer to close, noted Penman. A significant proportion of Reports in each of the six risk categories took more than 100 days to close, ranging from 10.7% of misappropriation cases to 21.7% of accounting cases. Bribery and corruption Reports took a median 92 days to close, by far the longest of any risk type. There was no difference in closure time between anonymous and named Reports, she added.

Additionally, the percentage of Reports closed on the same day that they were opened has grown significantly year over year to roughly one-quarter of Reports, versus less than one-fifth last year. It is possible that some are closed because companies have moved them to a different system – not because they have been resolved, noted Penman. When companies do transfer Reports internally, they should continue to track them to ensure they are addressed.

As in 2023, there was a “median of medians” of eight days between incident and Report and a “median of means” of 25 days. The much higher median of means value reflects the significant impact of outliers in the dataset. The median and mean days between incident and Report were highest for accounting Reports (16 and 25 days, respectively) and lowest for EHS Reports (four and eight days, respectively).

Report Outcomes

Navex’s system can trace cases from their initial report through final resolution, which reveals some interesting trends.

Separations Increase, Other Discipline Declines

Although “discipline” remained the most common outcome of substantiated Reports, its frequency has declined in each of the past four years, from 35.7% in 2021 to 30.7% in 2024. Policy change as an outcome also declined during that period, from 10.2% to 7.6%. In contrast, the frequency of separation (termination of employment) has risen during that period from 12.4% to 20.2%. Just over half of substantiated misappropriation Reports resulted in separation, noted Penman.

A significant proportion of substantiated Reports in each of the six risk categories resulted in “no action,” including about one-fifth of business integrity and “other” Reports, and 17% of accounting and EHS Reports. Additionally, the smallest organizations took no action in nearly 42% of substantiated Reports, versus not more than 16% of other organizations.

See our three-part series on employee discipline for anti-corruption issues: “Predictability and Consistency in the Face of Inconsistent Laws” (Nov. 1, 2017), “Investigation and Documentation to Smooth the Discipline Process” (Nov. 15, 2017), and “Due Process for a Just and Effective System” (Nov. 29, 2017).

Rising Retaliation-Related Risk

The median reporting rate for retaliation was 3.08%. It has increased in each of the past four years. However, just 18% of retaliation Reports were substantiated, observed Penman. Moreover, 45% of such substantiated Reports did not result in discipline or termination of employment – and nearly 14% resulted in no action.

These results are surprising because, in most companies, retaliation is a violation of the code of conduct, which usually results in some form of discipline, noted Norberg. Retaliation is “a huge risk” for companies. First, there is risk of litigation. Second, it may cause other employees to distrust the system, making them less likely to report internally – and more likely to report to a government agency. Companies must do thorough investigations of claims of retaliation, even when they come from employees with less than stellar track records.

See “Whistleblower Protection and Compliance: A Comparative Study of the United States and Japan” (Jul. 31, 2024).

Third-Party Reports

As it did last year, NAVEX examined Reports filed by individuals outside the subject organization. In 2024, about one-tenth of Reports were filed by third parties, versus 82% by employees and 8% by individuals whose relationship was not known.

The median reporting value for web Reports by third parties was 65%, versus 60% for employees. The medians for hotline and other Reports were 50% and 25%, respectively, versus 33% and 19%, respectively, for employee Reports. Median web reporting by third parties increased modestly over 2023. Reporting via hotline remained flat and “other” reporting fell modestly.

A median 44% of Reports by third parties were anonymous, versus 57% for employee Reports. A median 33% of third-party Reports were substantiated, versus 45% for employee Reports. Both anonymous reporting and substantiation findings were consistent with the 2023 findings. With respect to substantiated Reports, separation was a more common outcome for employee Reports (17.6%) than third-party Reports (9.1%), while “no action” was more common for third-party Reports (17.2%) than employee Reports (10.5%).

Differences Among Organizations

For the first time, NAVEX categorized the organizations in the dataset as either public companies, private companies, government organizations or educational organizations. Public and private companies make up most of the dataset, noted Penman. Government organizations are mostly state and local entities.

Government organizations had a median 2.38 Reports per 100 employees, versus 1.80/100 at private companies, 1.10/100 at public companies and 1.41/100 at educational organizations. Reports to government organizations, private companies and public companies were relatively evenly divided among web, hotline and other media. In contrast, about 60% of Reports to educational organizations were made via the web.

The median substantiation rate at private companies was 50%, versus 43% at public companies and just 39% and 40%, respectively, at educational and government organizations.

Private companies imposed discipline or separation in about 49% of substantiated cases, versus about 55% for public companies and less than one-third for educational or government organizations. On the other hand, private companies took no action in nearly 17% of substantiated Reports, versus roughly one-tenth of each other type of organization.

Risk From Whistleblowers Remains High

Whistleblowers a “Force Multiplier” for SEC

The SEC’s whistleblower program has been a “force multiplier” for the agency since its 2011 inception, Norberg said. As of end of September 2024, it had received more than 93,000 tips from inception, including about 11,000 in fiscal 2024 and 12,000 in 2023.

Critically, as of 2020, 75% of employees who reported to the SEC and received an award had reported internally first, cautioned Norberg. Although it is hard to know precisely what happened, it is likely that someone at those companies knew a problem existed and the company missed the opportunity to investigate, address the issue and possibly self-report.

Additionally, the SEC has brought 39 actions involving whistleblower protections, including five for retaliation against whistleblowers and 34 for impeding communications with the SEC, Norberg explained. The SEC expects confidentiality agreements to have carve-outs for government reporting.

See “2024 SEC and CFTC Whistleblower Reports Reflect Continuing Vitality of Programs” (Jan. 29, 2025).

DOJ and FinCEN Programs

In 2024, the DOJ’s Fraud Section announced a whistleblower rewards program. It is intended to fill gaps in other programs, according to Norberg. Consequently, if a whistleblower is entitled to an award from the SEC, Commodity Futures Trading Commission (CFTC) or Financial Crimes Enforcement Network (FinCEN), the whistleblower will not be eligible for a DOJ award. The DOJ program was targeting FCPA violations and certain money-laundering schemes. To date, the DOJ has probably received about 200 tips.

FinCEN also has a whistleblower program that mirrors the SEC’s, added Norberg. Although it does not yet have final rules in place, it is receiving tips and can still pay awards. It is important for compliance professionals, board members and executives to be aware of whistleblower regimes “because if an employee doesn’t feel heard internally, they can easily turn around and report to these programs externally,” she said.

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

Tips for 2025

Use Data Proactively

“Looking backwards at your data is very helpful, but it is really not sufficient,” said Olson. Organizations should take a more proactive stance, identify new vectors for growing risks and identify emerging reporting trends.

Organizations should pay attention to increases in same-day Report closures, advised Penman. Compliance must stay on top of cases, even when they are referred to other areas. Additionally, organizations should not lose sight of workplace culture indicators tied to the workplace conduct risk category.

Whistleblowers, DEI and Retaliation Matters

“Whistleblowers are not going away,” cautioned Norberg. The SEC and CFTC programs were put in place by Congress and are unlikely to disappear despite political upheaval. Moreover, regardless of politics, few people oppose efforts to report harm to individual investors or pensions. Although all new administrations have their own priorities, the whistleblower laws remain on the books.

Although FCPA enforcement may be scaled back by the Trump administration, organizations should not be complacent, Norberg warned. If organizations fail to maintain robust compliance programs, conduct internal investigations and remediate issues, they could be in the hot seat four years from now under a different administration. They should enable employees to report without fear of retaliation and investigate and take seriously tips regarding retaliation.

Finally, given the new administration’s hostility to diversity, equity and inclusion (DEI) initiatives, organizations should think about how they will respond to DEI-related reports, advised Norberg.

Share Data With Employees

“I do think it is important to share some statistics with employees,” Penman said, so that employees know that the company has received complaints and is doing something about them. For example, a company might provide information on substantiation rates and state that it has taken appropriate action up to and including termination of employment on such matters. How much detail to share depends on an organization’s own circumstances.

See our two-part series on the FCPA Executive Order: “The Future of U.S. Enforcement” (Mar. 12, 2025), and “Staying the Course in the Face of Continued Risk” (Mar. 26, 2025).

Compliance, once a function that followed innovation – auditing, correcting and controlling – must now move ahead of it. The paradigm is shifting as organizations transition from responding to regulatory demands to embedding compliance directly within product design, development and delivery. That shift is not just philosophical – it is operational.

This article discusses how compliance must evolve from an oversight function into a foundational enabler and includes practical steps for shaping the way compliance teams achieve that goal.

See our AI Compliance Playbook: “Traditional Risk Controls for Cutting-Edge Algorithms” (Jun. 23, 2021), “Seven Questions to Ask Before Regulators or Reporters Do” (Jul. 21, 2021), and “Adapting the Three Lines Framework for AI Innovations” (Aug. 4, 2021).

The Industry Is Shifting Faster Than Compliance

The digital economy is evolving at breakneck speed. Artificial intelligence (AI), real-time services, decentralized platforms and product-led innovation are becoming the primary drivers of value and growth. In this reality, where consumer expectations and regulatory scrutiny evolve in parallel, traditional models of compliance are increasingly misaligned.

The move from reactive to proactive compliance parallels a broader business evolution. AI is enabling exponential gains in speed, decision-making and operational efficiency. But the introduction of AI across the technology stack also redistributes risk, shifting responsibility from specialized compliance functions to cross-functional teams, especially those building and deploying technology. Trust is no longer a governance checkpoint; it is now a core product attribute.

Integrating compliance into product design and service delivery is not a theoretical exercise. It is a strategic imperative. Compliance must become an embedded capability that scales with the business, aligns with engineering and co‑creates the experience of trust. The question is no longer if this is the future – it is whether organizations can make the leap in time.

From Compliance As Oversight to Compliance As Infrastructure

The compliance function has traditionally been defined by its ability to assess, report and intervene. But today’s technology ecosystems demand real-time assurance, not retrospective validation.

Practical Steps to Reorient Compliance

“Shift left” thinking – bringing quality and security upstream in the development lifecycle – must now extend to compliance. Product and engineering teams must internalize compliance as a native design requirement, not a post-launch fix. This calls for a reorientation of compliance from external oversight to operational infrastructure.

In practice, this means taking the following steps:

• codifying privacy and data handling requirements into application logic;
• embedding risk scoring logic into feature flag systems;
• automating, and executing by application programming interfaces (APIs), decision trees for regulatory workflows; and
• dynamically generating audit trails from execution logs, and not manually maintaining them.

What Leading Organizations Are Doing

As enterprises scale the use of AI agents across customer service, IT, marketing and finance, compliance must evolve from retrospective control to real-time enablement. These agents are no longer passive tools. They act – triggering system changes, making decisions, and interfacing directly with users and data. This creates a new surface area for misuse, leakage and regulatory exposure that traditional compliance models were not designed to handle.

Leading organizations are already moving away from traditional compliance models by doing the following three things:

1. using AI agents to pre-screen product designs for regulatory missteps;
2. deploying orchestration layers that enforce compliance as a service; and
3. creating agentic AI policies where compliance logic runs in flow, not in review.

Reframing compliance as infrastructure empowers teams to move fast without breaking trust. It also allows compliance to become more measurable. By turning obligations into observable, testable conditions, compliance teams can quantify performance, track risk exposure, and deliver transparency to executives and regulators alike.

The Rise of Product-Centric Trust and Strategic Risk Ownership

As companies pursue faster iteration cycles and direct-to-consumer value models, trust must be built from within. Product managers, engineers and data scientists are now frontline actors in trust creation. They hold the levers of decision-making, transparency, fairness and privacy.

This shift in accountability presents new opportunities and risks. Companies like Meta, through its Community Notes and transparency efforts, have reimagined content moderation as a community-involved, product-native function. Conversely, X.com’s deregulatory stance on moderation has revealed how product-centric decisions can invite reputational, regulatory and ethical scrutiny when trust is not proactively managed.

Steps for Implementing Product-Enabling Principles

Compliance teams must act not as watchdogs but as strategic risk partners by translating regulatory goals into product-enabling principles. To achieve this, compliance professionals should do the following:

• provide decision frameworks that help teams make tradeoffs in ambiguous spaces;
• design playbooks for responsible innovation (e.g., how to test sensitive features, how to interpret AI-driven outputs);
• embed risk analytics into product telemetry to detect emerging threats; and
• facilitate “trust sprints” within agile cycles to review and preempt issues.

Risks to Consider

Rather than fighting for visibility after launch, compliance professionals must influence feature conception. Risk is not something to control; it is something to shape.

Some risks that could arise without proper compliance input include:

• a payroll agent writing personally identifiable information-laden exports to a misconfigured cloud drive;
• a marketing agent injecting outdated legal copy into a personalized campaign; or
• a data subject access request agent sharing sensitive data without logging or retention controls.

These are not edge cases. They are the emerging norm. Without real-time governance, agentic actions introduce risk faster than legacy controls can respond. Strategic alignment comes from integration, not escalation.

Building Continuous Trust in the Service Delivery Model

The shift from product to service delivery means compliance can no longer rely on static controls or quarterly reviews. Trust must be continuous, contextual and responsive.

In a service delivery model, product features evolve dynamically, not in release waves. User expectations and risk contexts shift in real time, and regulatory triggers (like data subject access requests, consent revocations and breach thresholds) can happen mid-cycle.

The shift demands an operational compliance function that is:

• API-connected to the systems that drive user interaction and data handling;
• embedded within observability stacks (e.g., alerted when business logic deviates from approved patterns); and
• configurable and runtime-aware (e.g., can adjust controls based on region, audience or data sensitivity).

Examples of specific compliance functionalities include:

• real-time compliance scoring engines that monitor live system behavior;
• automated evidence collection pipelines that support audit readiness 24/7; and
• consent observability tools that surface conflicts between user choices and backend behavior.

Service-based compliance also demands a feedback culture. Signals from customer support, telemetry and risk incident data must loop back into control refinement. Ultimately, this creates a trust feedback loop: Users act → systems respond → compliance monitors → teams improve.

The shift also reframes compliance from a burden to a differentiator. Services that are auditable, explainable and configurable can earn more trust and retain more customers.

Redesigning the Compliance Team for a Product-Led Era

The compliance team of the future does not operate in silos. It sits alongside product teams, understands platform architecture, speaks the language of developers, and brings a lens of trust, safety and governance to every planning session. To have the right team in place requires a rethinking of hiring, structure and capabilities.

Necessary Skills

Important skills for compliance professionals in a product-led era include:

• deep product fluency;
• cross-functional advisory skills;
• risk-informed design thinking;
• “what could go wrong” modeling; and
• ability to decompose complexity into decision flows.

The compliance team can augment people skills with template-driven assessments, static control mapping and document-based evidence collection.

To build this future-proof team, organizations must invest in early-career hires who are:

• curious about systems and AI;
• fluent in process decomposition and signal modeling;
• able to construct “chain of thought” decision flows that mirror how AI and humans interact; and
• comfortable using collaborative tools like decision logs, large language model (LLM) copilots and vector-enabled search tools.

Training

New compliance team hires should be trained. Training must emphasize the distinction between the roles of compliance, which ensures regulatory alignment; privacy, which governs data rights and expectations; and security, which protects from threats.

Business acumen must become part of the compliance toolkit. Professionals must understand:

• how the product delivers value;
• what metrics drive roadmap decisions; and
• where friction can erode user trust or performance.

Just as important, compliance professionals must become fluent in how AI agents behave. That includes tracing actions across:

• interaction/origination (how the agent is triggered);
• processing (what systems and data it touches);
• decisioning (what logic is applied); and
• reporting/logging (what is captured, exposed and stored).

Every compliance function should map these stages and assign controls.

See our three-part series on rethinking click-through training: “The Pluses and Minuses” (Feb. 26, 2025), “Maximize Effectiveness With Customization” (Apr. 9, 2025), and “Integration Into a Comprehensive Training Program” (May 7, 2025).

Risk Literacy and Mitigation

As organizations implement LLMs, retrieval-augmented generation (RAG) and autonomous agents into business processes, compliance must adapt from AI user to AI evaluator.

Key risks compliance should be aware of include:

• Prompt Injection: where users manipulate model behavior through crafted input;
• RAG Poisoning: where external or internal data injected into AI contexts creates biased or misleading outcomes;
• Opaque Decision Chains: where compliance cannot trace how an automated decision was made, hindering accountability; and
• Uncalibrated Generalization: where LLMs overreach into decisions they were not scoped or validated to make.

To mitigate those risks, compliance must collaborate with AI/ML teams to:

• establish model governance frameworks;
• define acceptable use cases and override logic;
• implement AI “shadow modes” for risk-sensitive tasks;
• implement judge models where necessary; and
• create AI-literate compliance testing environments.

AI will scale compliance, but it will also scale risk. The ability to distinguish when AI enhances versus undermines trust is the new critical literacy.

Keeping Humans in the Loop

Crucially, when organizations are using AI, humans must remain in the loop. Compliance teams must:

• validate AI-generated evidence;
• review regulatory responses and breach notifications;
• escalate novel scenarios where policy interpretations are unclear; and
• participate in model audit reviews and validation trials.

Agentic systems require even more scrutiny. Misuse can now originate not just from bad inputs, but from orchestrated flows, including:

• insecure APIs that pass unrestricted access tokens;
• orchestration layers that skip policy checks; and
• autonomous loops that fail to respect user rights or legal obligations.

Enabling Innovation

The era of compliance as a gatekeeper is over. In its place must rise a new identity: compliance as a builder of trust, an enabler of responsible innovation and a partner in the product journey.

This pivot is not semantic. It changes how teams are structured, how outcomes are measured and how value is delivered. Compliance must be able to:

• operate at the speed of product and platform teams;
• scale its advice through playbooks, reusable design patterns and embedded policy modules;
• speak to regulators and developers with equal fluency; and
• influence culture, not just process.

Success will depend not just on strategy, but on posture. Compliance must show up as a constructive force, one that accelerates growth by embedding safety, predictability and clarity where uncertainty once lived.

The organizations that thrive in this next chapter will not see compliance as an afterthought or a department. They will treat it as a core function of the product experience and a competitive differentiator in an AI-driven world.

The time to reframe compliance is now. The tools exist. The need is urgent. The opportunity is real. The future of compliance should be built not as a reaction to risk, but as a foundation for sustainable trust and innovation.

See our three-part series on AI for anti-corruption compliance: “Foundations” (Oct. 28, 2020), “Building a Model” (Dec. 2, 2020), and “Five Workarounds for Asymmetric Data Sets” (Feb. 3, 2021).

 

Nikhil Sarnot^[1] is managing director at Accenture Security, where he focuses on building large information security and privacy programs from the ground up. He advises clients entering new markets and on transforming operations impacted by data localization, cybersecurity, and privacy laws and regulations. Sarnot focuses on risk management through technology integration and alignment of security programs with leading practices and standards. He operates at the intersection of privacy law, engineering/operations and compliance. Previously, he was the global lead for managed cyber risk and the North America co‑lead for strategy & risk.

^[1] The views expressed in this article are Sarnot’s own and do not represent those of his employer, Accenture.

Ropes & Gray has announced that former federal prosecutor Sarah Coyne has joined as a partner in the firm’s litigation and enforcement practice in New York. She arrives from Weil.

Coyne’s practice focuses on investigations and other criminal and civil matters involving financial crime, securities fraud, healthcare fraud, corruption, and high-profile allegations of misconduct and serious wrongdoing. Her expertise spans a variety of heavily regulated industries, including financial services, healthcare, life sciences, technology and sports.

Most recently, Coyne served as a partner and co‑head of the global white collar defense practice group at Weil. Prior to joining private practice, she served for more than a decade as an Assistant U.S. Attorney in the Eastern District of New York, where she held several leadership roles, including Chief of the Business & Securities Fraud Section and key positions in the Public Integrity Section. She also previously served in the District of New Jersey’s Criminal Division. During her tenure in the government, Coyne prosecuted and supervised high-profile criminal investigations, including those involving securities and investment fraud.

For commentary from Coyne, see “What the $850 Million MTS Settlement Signals About FCPA Enforcement, Disclosure and Cooperation” (Apr. 3, 2019).

For insights from Ropes & Gray, see our three-part series “2024 in Review”: International Cooperation Continues to Drive ABAC Enforcement (Dec. 18, 2024), Policy Changes Seek to Shift the Self-Reporting Calculus (Jan. 15, 2025), and Industry Sweeps and Data Analytics to Find Cases (Jan. 29, 2025).