Enforcement Trends

The FCPA Lives: Protecting American Interests


The guidance on how the DOJ will enforce the FCPA during the second Trump administration, as described in a memorandum issued by Deputy AG Todd Blanche (Blanche Memo), details how the law can be used as a sword to cut down cartels and transnational criminal organizations (TCOs). It also describes the ways in which the DOJ may use the FCPA as a shield for American companies and industries against global competitors.

This second article in a two-part series examining the Blanche Memo unpacks the directives to protect U.S. companies, use the FCPA to advance U.S. national security, and only investigate and prosecute the most serious misconduct. The first article discussed how the DOJ plans to use the FCPA to target the full TCO ecosystem.

For more on the DOJ’s enforcement priorities, see “Assessing the Criminal Division’s New Enforcement Focuses” (Jun. 18, 2025).

Protecting U.S. Companies

The executive order issued by President Donald Trump in February 2025 (FCPA EO) argues that U.S. national security depends on American companies gaining strategic business advantages, but “overexpansive and unpredictable” FCPA enforcement “actively harms American economic competitiveness and, therefore, national security.”

It does not, however, mention the ways in which the FCPA can protect honest American companies by targeting competitors that pay bribes. The Blanche Memo changes that. “By bribing foreign officials to obtain lucrative contracts and illicit profits – at times hundreds of millions of dollars – corrupt competitors skew markets and disadvantage law-abiding U.S. companies and others for many years,” the Blanche Memo asserts.

Vindicating U.S. Interests

The DOJ will seek to vindicate U.S. interests against corrupt competitors “by identifying and prioritizing the investigation and prosecution of conduct that most undermines” the economic interests of U.S. companies. When making investigation and charging decisions, prosecutors are directed to consider “whether the alleged misconduct deprived specific and identifiable U.S. entities of fair access to compete and/or resulted in economic injury to specific and identifiable American companies or individuals.”

The directive introduces a new approach for prosecutors. “Deciding whether to bring an FCPA enforcement action based on whether an American business was impacted is a very significant change in the way that FCPA prosecutors evaluate cases,” James Koukios, a partner at Morrison & Foerster, told the Anti-Corruption Report. As a prosecutor in the FCPA Unit, he looked for a U.S. nexus to satisfy the jurisdictional requirements of the FCPA, but never “specifically looked for an American business that was harmed as a result of the bribery,” he said, unless doing so might have assisted with gathering evidence to prove the bribery.

The changes presented in the Blanche Memo could impact how prosecutors allocate resources for investigations and prosecutions because “the emphasis on demonstrable harm to American businesses introduces a more outcome-driven lens to case selection,” Kelly Newsome, a partner at McDermott Will & Schulte, told the Anti-Corruption Report. It could also change “how companies assess their risk exposure – particularly in industries where U.S. firms face strong foreign competition,” she said.

Possible Violation of the OECD Convention

The directives in the Blanche Memo may not be permissible under the Organisation for Economic Co‑operation and Development (OECD) Anti-Bribery Convention (OECD Convention), Koukios pointed out. The U.S. is a party to this convention and was a “prime mover” in its adoption, he noted.

Under Article 5 of the OECD Convention, investigation and prosecution of the bribery of foreign public officials “shall not be influenced by considerations of national economic interest, the potential effect upon relations with another State or the identity of the natural or legal persons involved.”

See “The International Anti-Corruption Taskforce and U.S. FCPA Enforcement: A Look Ahead” (May 7, 2025).

Targeting Foreign Companies

When the FCPA EO was issued, many posited that future FCPA enforcement would focus on foreign companies while letting bad behavior at U.S. companies slide. The Blanche Memo specifically addresses this concern by providing that the DOJ will protect U.S. interests “not by focusing on particular individuals or companies on the basis of their nationality,” but instead by focusing on situations where U.S. companies have been harmed.

In a footnote, however, the Blanche Memo goes on to note that “[t]he most blatant bribery schemes have historically been committed by foreign companies, as reflected by the fact that the most significant FCPA enforcement actions – measured both by the scope of misconduct and the size of the monetary penalties imposed – have been overwhelmingly brought against foreign companies.” Given this language, there may be an even greater number of cases brought against foreign entities going forward, Paula Anderson, a partner at A&O Shearman, told the Anti-Corruption Report.

There have been allegations of political and economic motivations behind DOJ prosecutions for years, particularly by foreign individuals who have been investigated or prosecuted for FCPA violations, Daniel Wendt, a partner at Honigman, told the Anti-Corruption Report. “At one point, I used to joke that the top 10 FCPA lists were dominated by the Holy Roman Empire,” because some of the largest settlements were with companies from Germany, France, Switzerland and Italy. “The specific geographies have changed, but companies based outside the United States still dominate the top 10 lists,” he observed. Thus, the Blanche Memo does not actually change international perceptions of FCPA enforcement, but “the Europeans and others can now point to specific DOJ policy to say why they feel specifically targeted,” he said.

American companies could still fit within the scope of these directives, as well. “It is quite possible that a bribe paid by one American company could harm another American company,” Koukios noted.

How DOJ Might Measure Harm

The Blanche Memo does not go into detail about how the DOJ will interpret “fair access to compete” and “economic injury,” leaving the instructions open to interpretation by individual prosecutors.

One obvious way in which U.S. companies could be disadvantaged “is if they were competing in public tenders against other companies – foreign or domestic – that won the bids through corruption,” Caitlin Sheard, a partner at McDermott Will & Schulte, told the Anti-Corruption Report. Indeed, many FCPA settlements in the past have involved public tenders.

“Specific harm could be determined by examining whether the alleged misconduct resulted in lost contracts, missed business opportunities, or other economic injury to identifiable U.S. companies or individuals,” Anderson suggested.

Prosecutors can review market data, internal communications at the target entity or procurement records to determine if a U.S. entity was unfairly excluded from a business opportunity, Newsome said. “Economic analysis and input from affected parties may also be used to assess the extent of any financial harm,” she added.

Companies that are the target of an investigation may also be asked to provide information about how their misconduct might have impacted other companies. “I would not be surprised if FCPA prosecutors start routinely asking companies to produce evidence regarding their competitors that might have been harmed by the alleged bribery,” Koukios said.

Whistleblowing

As a prelude to the Blanche Memo, in a May 2025 speech (May Speech), DOJ Criminal Division Head Matthew Galeotti announced expansions to the DOJ Corporate Whistleblower Awards Pilot Program (WAPP).

There could be an uptick in whistleblower reports from people at U.S. companies “claiming to suffer economic harm in the form of loss of contracts, stolen business opportunities or inability to compete fairly, as a result of bribes being paid by their foreign competitors,” Anderson predicted.

Outside of the WAPP, the DOJ might provide significant benefits to companies that blow the whistle on competitors or foreign officials demanding bribes, which could, in turn, “potentially lead to more self-reporting and cooperation,” Aurélie Ercoli, a partner at DLA Piper, told the Anti-Corruption Report.

Individual whistleblowers might also take note of the Blanche Memo. “Whistleblowers may be more successful if they can show a nexus between the alleged conduct and harm to American business,” Sheard said.

With new potential benefits under the WAPP, “counsel for whistleblowers will be much more excited if they find a client with allegations against ex-U.S. companies that compete head to head with American companies, assuming there is jurisdiction for the DOJ,” Wendt predicted.

See “Do the 2025 Changes to the DOJ’s CEP and Whistleblowing Programs Encourage Companies to Self-Report?” (Jul. 16, 2025).

National Security

One of the key points in the FCPA EO is that “strategic business advantages,” particularly with regard to “critical minerals, deep-water ports, or other key infrastructure or assets,” play a substantial role in U.S. national security. The Blanche Memo elaborates that national security is harmed when corruption “occurs in sectors like defense, intelligence, or critical infrastructure.” As a result, “FCPA enforcement will therefore focus on the most urgent threats to U.S. national security resulting from the bribery of corrupt foreign officials involving key infrastructure or assets,” the Blanche Memo provides.

Always in Scope for the FCPA

By expressly directing attention to national security, the Blanche Memo “takes a more targeted approach than previous enforcement, which did not always distinguish between sectors or consider national security implications as a primary factor,” Ercoli suggested.

Still, many previous FCPA settlements have involved key infrastructure or assets, such as the numerous cases that stemmed from Operation Car Wash and involved Brazilian state-owned oil company Petrobras. Indeed, according to Stanford University’s FCPA Clearinghouse, the largest and fourth largest FCPA settlements of all time were related to Operation Car Wash.

“DOJ policy has always required prosecutors to consider the nature and seriousness of the offense, and a bribe involving key infrastructure or assets could have been considered serious even under previous enforcement practices,” Koukios noted. However, he could not recall “specifically considering as an FCPA prosecutor the involvement of key infrastructure or assets in a bribery scheme as a threshold requirement for an FCPA case.”

See our three-part series on takeaways from the Petrobras settlement: “Deal With SEC and DOJ to Resolve Allegations of Systemic Bribery” (Oct. 17, 2018), “State-Owned Entity, Victim and Perpetrator” (Oct. 31, 2018), and “Lessons on Preventing Top-Down Corruption” (Nov. 14, 2018).

A Malleable Definition

While the FCPA EO and the preamble in the Blanche Memo name specific industries, the specific language directing prosecutors provides that the DOJ will focus on “threats to U.S. national security” that involve “key infrastructure or assets.”

These are “malleable terms,” Nikolaos Doukellis, a senior associate at Hogan Lovells, told the Anti-Corruption Report. Many of the companies involved in the largest FCPA settlements “were in the construction, transportation, energy, communications and aerospace sectors, which continue to be at the forefront of this administration’s policies,” he said. “Prioritizing infrastructure, ports, defense and critical minerals cases does not mean total exclusion of other sectors,” because financial services, telecommunications, and pharmaceuticals and device companies could be interpreted as “key assets,” as well, he suggested.

“If someone has a mercantilist view on trade, many sectors become key infrastructure or assets,” Wendt observed.

Corruption in the Intelligence Sector

One sector that has not overtly shown up in many FCPA cases but was referenced specifically in the Blanche Memo is the intelligence sector.

“In general, I am not familiar with anyone tracking FCPA statistics using the intelligence sector as a stand-alone category,” Wendt said. If defined broadly, many companies could be included in this sector, such as telecommunications, software, hardware, cloud technology, semiconductors and data centers. “Basically, anyone collecting, storing or transferring data,” he said.

“Private intelligence firms, data aggregators and brokers, biometrics and geolocation processors, social media, technology and artificial intelligence companies often provide services that pertain to more traditional notions of intelligence and counterintelligence to private and government clients,” Khushaal Ved, a partner at Hogan Lovells, told the Anti-Corruption Report. Each of these could be considered a threat to U.S. national security as “some can swing elections,” others “pinpoint someone’s exact location,” and they are also “handling vast quantities of personal data,” he said.

Companies that could fall into the DOJ’s interpretation of the intelligence sector “should ensure their anti-corruption controls are robust and tailored to these heightened risks,” Ercoli advised.

See “How Deputy AG’s Focus on Clawbacks and National Security Impacts Enforcement and Companies’ Compliance Efforts” (Oct. 25, 2023).

Prioritizing “Serious Misconduct”

In response to the FCPA EO’s observation that “overexpansive and unpredictable FCPA enforcement against American citizens and businesses” is a waste of prosecutorial resources, the Blanche Memo directs that FCPA investigations and enforcement actions “shall not focus on alleged misconduct involving routine business practices or the type of corporate conduct that involves de minimis or low-dollar, generally accepted business courtesies.”

Instead, prosecutors should focus on allegations that bear “strong indicia of corrupt intent,” such as “substantial bribe payments, proven and sophisticated efforts to conceal bribe payments, fraudulent conduct in furtherance of the bribery scheme, and efforts to obstruct justice,” the Blanche Memo instructs.

A Questionable Problem

Considering DOJ FCPA settlements over the past decade, there is little evidence to support concerns that companies are being prosecuted for low-dollar transactions or routine business practices.

“Looking back on past enforcement, DOJ has been prosecuting significant cases, with conduct spanning multiple years and multiple jurisdictions and involving millions of dollars (even if the individual bribe payments were in the thousands),” Ved observed.

Additionally, even though there is no de minimis exception to the FCPA, “historically, the DOJ has rarely prosecuted cases based solely on small, routine business courtesies,” Anderson said.

There have been settlements where the fact pattern did involve small-dollar transactions to government officials, but they were not the sole basis for prosecution. “This is something we saw come up occasionally, but typically only when the issues were widespread or coupled with more serious misconduct,” Sheard observed.

In such cases, “the concern was not the individual dollar amounts, but rather the cumulative nature of the benefits and the absence of adequate internal controls,” Newsome explained. “These factors, when combined, have elevated otherwise minor practices into broader compliance failures.”

The concerns behind the directive to only investigate serious misconduct may stem less from the actual number of prosecutions and more from the burden created for companies that are worried about enforcement. “Historically, enforcement actions for purely technical or low-dollar violations were rare, but the risk of investigation or enforcement for such conduct created significant compliance burdens and anxiety for companies,” Ercoli said. “The new guidance formalizes what had been an informal policy, providing companies with stronger arguments to shut down investigations of marginal cases.”

Still, companies may want to keep their policies around small courtesies in place. “Many companies likely will still want to remain vigilant against even low-dollar corruption, taking a ‘broken windows’ view of such conduct,” Stieglitz advised.

Fewer Prosecutions for Gifts, Travel and Entertainment

Dollar amounts aside, the language in the Blanche Memo may indicate that the DOJ will be less likely to go after any gifts, travel or entertainment exchanges as FCPA violations, instead considering them “routine business practices.”

The Blanche Memo directs “that FCPA enforcement should be targeted to a specific and potentially narrower set of circumstances than the approach taken in the past,” Kim Parker, a partner at WilmerHale, told the Anti-Corruption Report. Therefore, “it stands to reason that travel and entertainment cases and certain cases predicated on internal accounting control violations – both robust areas of enforcement over the years – may not present the severity of harm contemplated for DOJ enforcement.”

Prioritizing “serious misconduct” may be an important change for all cases at the edges, Wendt predicted. There could be less risk of enforcement “where relatives have preferential hiring status (and the relatives of the official actually show up to work); where a company provides premium travel or entertainment for officials and perhaps even their family members; where officials attend high-profile sporting events, concerts or other experiences; where a company makes a strategic donation or sponsorship; and perhaps also in cases where companies provide gifts,” he said. At the same time, he observed that such cases, with a few exceptions, such as the BIT Mining settlement, have been less prevalent in recent years anyway.

See “BIT Mining’s Inability to Pay Nets a $10M Settlement Over Allegations of Bribery in Japan” (Jan. 15, 2025).

Assuaging Fears

Companies may still be relieved by the language and tone of the Blanche Memo regardless of whether the number of cases involving gifts, travel and entertainment changes.

“Companies can rest easier knowing that they likely won’t be prosecuted for cups of coffee alone,” Sheard said. But companies “should still stay vigilant to these risks, as excessive hospitality and lax rules around business courtesies and other small-dollar payments can be indicative of larger issues,” she advised.

Companies should recognize that “they could be subject to the local anti-corruption laws even if DOJ or SEC do not investigate,” Ved warned.

See our three-part series on travel and entertainment corruption risks: “Five Hallmarks of an Acceptable Hospitality Expenditure” (Mar. 9, 2016), “Three Musts for a Strong T&E Policy and Five Ways a Company Can Customize Its Program” (Mar. 23, 2016), and “Internal Controls to Ensure the Program Is Working” (Apr. 6, 2016).

Artificial Intelligence

From CEO Deepfakes to AI Slop, AI Incident Tracking Ramps Up


After years of eye-opening statistics about cybersecurity attacks, it is artificial intelligence (AI) incidents’ turn. As AI systems proliferate across industries and into everyday activities, the tracking and tallying of incidents shows that AI’s risks are growing more layered, global, urgent and numerous.

As of July 2025, the non-profit AI Incident Database (AIID) has tagged and categorized more than 1,140 publicly reported incidents across 23 types of AI harms (based on 4,724 reports). Since the start of May 2025, AIID has added 57 new incident IDs, AIID editor Daniel Atherton told the Anti-Corruption Report. Additionally, the Organisation for Economic Co‑operation and Development (OECD) has an automated tracker that has added an average of approximately 330 AI incident reports per month to its database in 2025 to date.

Nonpublic incidents are beginning to surface, too. In April 2025, the non-profit MITRE, which has long run the Common Vulnerabilities and Exposures (CVE) program on behalf of the U.S. government, launched an incident‑sharing initiative to accept confidential reports of manipulations, tampering, model jacking and other malicious acts affecting AI systems. “We’re trying to be a third-party safe space,” said Christina Liaghati, department manager for Trustworthy and Secure AI at MITRE. “The data about incidents is very difficult to get outside of organizational silos” without an organization like MITRE trying to standardize and grow reporting, she told the Anti-Corruption Report.

If AI is truly to be a solution for companies and the world, business leaders and corporate boards likely will need to hear more stories about AI’s problems. “The ability to manage potential incidents is essential,” said Douglas Robbins, vice president of MITRE Labs, in a statement. “Standardized and rapid information sharing about incidents will allow the entire community to improve the collective defense of such systems and mitigate external harms.”

This article shares observations by Atherton and Liaghati on the maturity of AI incident tracking, how to define what counts as an AI incident, trends in adverse events and benefits for companies that report their incidents.

See “Cybersecurity and AI Are Top Global Business Challenges Identified in Kroll Study” (Jul. 16, 2025).

AIID Tracking and Trends

The AIID, run by the Responsible AI Collaborative and edited primarily by humans, has operated since 2018. The 1,140 (and counting) incidents include 249 that occurred before 2020.

What the AIID Tracks

AIID’s collection of incidents is based almost fully on published reports submitted by contributors, individuals and automated searches. The site is browsable, providing a discovery tool that filters and displays incident records in spatial, table and list views.

AIID classifies incidents by the domains of risk involved (e.g., discrimination and AI system safety), the AI use or goal, the sector(s) of deployment, and whether outcomes were expected or unexpected. More granularly, its descriptions of incidents refer to three taxonomies of detailed AI harms, which cumulatively sort AI failures into 65 subtypes.

AIID is a lagging indicator of emerging AI problems because it tends to compile only incidents exposed in news reports, and not direct reports from companies that experienced an incident, Atherton stressed. “Editorial bandwidth and resource constraints” limit its comprehensiveness, he cautioned, adding that “incident count is just a focused snapshot of the available reporting on an overwhelming reality that is not and cannot be fully reported through current means.”

In addition to incidents, AIID has begun including public reports of issues and vulnerabilities with AI use.

Trends in Incidents

Three CEO Deepfakes Drew Alarm

Impersonations of corporate executives and other leaders using AI-generated video and voice have increased. In July 2025, reports that an AI-cloned voice of U.S. Secretary of State Marco Rubio had been used to contact officials in diplomatic communications drew attention in C‑suites, joining the following three earlier incidents:

  • Arup Group was scammed out of $25 million via a deepfake video call impersonating its chief financial officer (Incident 634).
  • Ferrari faced a targeted attack using a voice clone of CEO Benedetto Vigna (Incident 966).
  • WPP, the advertising giant, thwarted an attempt involving AI voice cloning and YouTube footage of its CEO (Incident 983).

“These three stories constantly get repeated” and invoked as warnings to businesses, Atherton said. The Arup case is cited frequently because the amount is quite astounding for a theft using a deepfake, he added.

Romance, Crypto and Celebrity Scams Dominate

Other scams using AI-generated clones prey on emotions and interest in fame and money. “We’re seeing a massive uptick in romance scams, celebrity impersonations and cryptocurrency fraud,” Atherton noted.

AI Slop Becomes an Ambient Threat

“AI slop” refers to the surge of low-quality, misleading or fake content that has become “part of the ambient reality that we live in,” Atherton explained. For example, after the Air India crash in 2025, AI-generated videos and images circulated widely, confusing the public and reportedly misleading investigators (Incident 1125).

The AI fakes “diverted resources, time and energy away from what actually occurred,” Atherton reported. AI slop creates moments of “epistemic ambiguity” that blur the line between real and fake, reducing trustworthiness, particularly in high-stakes environments, he elaborated.

Journalists rarely identify the AI tools used, which hampers efforts to combat scams and slop and leaves a major data point unanswered. “In many cases, as the editor, I simply have to say ‘unknown deepfake technology developer,’” Atherton lamented. Incident 1128 was a welcome change because journalists spotted the mark of Veo 3, the video generation tool, imprinted on the footage, he enthused.

Unchecked Hallucinations in Law and Government

Results from AIID show that AI-fabricated content is being accepted as evidence. In Norway, a municipal report containing fake citations prompted the closure of schools and kindergartens (Incident 1009). “If someone creates a document that assumes nobody reads it carefully, the consequences can be very real,” Atherton warned. Judges are on the lookout, at least. A court fined the lawyers for MyPillow CEO Mike Lindell over a February 2025 filing that contained some 30 large language model (LLM)-fabricated citations (Incident 1145).

Chatbot Sycophancy and Mental Health Risks

Another emerging concern is the psychological impact of LLMs on users. “By default, AI systems are becoming integrated into our everyday lives,” according to Atherton, a convergence shown by Incident 1106 in June 2025, which gathered reports of users becoming delusional after prolonged interactions with chatbots. These systems, designed to validate and reassure, can mirror users’ thoughts back to them in ways that reinforce unhealthy beliefs, which researchers call sycophancy, he noted.

More Consumer Complaints

AIID receives some reports about other companies’ incidents from individuals. In many of those cases, the person filing the report indicated to the Responsible AI Collaborative that they already had shared the same incident information with the relevant company, Atherton pointed out.

OECD’s Automated Incident Tracking

The OECD runs another, mostly automated, database called the AI Incident and Hazards Monitor (AIM). AIM has a collection of incidents similar to AIID. It has been adding an average of 337 incidents and hazards per month, captured by web scraping international news reports. Once it captures a list of incidents, LLMs evaluate their relevance and tag reports. AIM labels issues and vulnerabilities as “hazards.” While over 30 experts have helped set parameters for OECD’s classifications, a browse reveals that some of the automated reports on hazards miss the mark, describing AI use only, not misuse or risks.

AIID also uses automated crawling for incidents but finds false positives, Atherton said. As a researcher, his interest is the dynamics of public discussion of AI risks. However, facing the flood of AI fakery, he would not mind better automation. “I’m wading through the slop, in my wellies,” he added.

MITRE’s Approach to Information Sharing

As a leading cybersecurity research organization, MITRE has historically emphasized AI security, but now is broadening its “AI assurance” efforts. In April 2025, MITRE launched its AI Incident Sharing program to collect and analyze accidents and incidents.

An Initial Guide to AI Risks

In 2019, years before launching its AI Incident Sharing program, MITRE created the ATLAS matrix of adversary tactics, techniques and procedures (TTPs), which was modeled after MITRE’s ATT&CK framework used in cybersecurity. “We were starting to see these common patterns of incidents popping up,” Liaghati explained, “so we worked together with industry partners to start to characterize that into a standard.”

Each TTP in ATLAS is based on real-world case studies submitted by MITRE partner organizations and linked to an ATT&CK counterpart. “We don’t go out and scrape other resources,” Liaghati said.

Incident Sharing Launched

MITRE prepared for its AI incident information-sharing initiative by holding sessions under the Chatham House Rule, with as many as 50 organizations present at each, Liaghati explained. Given how fast attacks can pivot, “we want them to proactively share information with us as soon as they can,” she recalled.

Since starting the AI Incident Sharing program, MITRE has been receiving “weekly reports,” Liaghati said.

MITRE also encourages updates to reports, if possible. Companies may recognize, upon review of the incident’s forensics, that the failure had a different root cause than first reported, Liaghati noted.

Only Participants Receive Full Reports

Unlike cybersecurity, where regulatory requirements often drive reporting, AI incident sharing remains voluntary. “It’s very much still a carrot approach,” Liaghati observed.

Only those organizations submitting to MITRE may receive access to shared indicators and the latest information. “If you want to be part of this trusted community group so you can improve your own security posture with data-driven risk intelligence, you have to submit” either incidents or demonstrated vulnerabilities, Liaghati explained. Submissions must reflect results from a “real-world deployed system or deployable system, or an actual attack on an operational system,” she clarified.

MITRE’s role as an honest broker is central to its approach. “There aren’t that many entities who can take an objective position,” Ozgur Eris, director of MITRE’s AI Innovation Center, told the Anti-Corruption Report. “We’re aggregating information, making sense of it, and then sharing it with the people who can act on it,” offering an attractive benefit for participants, he explained.

For the broader public, MITRE has posted 32 case studies about AI incidents, Liaghati shared.

Will Top AI Companies Participate?

The strength of MITRE’s initiative depends on the biggest AI developers participating. MITRE is engaging with them. For example, Liaghati shared, while MITRE is not directly part of the Frontier Model Forum, launched by major AI developers with its own information-sharing effort, “there’s a lot of overlap in the groups involved.”

MITRE has encouraged the LLM giants to share information with its new network, particularly when they do not have mitigations for active risks. Even if an LLM company opts not to announce vulnerabilities publicly out of fear of “handing an instruction manual to an attacker,” at least, “in some cases, it is better to engage with a trusted, protected group,” Liaghati said.

Defining an Incident

One of the thorniest issues MITRE faces is defining what counts as an AI incident. “This is definitely something that a lot of the community is still struggling with,” Liaghati observed. While many incidents involve security, MITRE is gathering information involving broader AI concerns, such as performance failures, reputational risks and interoperability issues in agent-based systems.

“We’re trying to make the incident database flexible across the range of assurance risks,” Liaghati said. This includes concerns like “verifying interactions between systems, logging those interactions and ensuring human-in-the-loop oversight,” she elaborated.

MITRE welcomes reports of not just malicious attacks, but also red-teaming exercises and system failures. Companies are “getting better at defining incidents and at defining vulnerabilities,” and more “have deliberately gone deep on AI security,” Liaghati reported.

Private Sector Drives Reporting

Most of the incident reports MITRE receives come from the private sector. “Industry has leaned in really quickly in deploying LLMs – and sometimes in really naive ways,” Liaghati observed.

“There’s understandably a lot more risk aversion and balanced approaches in government use cases,” Liaghati noted. MITRE is working closely with government sponsors to develop incident response frameworks, but practices remain very idiosyncratic, she said.

Tracking New Tactics

MITRE updates the ATLAS matrix of TTPs twice a year. Its Mid-2025 update added 19 tactics, many involving generative AI and supply chain vulnerabilities. New attack vectors have been detected during the time frame when an AI giant retrains its popular LLMs for updates, Liaghati said. “We’re continually seeing how [attackers] can take advantage of poisoning a dataset before somebody uses it,” she shared.

One case study, dubbed “ShadowRay,” offers “a really good example of supply chain attack vectors,” Liaghati continued. Attackers exploited software dependencies and a lack of authentication to steal an estimated $1 billion in computing power from companies’ AI systems.

MITRE Shares Mitigations, Too

MITRE is trying to link all its tools. “Incidents are reactive datasets, whereas vulnerabilities are very proactive,” Liaghati noted. MITRE is updating its AI risk database in July 2025 and refining the ATLAS case studies.

Most practically, MITRE publishes a roster of preventive mitigations, security concepts and technologies that companies should consider. “We’re not just waving the flag so everybody should freak out. No, instead, let’s capture these problems so we can understand them and then mitigate them wherever possible,” Liaghati emphasized.

The Path Ahead for AI Incident Tracking

While MITRE’s AI assurance work remains in an early stage, momentum is building. “We started ATLAS with about 12 industry partners,” Liaghati said. “We now have over 150 organizations involved.”

The goal is to build a shared understanding of AI risks and a collective defense against them. “We’re trying to get the standardized information out there so people can better assure and secure their systems,” Liaghati emphasized.

The details in the MITRE and AIID databases are primarily handy for companies’ technical and AI development teams, but those teams will need to educate AI governance teams and, eventually, top executives about the broad types of incidents and accidents that have occurred and been documented.

For now, MITRE’s case studies provide educational material for companies’ AI teams. On the AIID website, Atherton’s team posts a bimonthly summary of incident trends.

Both MITRE and AIID are positioned to capture emerging AI trouble. As more companies participate in MITRE’s group, it likely will gain insights into the dark side of the rollout of agentic systems. “In the AI security community, some have predicted that the rapid increase of agentic systems may strengthen security because the agentic systems can monitor each other,” Liaghati noted. Others are skeptical because of the market’s eagerness to add a barely tested technology.

MITRE will proceed methodically, Liaghati said. Agentic AI risks are new and “not as demonstrated as they need to be to [be] include[d] in the ATLAS matrix yet,” she noted. However, it is a safe bet that anyone wanting to know about AI agent troubles will, before long, find some details in MITRE’s case studies and in AIID’s incident reports.

See “AI Governance: Striking the Balance Between Innovation, Ethics and Accountability” (Jun. 18, 2025).

Compliance Team

Eight Tips for Building a Cross-Company Compliance Network


In-house compliance professionals need to be able to rely on support from elsewhere in the company, but garnering that support can take effort. To engage busy managers within the organization, compliance professionals must find practical methods for catching their attention and earning their trust.

Strategies for spreading the word about compliance and building alliances across the organization were the topics of a June 2025 webinar hosted by Ground Truth Intelligence. Participants were Amritha Edachery, Ground Truth Intelligence’s director of research and intelligence; Jad Mhanna, head of compliance at Ericsson Networks and Ericsson Technology; and Nadège Rochel, vice chair of the strategic committee at ETHICS, an association of healthcare compliance professionals. This article summarizes their insights and provides eight practical tips on how to build support for compliance throughout the company.

See “Survey Finds Increased Value in Having a Culture of Compliance” (Feb. 26, 2025).

The Benefits of a Strong Compliance Culture

Building in-house compliance networks and promoting speak-up culture are increasingly important as companies face growing regulatory complexity.

“In today’s complex regulatory landscape, the era of ethics and compliance professionals working in isolation is far behind us,” Edachery said.

In addition, a stronger culture of doing the right thing and reporting wrongdoing can improve a company’s bottom line.

Corporate ethics brings a real return on investment, Rochel emphasized. Ethisphere Institute’s research shows that the world’s most ethical companies “outperformed their peers by 12.3% in financial results” over a five-year period, she reported. Additionally, a study by compliance consultancy firm LRN found that organizations with a strong ethical culture outperformed others by 40% in several performance metrics, she said.

Corporate ethics play a big role in retaining talent, especially when it comes to Generation Z employees. “They are purpose-driven, and they seek employers whose values align with their own,” Rochel noted. Research from Deloitte in 2024 showed that 86% of Generation Z employees and 89% of millennials consider a sense of purpose to be key to their wellbeing in the workplace, she said. “An ethical, transparent culture gives people the psychological safety to speak up, experiment and grow.”

See “2025 LRN Effectiveness Survey Finds Lags in Third-Party Diligence” (Mar. 12, 2025).

Building a Compliance Network

Building a network of compliance allies across the company can increase efficiency and help identify risks, as well as help to set the proper tone throughout the company.

Increasing Effectiveness

Compliance efficacy requires support throughout the company. “Our effectiveness as ethics and compliance professionals depends on our ability to build meaningful connections,” Edachery said.

The network effect can make a decisive difference to compliance efforts, Rochel stressed. “The real impact really happens when we team up, when we build bridges across departments, when we are invited in, and not just to review and approve, but to co-create with the business,” she said. Different departments need to be involved in the efforts, including the company’s legal, HR, finance and audit functions, she suggested, which will “help us to shift the perception of compliance from a control function to a true strategic partner.”

The data back this up. PwC’s “Global Compliance Survey 2025” shows that connected compliance leads to better decision-making, more transparency and a stronger culture, Rochel reported. The study found 59% of respondents cited greater confidence in compliance decision-making “precisely because of better coordination across the business,” she said.

Compliance becomes smoother when different departments are engaged in the process. “It makes it simpler, faster and more effective to comply,” Rochel said.

Department leaders working together toward “enhancing the culture” can lead to business managers more frequently approaching the compliance team for consultation, Mhanna said, resulting in a pull from the business toward compliance rather than a push from the compliance team.

Compliance professionals should build trust from other parts of the organization before that trust is needed, Rochel advised. Tending to relationships when things are running smoothly will make “having a challenging discussion or asking some challenging questions” easier in times of stress, because there will be an understanding that the compliance team is there to protect the company, she said.

Another advantage of the compliance team collaborating across the organization is that it helps surface risks early on, Rochel shared, which helps ensure that “any issue does not go to the headlines.” When compliance achieves a cross-company network, “we proactively identify and mitigate the risk rather than reacting to crisis,” she explained.

Setting the Tone

Having a network of support throughout a company helps to set the proper tone for compliance.

Tone at the top of the organization is an important factor in building a strong compliance program, Rochel asserted. “There is always tone from the top,” she noted, but the crucial question is what tone is being set: “is it negative, is it neutral or is it positive?”

However, sometimes leaders’ actions contradict compliance messaging, Mhanna pointed out. “We need a consistent, homogeneous message,” he said. This does not exist if the business head is “leading a compliance training in the morning, and then in the afternoon telling the team: we need to achieve sales no matter the cost.”

If compliance professionals find the tone from the top unhelpful, all is not lost, as tone in the middle, set by a network of compliance supporters, may be equally important. Ethics and compliance officers often seek to “influence middle managers across multiple departments” and make them “true partners in the compliance mission,” Edachery noted.

One way to get middle managers on board is to make sure they understand they have skin in the game. Middle managers may not realize that engaging in compliance is a matter of personal liability, Mhanna offered. “They should know that they are personally liable” if someone on their team breaches company policies or the law, he stressed.

See our three-part series “How to Build a Compliant Culture and Stronger Company From the ‘Middle’”: Part One (Apr. 1, 2015), Part Two (Apr. 15, 2015), and Part Three (Apr. 29, 2015).

Eight Practical Tips for Building a Network

While the advantages of having a network of support for compliance within a company are clear, building that network can still be a challenge. Below are eight tips to help get the process started and run more smoothly.

1) Ask Managers to Co-Create Compliance

Compliance officers must make sure company leadership understands that the role of the compliance department is to support the business. The message from the compliance team, Rochel suggested, should be: “I am not here to slow you down, but I am here to help you to succeed ethically.”

One way to ensure compliance is supporting the business is to ask business managers to co-create training materials to help foster a cooperative culture, Rochel said.

“Ask their input,” Rochel advised, which helps managers to “feel heard” and that they own compliance, which in turn increases the likelihood that they will promote compliance to others in the company. For example, she recalled a project where managers were involved in developing an intranet for compliance with the goal of making it more approachable for target users.

2) Balance Collaboration With Independence

While collaboration is important, so is maintaining the independence of the compliance function. Compliance professionals need to “balance maintaining compliance independence with building the collaborative relationships needed for effectiveness,” Edachery said.

The compliance function needs to make decisions without influence from business managers. This is why compliance usually reports to the board, or has a dotted line to the board, Mhanna noted. “We make our decisions on our own,” he said.

However, collaboration and independence are “not mutually exclusive,” Mhanna clarified. “When we need to action things, we action them in cooperation with others – whether it is the business, the other supporting functions or assurance functions, or both,” he stressed.

Additionally, “collaborations earn us the credibility to stay independent,” Rochel observed.

3) Cultivate Personal Relationships

Cultivating long-term interpersonal connections in the organization is an important investment by a compliance officer. When red flags emerge down the line, a compliance officer can call on those personal relationships to address them, Mhanna suggested. Great compliance resources can be built quickly, but the same is not true of the rapport that will encourage people across the organization to act compliantly, he cautioned.

Compliance officers should build trust before they need it, Rochel suggested. It will be easier when compliance officers “have to say no or have a challenging discussion or ask some challenging questions,” as business colleagues already believe that the compliance team is “here to protect them,” she said.

Compliance professionals should be quick to own up to mistakes they make in the line of duty, both Rochel and Mhanna stressed. To be honest about the error and correct it is “the best way to earn and keep trust,” Mhanna said.

Compliance professionals must be humble about their mistakes, Rochel added. “It is hard, because we tend to be the department that knows everything.”

4) Make Compliance Information Accessible

Compliance professionals can help ensure appropriate messages come from company managers by providing them with “ready-made tools,” Rochel offered. This is more specific than telling managers they “have to promote compliance,” she said.

Rochel has supplied managers with “compliance survival kits” that define key compliance topics and provide discussion questions that help them lead conversations with their teams. To help managers document and record the work they have done on compliance, she encourages them “to have a happy compliance folder on their computer.”

Devising compliance training that employees experience “less like a mandatory exercise and more like valuable business enablement” is another important way to ensure compliance information is accessible, Edachery noted.

“Really meaningful trainings are trainings that speak to people,” Rochel said. She prefers active training courses as they give trainees the opportunity to engage in practice exercises, such as case studies that call for ethical decisions in realistic situations and critical thinking skills.

See “How Ericsson Made Compliance Training Must-See TV” (Mar. 12, 2025).

5) Ensure Hotlines Offer Empathy and Appreciation

For companies with E.U.-based operations, speak-up culture has become a pressing priority thanks to the whistleblower protection laws that Member States have adopted as a result of the E.U. whistleblower directive adopted in 2019. “A lot of organizations are probably feeling overwhelmed” because of the new laws, Edachery acknowledged.

If it proves difficult for in-house compliance professionals to set up a helpline internally, “there are numerous external companies who do provide hotlines,” Mhanna said. It is important for the hotline to be available 24/7 and to offer most of the languages spoken within the company.

While outside suppliers can help with the technicalities, the critical piece is having a genuine and empathetic company culture, ensuring that anybody who speaks up gets heard, Mhanna stressed.

“When they speak up, we listen up, we act [and] show that we have acted,” Mhanna said. It is important that whistleblowers come away from the experience feeling inclined to encourage others to also speak up about concerns, he added.

To illuminate the tangible results of hotline complaints, Rochel advocated sharing the outcome with the organization. The message should be that “we looked into it, we investigated, and then, as a result, we are stronger as an organization,” she said. It is vital for compliance to reassure company employees that the company takes into consideration what they share, she noted.

Employees may also speak up directly to their managers, Rochel added. Compliance officers must make sure that managers are ready for that possibility and know what to do with complaints within the organization, she said.

It is also crucial that the hotline receives vocal support from the company leadership, “encouraging people to speak up and guaranteeing non-retaliation,” Mhanna said.

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

6) Scrutinize the Culture of Acquired Companies

In the wake of an M&A transaction, the acquiring company’s compliance team must be prepared to work on the compliance mentality in the company that was taken over.

Mhanna’s experience as head of compliance included helping turn around the culture in a small acquired company. “The culture they had was completely different from what we had,” he said, noting that there was “fear of retaliation” at the acquired company, and employees did not speak up about wrongdoing. Work to turn around the culture happened under a leader appointed to manage the new company who “knew that if we lacked speak-up, then a lot of compliance breaches were going to happen and we would not be able to catch any.”

See “White Deer Sanctions Settlement Underscores the Importance of Post-Acquisition Cleanup” (Jul. 30, 2025).

7) Choose Champions Carefully

Building a team of compliance champions or allies can help boost the network effect.

“Find your early ally,” Rochel advised. Compliance officers should start by identifying one to three managers who “already demonstrate ethics and integrity and care about their team,” perhaps because they previously worked in an organization with a mature compliance program, she said. Compliance officers can start to equip those people with tools and celebrate them “so they can inspire others,” she added.

It is important to pick compliance champions who are in the position to notice and address red flags. That might mean choosing people from compliance’s “favorite allies,” HR staffers or its “secondary allies,” the finance and controls employees. But it might also require finding allies in other departments that face heightened compliance risk. For example, in the case of the acquired company Mhanna helped integrate, its manufacturing operations posed security risks, so it was important to engage allies from the security department.

See “Creating a Values-Based Compliance Code and Recruiting Compliance Champions to Spread the Message” (Nov. 4, 2015).

8) Show Gratitude

According to Mhanna, it is important to show gratitude to those in the company who contribute their time, over and above their regular jobs, to help improve the compliance culture. “Thank them in front of their managers. Make sure that when they have their end-year appraisal, their leaders know that they have invested their time and their effort into compliance,” he advised.

Concurring that “recognition builds engagement,” Rochel mentioned another way to acknowledge compliance allies: “In my compliance committee slides, I would share the pictures of the people that help us from the business,” she said, dubbing such people “ambassadors” for compliance.

See “Compliance 5.0: A Culture-Centered Approach” (Jan. 17, 2024).

Anti-Kickback

How Health Organizations Can Navigate 2025’s Enforcement Shifts


Compliance professionals in the healthcare space currently face a range of enforcement shifts – some more subtle and gradual than others. The current administration is maintaining active enforcement of the Anti-Kickback Statute (AKS), the False Claims Act (FCA) and the Stark Law (Stark), which targets physicians referring patients to healthcare providers with which they have a financial relationship.

However, there have been nuanced changes in how the statutes are enforced by agencies such as the DOJ, the Centers for Medicare & Medicaid Services (CMS) and the Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS). For example, there has been an intensified focus on individual accountability, and the administration has stated that it intends to double down on fraud, waste and abuse in the healthcare sector.

What all this means for healthcare compliance professionals was the topic of a webinar hosted by the Health Care Compliance Association (HCCA) in June 2025. Baker Donelson shareholder Amanda Copsey, Nelson Mullins managing partner Gabriel Imperato and Arete Compliance Solutions principal Steven Ortquist shared their observations while HCCA chief engagement and strategy officer Adam Turteltaub moderated. This article distills their insights.

See “The Continued Value of Healthcare Compliance Guidance Amid Sector Shifts” (Feb. 26, 2025).

Enforcers Focus on Accountability, Quality, Necessity, Waste

Individual accountability, quality of care and questions of medical necessity are major focus areas for governmental agencies engaged with healthcare, and they are watching out for fraud, waste and abuse.

Individual Accountability

Enforcers are expected to have an intensifying focus on prosecutions of individuals under the present administration.

While individual accountability has been an important focus for healthcare enforcement for decades, this second administration of President Donald Trump has indicated it will “focus more on individual accountability” on top of the traditional primary concern with corporate accountability, Imperato reported.

More than two decades ago, enforcers said they would begin focusing on individuals as a deterrent to bad behavior in health-related fields, Imperato recalled. The individuals responsible for the problematic activity themselves, or those in positions where they should have detected and prevented the activity, would both be targeted, he explained. “We started to see more and more individual liability actions back then,” he said, which has continued over time.

Copsey emphasized that it is not only executives who face individual accountability, but healthcare practitioners, as well. Though compliance officers sometimes erroneously suppose that government enforcers “never go after the doctors,” enforcement summaries available on the OIG website illustrate that the government does prosecute physicians sometimes, she observed.

“All of the people who are working within OIG, in particular, are very committed to individual accountability,” according to Copsey, who spent 18 years in various roles at OIG before joining Baker Donelson.

See “Polit and Aguilar Convictions Underscore DOJ’s Dedication to Individual Accountability – Despite the Challenges, Cost and Time Commitment” (Jul. 17, 2024).

Quality of Care

Enforcers are also expected to continue their years-long focus on quality of care. “OIG has been focused in recent years on coordination of quality-of-care oversight with the compliance program,” Turteltaub observed.

“OIG is always going to be first and foremost concerned with quality of care,” Copsey agreed.

“I do see a continued focus on quality,” Ortquist remarked. For example, comments Mehmet Oz made, upon being confirmed as Administrator for CMS in spring 2025, alluded to “his concerns about quality,” he recalled.

Medical Necessity

Medical necessity is a concept that often arises in healthcare enforcement. Many settlements have involved procedures the government found questionable, Ortquist observed. Medical necessity considerations have become increasingly “across the board,” he said. He drew a contrast with a past trend in which “big procedures” were often those in which there were “questions about medical necessity that have resulted in the notable settlements.” The concept often now forms part of an Evaluation and Management (E/M) service review for insurance payers. “These days, when we are doing claims reviews, we are even thinking about medical necessity in the context of an E/M review, and whether or not the service, as it was conducted, was medically necessary,” he observed.

Fraud, Waste and Abuse

Oz, upon becoming administrator for CMS, named fraud, waste and abuse among his top priorities.

The federal government has been prioritizing fraud, waste and abuse in healthcare since 1995, but its importance was elevated further in the wake of the Affordable Care Act of 2010, Imperato commented. At that point, “it became a cabinet-level priority,” he added. Oz’s comments indicate an ever-greater enforcement focus on fraud, waste and abuse, specifically in the managed care field, he stated.

“We started to hear in late 2023 and 2024 that the enforcement agencies were going to be focusing more and more directly on managed care organizations and different patterns of fraud,” Imperato recalled. Those patterns had been identified both through whistleblower cases brought over the years, and through data mining, he explained.

In the past couple of years, the DOJ Criminal Division’s Fraud Section has shown particular interest in decisions made behind the scenes among healthcare professionals, brokers and managed care plans, Imperato reported. Common issues included brokers receiving incentives to preferentially enlist healthier people to join a managed care plan, or to divert less healthy people from joining the plan, because healthier people mean lower treatment costs, he explained. The DOJ has also intervened in cases where people with disabilities were screened out from a plan, he noted. Based on the recent patterns of DOJ enforcement, such conduct “is going to be the basis for future actions as we go forward,” he predicted.

Throughout multiple administrations, members of Congress on both sides of the aisle have shown commitment to healthcare fraud enforcement, Imperato said. “The government is always committed to fighting fraud, waste and abuse.”

No Scaling Back

Enforcement against healthcare organizations is unlikely to relax under the current administration. Anyone hoping that enforcement would ease should “think again,” Ortquist advised.

Deficit Management Argues for Government Action

Budgetary considerations guarantee that the federal government will remain interested in “going after monies that they should not have paid out,” according to Ortquist.

The administration can be expected to take deficit management seriously, and that includes the kind of spending management that is a focus of much healthcare enforcement, Imperato agreed. “A way to reduce that deficit is to continue recovering money,” and “there is going to be a lot of pressure to do that,” he predicted.

Less Aggressive Documentation Demands

Despite continuing pressure to keep enforcement up, there could be some changes in terms of what is expected from companies under scrutiny.

In his own practice, Imperato has seen a few examples that have left him wondering if there is an unspoken policy shift on requesting documentation from companies, he said. In more than one recent instance, the DOJ sought what he thought were surprisingly modest amounts of evidence in cases of possible civil fraud in the healthcare space. In one case in which he was retained to intervene, DOJ attorneys advised him not to “bother looking for text messages” unless they later asked him to, he said.

It may have become the DOJ’s preference, in whistleblower-initiated civil cases, “to lessen the disruption to the organization during the investigative stage,” he suggested.

OIG Stays Non-Partisan

Leadership of the OIG remains non-partisan, Copsey said. “In the 18 years that I worked at OIG, never did I once experience some sort of partisan pressure,” she related. As evidence of continuity at OIG, she noted that in January 2025, Deputy Inspector General Juliet Hodgkins stepped up as acting Inspector General at the OIG, having previously served as the OIG’s Deputy Chief of Staff.

In November 2024, the OIG published what is meant to be the first of several industry-specific compliance program guidance documents, supplementing the all-embracing General Compliance Program Guidance of November 2023. Those documents are “a little bit delayed,” Copsey observed. However, she does not believe that this is due to any political changes or pressure. A team of eight in OIG’s industry guidance branch has been reduced to five, she said, and OIG’s statutory obligation to produce advisory opinions will take precedence over those documents. A delay in the OIG’s publication of recommended guidelines for various parts of the healthcare sector might reflect decreased personnel, but it does not demonstrate a policy shift, she asserted.

See “How Corporate Integrity Agreements Strengthen Compliance Programs at Healthcare Entities” (Sep. 25, 2024).

Old Statutes Used in New Ways

The AKS, FCA and Stark will continue to be the primary tools used by the DOJ for enforcement in the healthcare space, but they each may be used in slightly different ways than previously.

FCA

While most enforcement actions will be based in familiar fact patterns, “there might be some new areas that whistleblowers may focus on” owing to the present administration’s stated desire to redirect some FCA enforcement to Diversity, Equity and Inclusion (DEI) programs at organizations that receive federal money, Imperato said.

Stark

Stark will continue to direct much of the DOJ’s case load. However, Ortquist detected a “shift in focus” relating to the law at CMS. CMS is focused on “ownership arrangements that can cause some significant problems if they have not been handled in a way that is appropriate under Stark,” he said. This shift can be thought of as a return to the original notion of the Stark Law, he suggested. “Before it was amended back in 1993 to cover everything, it really was about physician ownership.”

More tightly focused Stark enforcement is expected to continue under Kim Brandt, CMS’ COO and Deputy Administrator since January 2025, in line with her approach in earlier public positions, according to Ortquist.

Despite the tightened focus, Stark-related whistleblower complaints can be expected to continue, Imperato predicted. Whistleblowers will continue making allegations, even if they turn out to be issues that CMS is no longer prioritizing, he said. Whistleblower complaints will continue to constitute “a compliance challenge” for organizations, he said.

AKS

The AKS may be a greater risk area for healthcare organizations because it covers a wider field, Copsey noted. However, despite the broad hypothetical application of that statute, federal officials tend to be “reasonable about their approach” in terms of which cases they choose to pursue, she observed.

A possible Stark violation can be an indicator that an organization also is vulnerable under the AKS, Ortquist noted. If an organization “is not doing a good job of managing its contracts and getting the signatures,” it may well have other issues that could implicate the AKS, he commented.

See “False Claims Act: Key Decisions and Predictions” (Feb. 28, 2024).

Caremark Cases Are On the Rise

In Re Caremark International Inc. Derivative Litigation (Caremark), a landmark decision regarding corporate directors’ oversight duty, broadly coincided with HHS calling for healthcare providers to have compliance programs, according to Ortquist. The case “became the basis for how we thought about potential board liability related to compliance programs.”

There has been “a big shift in the last three or four years” of Caremark cases, Ortquist commented. Since the 2015 Marchand v. Barnhill decision emphasized boards’ responsibility to monitor risks, courts have started applying this principle in the healthcare arena as well, he said.

However, in relevant cases concerning healthcare, courts have not been “finding liability for boards” that are alleged to have failed in oversight obligations, Ortquist said. Rather, courts are declining to dismiss cases. “These boards end up settling rather than going to litigation,” he observed.

“For the first time in 30 years, we are starting to see some boards settle on the notion that they did not do a proper job of overseeing compliance in the organization,” Ortquist stressed.

The tendency is likely to continue, Imperato said, adding, “I do not think there is going to be any diminution in that potential liability.”

See “New Year, Not So New Anti-Kickback Statute Enforcement Trends at the DOJ” (Feb. 14, 2024).

Compliance Teams Remain Critical

Despite, or perhaps because of, the multiple shifts in enforcement priorities, it is important for healthcare organizations to maintain a strong compliance team.

“The government is going to continue with individual accountability,” and an organization’s best choice to shield its employees and leadership is to keep “a strong compliance department,” Copsey said.

Acknowledge the Risks

Awareness of the enforcement and compliance risks should suffuse the organization’s leadership. They must “have some understanding of the fraud and abuse laws,” Copsey said. It is very important for the C‑suite and the board of a healthcare organization to understand the effectiveness of the organization’s compliance program, she stated. The CCO or compliance contact for the organization must “be part of the conversation,” she stressed.

Organizations should have good compliance programs, and, in a large organization, there should be a competent employee whose status is no lower than “chief compliance officer,” Copsey advised. A small organization should ensure it has someone on hand as a “compliance contact,” she added.

Get Independent Input

Bringing in independent review can help strengthen a compliance program.

Independent review of documentation and claims by a third party can help identify compliance issues, Ortquist said. Even a compliance team that considers its in-house process to be excellent can find that “opportunities to learn and to do things better” will emerge from an independent reviewer’s input, he said.

In Copsey’s own earlier work as a compliance monitor, “the first thing I looked at was the independent review organization report,” she said. This would give valuable insight into “exactly what was going on.”

Risk Assessment Is Key

Risk assessment is an important part of a compliance team’s work, not only to prioritize where to devote resources but to defend the organization in the face of potential government scrutiny.

Some compliance teams seem to think that “if something touches a regulation somewhere,” they must be closely tracking that consideration, Ortquist noted. However, they generally do not have enough resources to take this approach. Compliance teams that conduct effective assessment of the highest risk areas – something the OIG’s compliance program guidance can help with – will be better able to focus on those things that make the most difference, he said.

Any risk assessment the organization can do internally “is going to be valued more than anything,” should enforcers have a reason to examine the organization, Copsey stressed. The DOJ prominently highlights this in its compliance program guidance, she pointed out. Showing that an organization is making best efforts, and that any irregularity is “a mistake and not fraud,” is “extraordinarily important,” she commented.

Partnering With Medics

When addressing issues of quality of care and medical necessity, compliance officers should coordinate with professionals who are more familiar with the medical issues, Ortquist advised.

One situation in which this can arise is when compliance teams are conducting “a traditional claims audit,” Ortquist noted. Compliance professionals should consider “adding medical necessity as a component” of that audit, which would involve “having a clinician look at the claim and determine whether there might be any underlying medical necessity concerns,” he said.

Acknowledging this point, Imperato stressed that, in such audit situations, it is a good idea for professionals “to examine the medical necessity piece before it becomes an issue.” If that is achieved, the organization has more of an opportunity to manage that risk.

See “Implications of the Updates to the Pharmaceutical Research and Manufacturers of America Code” (Sep. 29, 2021).

Third Parties

Staying Current on Third-Party CSR Risks

Amid changing expectations regarding environmental impact and exploitative labor practices in companies’ value chains, managing risks at third parties – including vendors, consultants, sales agents, distributors, brokers and even customers – can be time-consuming. Additionally, several developments in the first few months of 2025 have shifted the playing field further.

During PLI’s Compliance & Ethics Essentials conference in June 2025, experts discussed how companies can stay on top of the corporate social responsibility (CSR) risks as part of their third-party risk management (TPRM) programs. The speakers were Maurice Crescenzi, industry practice leader at Moody’s Analytics; Ellen Hunt, then a principal consultant with Spark Compliance and now vice president for the global ethics and compliance program at Cushman & Wakefield; Timothy Hedley, executive in residence at Fordham University; and Shana Cappell, compliance and ethics global lead at PepsiCo. This article synthesizes insights from their conversation.

See “When and How to Audit Foreign Third Parties” (Apr. 23, 2025).

Meeting Numerous Expectations

A range of regulatory decisions and compliance norms affect efforts to conduct due diligence on third parties’ CSR.

U.S. Regulatory Developments

Several recent releases from the DOJ are relevant for third-party CSR, Crescenzi noted.

The Blanche Memo

A memorandum from AG Pam Bondi on February 5, 2025, underlined that the DOJ is “revising previous priorities” and that enforcement will focus on issues including immigration, cartels, transnational criminal organizations (TCOs), human trafficking and smuggling. Then, after an executive order paused FCPA enforcement, Deputy AG Todd Blanche issued a memorandum with new guidance on how the DOJ will be approaching bribery and corruption prosecutions going forward (Blanche Memo).

The Blanche Memo stresses an emphasis on “limiting undue burdens on American companies” and “targeting enforcement actions against conduct that directly undermines U.S. national interests.” It emphasizes the DOJ’s determination to fight against cartels and TCOs and avoid penalizing American businesses for routine practices. Among items that will not be focal points for enforcement, it mentions “the type of corporate conduct that involves de minimis or low-dollar, generally accepted business courtesies.”

The DOJ stating that business courtesies will not be a focus of FCPA enforcement is an interesting development, according to Cappell. Gifts, travel and entertainment expenditures are typically a significant area of third-party risk, she said, noting that PepsiCo trains third parties extensively on these issues in case they provide gifts and entertainment on the company’s behalf.

See “The FCPA Lives: Targeting the TCO Ecosystem” (Jul. 30, 2025).

The White Deer Settlement

Another 2025 enforcement touchstone with third-party implications, Hunt pointed out, is the DOJ’s June declination of prosecution against private equity firm White Deer.

The company that White Deer acquired was found to have violated sanctions in its relations with trading partners. White Deer was able to make the disclosure thanks to conducting due diligence on those third parties, Hunt noted. The case represents the first declination under the DOJ’s “safe harbor” for companies disclosing misconduct at their acquisition targets, she said. While the DOJ had revealed that policy in October 2023, now there is a concrete example of it in action.

See “White Deer Sanctions Settlement Underscores the Importance of Post-Acquisition Cleanup” (Jul. 30, 2025).

Bulk Sensitive Data

One further U.S. regulatory issue that Hunt highlighted is that of bulk sensitive personal data, something on which the DOJ issued a policy and guidance in April 2025, in response to an executive order issued by President Joe Biden in February 2024 (Data EO).

The DOJ’s policy and guidance implementing the Data EO target China, Cuba, Iran, North Korea and Venezuela, as well as entities under their control, and restrict certain data transactions. They took effect in April 2025, but there was a period ending in July during which civil enforcement would be waived against violators that made good-faith efforts to comply.

The rules make it even more critical for companies to know exactly what data they are providing to various partner companies and what those partners are doing with it, Hunt remarked.

See our two-part series “DOJ Guidance on Bulk Sensitive Data Rules”: “Enforcement Grace Period and Prohibited Transactions” (May 21, 2025), and “Compliance Program, Recordkeeping and Reporting” (Jun. 4, 2025).

E.U. Regulatory Developments

Recent years saw the E.U.’s legislative bodies passing the Corporate Sustainability Reporting Directive (CSRD) and Corporate Sustainability Due Diligence Directive (CSDDD), but an Omnibus package announced in 2025 (Omnibus) scaled back the impacts, Hedley noted.

The Omnibus aims to make sustainability reporting “less burdensome,” according to the press release announcing the Omnibus. It changes the applicability criteria to remove most of the companies that otherwise would have been in scope for the CSRD and simplifies the reporting standards for companies remaining in scope.

With requirements still being phased in, no U.S. companies are currently reporting under the CSRD or CSDDD, but compliance professionals are well aware of the matter, Hedley said. The sustainability reports from impacted companies have already started mentioning the requirements on the horizon, he noted.

Companies will be required to identify and assess any human rights and environmental impacts, across the entire value chain, under the CSDDD, Hedley warned.

Non-E.U. companies with E.U. operations over a certain size will be in scope, alongside large E.U. companies, Hedley pointed out. However, the Omnibus reduces the number of affected U.S. companies to a few hundred from several thousand, he said.

The proposed Protect USA Act could emerge as an important counterpoint, Hedley emphasized. The text of the proposed law states that it aims to “prohibit entities integral to the national interests of the United States from participating in any foreign sustainability due diligence regulation, including the [CSDDD] of the European Union.” Thus, if the Protect USA Act is passed, selected industries and companies in the U.S. would be protected from complying with the CSDDD. Exactly which companies would be included is not yet known and depends on the U.S. president’s choice, Hedley said. The business entities to which the Protect USA Act would apply could include any that the president “identifies as integral to the national interests of the United States,” and the president also would have the discretion to exempt any entity. Since E.U. lawmakers evidently remain committed to keeping companies in check on ESG issues, there will be ongoing tension with the U.S. should this proposed legislation be passed into law, he predicted.

See “E.U.’s Corporate Sustainability Due Diligence Directive Demands Environmental and Social Compliance” (May 8, 2024).

Social Justice Movements

Popular opinions regarding social justice and the environment are another set of expectations impacting CSR policies, Crescenzi said.

Recent social movements including MeToo and Black Lives Matter seem to be more subdued in the U.S. political climate since President Trump took office, Hedley observed. More broadly, though, concerns about justice and ecology must continue to be on compliance professionals’ radar from the point of view of TPRM, he stressed.

Insurance firms have shown concern about climate change, and its impacts are worrying many companies in ways that were not true a decade ago, Hedley added. Ongoing concerns about possible future pandemics, natural disasters and geopolitical conflicts are things compliance professionals must increasingly factor into their decisions, he advised.

All these areas of widespread public concern have implications for supply chain and CSR risk management, Hedley commented.

See “Speak-Up Technology: Can It Move the Needle on Workplace Culture?” (May 10, 2023).

Compliance Conventions

No matter what enforcement authorities say, the compliance community has developed its own set of norms around CSR drawing from multiple sources. There is a wide degree of agreement about what a company’s ethics and compliance program should contain, Crescenzi said.

The components of an effectively designed program show considerable uniformity across a range of documents that contain pronouncements on the matter, Crescenzi remarked. Some of these originate from the U.S. and some from elsewhere. The Federal Sentencing Guidelines for Organizations, the DOJ’s Evaluation of Corporate Compliance Programs and a range of prominent DPAs are all good sources of guidance on what constitutes an effective program, he advised. So are international documents, such as various standards from the International Organization for Standardization and the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance, he added.

In all of these sources, there is general agreement that companies should apply end-to-end risk management to each third party, starting with a business rationale for engaging that third party in the first place, Crescenzi said.

The DOJ has made clear in its guidance that third-party due diligence should not only occur when a business relationship begins, but throughout the entire relationship, Cappell remarked. Many companies’ third-party due diligence programs already conform to that, she said.

See our three-part series on the DOJ’s 2024 edits to the ECCP: “Some History and AI Expectations” (Nov. 6, 2024), “Data Analytics to Find Risks and Measure Effectiveness” (Nov. 20, 2024), and “Speaking Up, Compliance Resources and Lessons Learned” (Dec. 4, 2024).

How to Manage Third-Party CSR Risk

When it comes to managing CSR risk at third parties, companies have adopted a range of different approaches.

TPRM Is Cross-Functional

TPRM can be the responsibility of many different departments within a company. It is a cross-functional concern that can involve a company’s legal, procurement, enterprise risk management and IT teams, Hedley noted. Senior management and company boards also have huge roles to play, he added.

In his experience as a compliance consultant, Hedley has seen TPRM reside in many different departments, but the compliance department often plays a leading role with responsibility for monitoring the program as a whole.

PepsiCo intentionally maintains a system of multifunctional ownership of TPRM, Cappell shared. The compliance team will not make unilateral decisions on how to handle red flags raised about third parties, instead partnering with business managers, the company controller or legal professionals to determine how to proceed. Yet the compliance team is where the ultimate responsibility lies when it comes to execution, she said.

Indeed, TPRM is among the biggest risks the compliance function owns, Cappell said. It forms the core of an anti-bribery and anti-corruption program, she observed.

However, many companies house their human rights due diligence responsibility in the supply chain department, not the compliance function, according to Crescenzi.

ERM and KYC Are Helpful Comparisons

One helpful way to think about TPRM is as the external manifestation of enterprise risk management (ERM), Crescenzi suggested.

Whatever program elements a company applies to its internal ERM processes can also be applied outward to third parties, according to Crescenzi. The certifications and due diligence many companies insist on when hiring employees can be extended to the process of recruiting third parties, he said.

Know Your Customer (KYC) requirements can also provide a helpful paradigm for framing TPRM, particularly for the purposes of getting buy-in from business executives, Crescenzi noted. Using analogous phrases such as “know your vendor” or “know your distributor” can help corporate managers understand how third-party due diligence works, he suggested.

A key difference is that KYC requirements for banks are very prescriptive, Hedley pointed out. Third-party due diligence in general is not as prescriptive, despite the need for best practices and the existence of regulatory guidance, he said.

Due Diligence Is Already Well-Advanced

In many larger companies, third-party due diligence for CSR is already highly developed in anticipation of regulatory shifts.

Most big companies have a sustainability team, often tied in with their legal team, Hedley said. The Management Discussion and Analysis section of a company’s 10‑K filing will often include some mention of upcoming regulatory changes affecting third-party CSR, he noted.

Human rights and child labor are often already present in companies’ due diligence considerations, Hedley continued. Companies will often list such things in a materiality matrix and discuss them in a sustainability report, with metrics in place for measuring risks. However, this does not necessarily mean that a company has sufficient due diligence measures to satisfy some of the upcoming international requirements, he cautioned.

See “U.S. Trade Remedies Are Put to the Test by Forced Labor and Foreign Subsidies” (Jun. 19, 2024).

Tips for Getting the Most out of TPRM for CSR

The discussion’s participants had a range of recommendations from their analysis of TPRM pertaining to CSR.

Rinse and Repeat

By cyclically conducting due diligence, re-vetting third parties continuously over time, the compliance function can fill in gaps that business managers leave as they deal with third parties, Cappell said.

Business managers are unlikely to revisit due diligence once a partner has been onboarded, according to Cappell. Rather, they work with vendors that have proven themselves in the past.

PepsiCo’s compliance team applies across-the-board re-vetting of vendors at established points in time, Cappell revealed. Obtaining new certifications and putting the partner through fresh training can be a part of this, she noted.

Third-party risks can show up at any point in time, Hunt pointed out, making a cyclical reevaluation valuable.

Watching Conflicts of Interest

Conflicts of interest are another area to keep a close eye on.

Personal relationships between company managers and their counterparts at third parties, such as vendors, are clear conflicts of interest, Cappell emphasized, but this issue can be especially difficult to locate, as it is unlikely to emerge during routine third-party reviews. Instead, employee training must emphasize the importance of affirmatively revealing such conflicts, she said.

PepsiCo is doubling down on identifying conflicts of interest, providing standalone training specifically on that topic because conflicts of interest can wreak havoc on the supply chain, Cappell said. The company also recently started asking about such personal relationships in its third-party due diligence questionnaire, she added.

Conflicts of interest will be an increasing area of focus going forward, Hunt predicted. Compliance professionals need to know whether the company managers that regularly deal with vendors have any personal relationships with them that could influence their decisions, she said.

See “Managing Conflicts of Interest With Consistency and a Can-Do Attitude” (Feb. 12, 2025).

Inter-Functional Cooperation

A single third party may present multiple kinds of risk to the organization, Crescenzi pointed out. An entity that is corrupt or engaged in money laundering may also have human rights issues, for example, he said.

This underlines the importance of shared responsibility across organizational functions, including compliance. Where each function focuses on different risks, an interconnected approach can help tackle issues with a third party in a well-rounded way, Crescenzi remarked.

At PepsiCo, several different specialist experts within the company will coordinate with each other in dealing with a given third party, to present a united front to that party and deal – all together – with several issues, Cappell reported.

Such a coordinated approach provides multidimensional risk coverage and can help eliminate gaps in risk assessment, while also revealing redundancies between the functions, Hedley commented.

Verify Ownership

Advances in data technology make it possible to verify a third party’s ownership structure down to a 0.01‑percent stake, and thus to dig deep into who controls that company, Crescenzi told the audience. Even secondary and tertiary levels of ownership can be unearthed, along with information about one company’s managers sitting on another company’s board in a way that may raise a conflict of interest, he added.

Such data should be analyzed up to a point that the company determines is practically possible and in alignment with the level of risk, Cappell advised. Companies should choose a consistent, risk-based policy of verifying beneficial ownership down to a certain percentage that makes sense, she said.

A company should determine a well-considered level of risk appetite in this regard, given that risk can never be zero, Hedley concurred.

Consistency in this matter is important, to avoid digging deeper for some people while giving others a free pass, Hunt said.

See “Navigating the New FinCEN Beneficial Ownership Reporting Regime” (Feb. 28, 2024).

Don’t Ease Up

Changes in the DOJ’s enforcement focus do not justify slacking off on TPRM, the panelists agreed.

Rather, compliance professionals should continue intensively with due diligence, taking the DOJ’s new priorities as a cue to double down on TCOs and cartels, with a particular focus on Latin America, Cappell suggested.

At PepsiCo, Cappell’s team is examining third parties closely to ascertain how well-established and financially sound they are, and how many employees they have in order to root out any that are merely shell companies potentially being used for money laundering.

TCOs will remain a concern in the coming years, and the DOJ is likely to continue focusing on them in the next administration, she predicted.

Global requirements are another reason not to ease up on TPRM, Hedley observed. Even types of corruption offenses on which the DOJ currently seems to be relaxing its focus remain illegal in other jurisdictions, he stressed.

See our two-part series on the FCPA Executive Order: “The Future of U.S. Enforcement” (Mar. 12, 2025), and “Staying the Course in the Face of Continued Risk” (Mar. 26, 2025).