Individual Prosecutions

Zaglin Conviction Offers Insights on Individual Prosecutions in Trump 2.0


A federal jury’s return of a guilty verdict confirms that FCPA prosecutions will persist in the second Donald Trump presidential administration (Trump 2.0).

Following a trial in the Southern District of Florida, Carl Zaglin, owner and CEO of Atlanco, a uniform supplier company based in Marietta, Georgia, was convicted in September 2025 of conspiracy to commit money laundering for his role in paying bribes to Honduran government officials to secure contracts for the sale of uniforms and other items for use by the Honduran National Police.

Some might be surprised there was a prosecution at all given the general tenor of FCPA enforcement and government reductions at the onset of Trump 2.0. In February 2025, President Trump issued an executive order pausing FCPA enforcement (FCPA EO), and then, in June 2025, Deputy AG Todd Blanche issued a memorandum (Blanche Memo) explaining how FCPA enforcement will have a narrowed focus going forward.

In the wake of the FCPA EO and Blanche Memo, along with the cessation of multiple investigations, “the Zaglin jury conviction indicates that the government maintains some appetite for FCPA enforcement,” James Tillen, a member at Miller & Chevalier, told the Anti-Corruption Report.

This article analyzes the role that cooperating witnesses and international law enforcement played in the conviction and offers lessons for compliance teams on how to identify code words for corruption using both human intelligence and artificial intelligence (AI).

See our two-part series “The FCPA Lives”: Targeting the TCO Ecosystem (Jul. 30, 2025), and Protecting American Interests (Aug. 13, 2025).

A Yearslong Money-for-Contracts Scheme

The indictment filed against Zaglin (Indictment) and the government’s trial memorandum (Trial Memo) describe a multiyear scheme in which Zaglin and others sought to win contracts worth more than $10 million to provide uniforms and accessories to the Honduran National Police.

Between 2015 and 2019, Zaglin purportedly arranged for the payment of bribes to Honduran officials, including Francisco Roberto Cosenza Centeno (Cosenza), a former executive director of Comité Técnico del Fideicomiso para la Administración del Fondo de Protección y Seguridad Poblacional (TASA), a Honduran governmental entity, and former TASA Titular Director Juan Ramón Molina. The bribes were paid via third-party intermediary Aldo Nestor Marchena, who, at the time, resided in Boca Raton, Florida, and received $2.5 million via sham invoices that Zaglin authorized. Money paid by Atlanco to Marchena’s front company in the United States would then be transferred to accounts held on behalf of the Honduran officials in the U.S. and Belize, as well as other locations.

In early 2025, Marchena and Cosenza pleaded guilty to conspiracy to commit money laundering. Molina pleaded guilty to conspiracy to commit money laundering in December 2024. Charges against Zaglin, Marchena and Cosenza were unsealed in December 2023.

Interestingly, the “DOJ charged Carl Zaglin, the individual corporate officer who orchestrated the bribery scheme, along with his knowing associates, rather than pursuing charges against Atlanco or other corporate entities,” Richard Hartunian, a partner at Barclay Damon, told the Anti-Corruption Report.

A Conviction in Trump 2.0

The trial came at an unusual moment in FCPA enforcement history. The defendants were pursued during the Biden administration, and three had pleaded guilty before Donald Trump took office, but Zaglin’s conviction came after the significant changes made to FCPA enforcement priorities in the FCPA EO and Blanche Memo. Thus, the DOJ leadership’s choice to move ahead with the trial indicates continuity in FCPA enforcement.

“Even under shifting policies, core anti-bribery cases of this kind are still being prioritized,” Hartunian observed.

Keisha Stanford, a partner at Jenner & Block, sounded a similar note: “The Zaglin conviction provides some assurance that, for the DOJ, there will be somewhat of a return to ‘business as usual’” after the Blanche Memo, she told the Anti-Corruption Report.

Focus on Individuals

Individual liability is a significant focus of the Blanche Memo, and the Zaglin case bears that out.

Since the FCPA EO, the DOJ has dropped multiple investigations of corporations but moved forward with the trial against Zaglin, suggesting that “corrupt executives and individuals acting as middlemen for bribes are more likely to be prosecuted than the companies for which they work,” Tillen posited.

The DOJ has also moved forward with an upcoming trial against Charles Hobson, a former coal company executive indicted in the Western District of Pennsylvania in 2022, Tillen noted. Hobson is accused of violating the FCPA, money laundering and receiving kickbacks in a scheme to pay bribes to government officials in Egypt.

That the DOJ persisted in bringing Zaglin to trial “shows that the DOJ still believes that individual accountability is important, and the conviction will strengthen that belief,” Tarek Helou, a partner at Wilson Sonsini, said.

Targeting Cartels and TCOs

The DOJ’s pursuit of Zaglin also reflects Trump 2.0’s emphasis on thwarting cartels and transnational criminal organizations (TCOs), as emphasized in AG Pam Bondi’s memorandum, “Total Elimination of Cartels and Transnational Criminal Organizations,” issued on February 5, 2025. “The DOJ’s decision to prioritize a case centered in Honduras, where corruption is intertwined with organized crime and narcotics trafficking, aligns with the administration’s stated focus on areas tied to cartel and transnational criminal activity,” Hartunian observed. “That focus has the practical effect of concentrating anti-corruption enforcement in only certain regions, while perhaps signaling a retreat from a more global FCPA enforcement,” he added.

Protecting American Companies From . . . an American Company?

Zaglin’s case was framed by prosecutors as protecting American companies from unfair competition. “Prosecutors noted that Zaglin and his co-conspirators competed with other American companies for contracts with the Honduran government, which deprived American companies of a ‘fair playing field,’ echoing the language of the Blanche Memo,” Tillen said. “Throughout the pleadings, the DOJ emphasized that its enforcement priorities remain focused on addressing corruption impacting American businesses, which is consistent with the Blanche Memo,” he continued.

When the Blanche Memo was issued, there was much speculation that it would be used to privilege U.S. companies over foreign companies, but that was not the case here. “Contrary to suggestions that the FCPA would be weaponized against foreign companies and individuals, the Zaglin case involved a U.S. company and several U.S. persons,” Stanford pointed out.

See our two-part series on the Blanche Memo’s take on corporate responsibility: “Individuals Versus Corporations” (Sep. 10, 2025), and “Collateral Consequences and Global Norms” (Oct. 8, 2025).

The Importance of Cooperators

Prosecutors’ success in obtaining a conviction against Zaglin stemmed in part from the government’s use of a traditional evidentiary tool: cooperating witnesses. Zaglin’s conviction was obtained after co-defendants Cosenza and Marchena entered plea agreements and agreed to cooperate with the government.

The cooperators “were critical figures for the government because they had direct knowledge of – and, in some cases, active roles in – structuring bribe payments, facilitating transactions and interacting with foreign officials,” Barbara Llanes, a partner at Gelber Schachter & Greenberg, told the Anti-Corruption Report. “Cooperators are often pivotal in complex international bribery cases,” she noted.

“It helps to have someone else who was involved in the scheme explain who did what, explain why they did it, decode text messages or other communications, and tell the jury the story of what happened,” Helou, a former FCPA Unit Prosecutor, explained.

In this case, Cosenza’s and Marchena’s plea agreements required “cooperation with the DOJ, including providing testimony at trial and assisting investigators in reconstructing the bribery network,” Hartunian noted. Their cooperation “provided the prosecution with direct evidence regarding the mechanics of the scheme, specifically, the use of sham consultancy contracts, offshore accounts in Belize, and the intermediaries involved in transmitting corrupt payments,” he said. “This underscores DOJ’s continuing reliance on cooperators to expose and prove intricate cross-border bribery schemes.”

Zaglin’s case highlights the dangers of proceeding to trial when others have settled with the government. “It is always risky for a defendant to face trial after another co-conspirator has pled guilty,” Tillen observed. “Cooperating individuals bring the case to life, providing critical context for key events, communications and motivations, which otherwise may be difficult to establish using only vague emails and transactional records,” he said.

See “The Dos and Don’ts of Preparing a Cooperating Witness” (Nov. 4, 2015).

Following Threads From One Case to Another

Zaglin’s case intersected with a broader investigative web. The Honduran uniform contracts case in which he was involved was linked to information developed in an earlier FCPA case involving bribes paid to Bolivian government officials in exchange for contracts to provide tear gas and other non-lethal equipment. Two people involved in that matter, Luis Berkman and his son Bryan Berkman, were government witnesses in the Zaglin trial. The Berkmans apparently were working for Zaglin’s company, and Bryan Berkman is related by marriage to Marchena.

Not Uncommon in FCPA Cases

The DOJ “routinely opens investigations and develops evidence based on cooperators from prior cases or investigations,” Llanes noted. While less common in FCPA cases than in other types of criminal cases, such as those involving narcotics, uncovering a cascade of wrongdoing “is not extraordinary,” she continued.

“FCPA investigations, like other extensive federal investigations, often uncover more than one corrupt scheme, especially when witnesses or cooperating defendants span multiple deals,” Hartunian observed. “Because these cases often rely on insider cooperation, a cooperator in one matter can easily reveal related schemes or overlapping participants.” The Berkmans’ “cooperation in the Bolivian tear gas bribery case leading investigators to the Honduran police uniform scheme fits that pattern,” he continued.

“In the corporate setting, the DOJ will often use knowledge about a particular industry from one corporate investigation to pursue other industry players who may be engaging in the same behavior,” Tillen explained. “For example, the Panalpina-related FCPA cases exposed bribery schemes involving multiple companies in the oil and gas industry. Similarly, the ‘princeling’ cases involved multiple financial services companies entering into FCPA resolutions related to hiring relatives of officials in China.”

Incentives to Cooperate

It is not necessarily unusual for one FCPA matter to expose another one, Tillen observed, “as the government provides incentives for defendants (both individual and corporate) to cooperate.”

The Federal Sentencing Guidelines and the Federal Rules of Criminal Procedure allow prosecutors to request reduced sentences for witnesses who cooperate in the investigation and prosecution of others. U.S. Sentencing Guidelines § 5K1.1 allows the government to file a motion for a downward departure at sentencing where a defendant provides substantial assistance in the investigation or prosecution of another person. Similarly, Federal Rule of Criminal Procedure 35(b) allows the court, on the government’s motion, to reduce an already-imposed sentence for a defendant who provided substantial assistance in investigating or prosecuting another person.

“Rule 5K1.1 and Rule 35 motions are tools that federal prosecutors can use to request the court impose a more lenient sentence when the defendant provides substantial assistance to the government in the investigation or prosecution of others who committed criminal offenses,” Tillen explained.

See “2024 in Review: Industry Sweeps and Data Analytics to Find Cases” (Jan. 29, 2025).

International Cooperation

The apparent assistance provided by other governments, particularly Belize, further boosted the government’s case against Zaglin. The DOJ press release announcing Zaglin’s conviction noted that authorities in Belize and other countries had assisted with the investigation. The indictment indicated that bribe payments were routed through accounts in Belize.

“The DOJ’s Office of International Affairs worked with authorities in Belize, Colombia and Spain to investigate the scheme, and the prosecution may not have been successful without that assistance, or at least it would have been limited in the evidence it could obtain,” Llanes suggested.

“Belize has increasingly moved toward cooperation with foreign law enforcement through Mutual Legal Assistance Treaties (MLATs) and informal law enforcement channels,” Llanes said. “The DOJ’s ability to secure records and cooperation from Belizean authorities suggests that the U.S. now has practical pathways to obtain banking information that once would have been shielded,” she continued.

It was a step forward both for the case and for broader cooperation. “Although DOJ did not disclose the speed or scope of Belize’s response, the successful exchange of financial records shows that jurisdictions with historically opaque banking systems can be persuaded to provide evidence through established legal channels,” Hartunian observed. The Zaglin case “underscores that U.S. enforcement efforts are increasingly capable of reaching offshore accounts, but only when supported by cooperative governments,” he continued. “Cross-border transparency still hinges on the discretion and goodwill of foreign authorities.”

Continuing to reap the benefits of cooperation from foreign authorities may require some diplomacy. “Notably, the assistance from Belize pre-dated the current administration and the change in approach to FCPA enforcement,” Tillen said. “There may be questions as to the willingness of other countries to cooperate going forward due to the U.S. government’s focus on corruption harming U.S. business and other priorities in the Blanche Memo to the exclusion of other corruption matters that are covered within the scope of the FCPA,” he suggested.

See “2024 in Review: International Cooperation Continues to Drive ABAC Enforcement” (Dec. 18, 2024).

How Compliance Can Crack the Code

As in many FCPA cases, Zaglin and others used coded language in emails and other electronic communications as well as sham contracts and invoices to carry out the scheme, according to the Indictment.

“The Zaglin defendants used evasive language (referring to ‘commissions’ and ‘fees’ as bribes, calling Marchena ‘Miami,’ and so on), a common tactic to disguise illicit payments,” Hartunian observed.

Short of becoming cryptanalysts, compliance teams can take some steps to try to prevent wrongdoers from operating in plain sight.

Controlling the Platform

An important step in understanding coded messages related to bribery is being able to see employees’ full range of communications by requiring that they use official channels.

“Some companies require employees to use company-controlled versions of messaging apps, and some large companies combine that with surveillance of communications,” Helou said.

“It is often critical to obtain data from mobile devices and messaging applications like WhatsApp, which can provide valuable evidence to help crack the code,” Tillen emphasized.

Compliance teams can “require use of official company email and systems for business communications,” Hartunian advised, while use of personal accounts or encrypted consumer messaging services for business should be discouraged. “Zaglin’s group used personal email and encryption to avoid scrutiny,” he noted. “Having mandatory logging and retention of official communications makes audits possible,” he said.

Understanding the Lingo

Compliance teams also need to be savvy about language the company’s employees might use.

“Coded terms present a challenge to investigating corruption,” as search terms may miss the code words, Tillen cautioned. Thus, “it is important to examine what may appear as non-relevant communications related to transactions under review to see if there are any oddities suggesting code words are being used,” he argued.

“Compliance teams might identify relevant terminology by becoming familiar with terms in the industry and the context in which the company operates,” Llanes suggested.

Corporations might also “institute a system where contracts from one division are reviewed by employees from a separate division,” Llanes said. “That way, the employee reviewing the contract will be able to identify red flags.”

On the flip side, compliance teams can educate employees “about typical euphemisms (e.g., ‘consulting fees,’ ‘administrative services,’ etc.) that may hide bribery,” Hartunian suggested. They might also “ensure codes of conduct require plain descriptions of payments,” he added.

During an internal investigation, a company can draw inspiration from federal prosecutors. “Cooperation from an insider with knowledge can be especially valuable, as they can help interpret the code and provide crucial context,” Tillen said.

Enlisting AI Help

Other new tools at compliance teams’ disposal are the myriad AI tools that have proliferated since ChatGPT was released in November 2022.

To help surface anomalies and identify code words, companies can “invest in AI programs that can monitor and safeguard corporate compliance,” Llanes said.

AI and machine learning tools “can assist by surfacing relevant documents and learning to recognize coded language patterns,” Tillen noted.
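The two points above, that fixed search terms miss code words and that a model can instead learn which terms are unusual in the communications under review, can be shown with a small script. The following is an added example written for this article; it is not code from the Zaglin filings, from any of the practitioners quoted, or from a commercial compliance product. It combines a lexicon pass for the euphemisms the article names with a second pass that scores every term by how over-represented it is in the messages tied to a transaction, compared with a baseline of ordinary business traffic (a smoothed log-odds ratio, chosen here for illustration). The messages, the euphemism list and the stopword list are all constructed; the nickname “Miami” is borrowed from the article only as a sample code word.

```python
"""Surface candidate code words in communications tied to a transaction under review.

Added example for this article (constructed data; not the DOJ's or any vendor's tool).
Pass 1 looks for known payment euphemisms.  Pass 2 ranks terms by how much more
often they appear in the review set than in ordinary business email, so a
nickname that no search-term list contains still floats to the top.
"""
import math
import re
from collections import Counter

# Pass 1: known euphemisms, written as regexes so plural forms also match.
EUPHEMISM_PATTERNS = [
    r"\bconsulting fees?\b",
    r"\bcommissions?\b",
    r"\badministrative services\b",
    r"\bfacilitation (?:fee|payment)s?\b",
    r"\bspecial (?:fee|payment)s?\b",
]

# Function words excluded from the statistics (constructed list, not exhaustive).
STOPWORDS = {
    "the", "and", "for", "has", "our", "out", "will", "with", "that", "this",
    "are", "can", "you", "your", "once", "before", "after", "says", "needs",
    "please", "confirm", "send", "tell", "end", "month", "week", "next",
}
TOKEN_RE = re.compile(r"[a-z]{3,}")

# Constructed sample traffic.  BASELINE is routine email from the same business;
# REVIEW is the thread tied to the contract under investigation.
BASELINE_MESSAGES = [
    "Please confirm the uniform shipment to Tegucigalpa leaves the warehouse on Friday.",
    "Invoice 4471 for the boot order is attached; payment terms are net 30.",
    "The police uniform samples passed inspection, proceed with the full order.",
    "Customs paperwork for the Honduras shipment needs the updated packing list.",
    "Can you send the revised quote for the tactical vests before the meeting?",
    "Freight forwarder confirmed the container booking for next week.",
    "The tender documents are due Monday, please review the technical spec.",
    "Reminder: quarterly vendor review is scheduled for Thursday at ten.",
]
REVIEW_MESSAGES = [
    "Miami says the commission has to land before the tender closes.",
    "Wire the consulting fee to the usual account and Miami will handle the rest.",
    "Our friend in the capital confirmed the award once the commission clears.",
    "Miami needs the second commission by the end of the month.",
    "Invoice the consulting fees as administrative services so it matches the contract.",
    "Tell Miami the uniform contract is signed and the balance goes out Friday.",
]


def tokenize(text):
    """Lower-case alphabetic tokens of three or more letters, minus stopwords."""
    return [t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS]


def lexicon_hits(messages):
    """(message index, matched phrase) for every known euphemism found."""
    hits = []
    for i, msg in enumerate(messages):
        low = msg.lower()
        for pat in EUPHEMISM_PATTERNS:
            hits.extend((i, m.group(0)) for m in re.finditer(pat, low))
    return hits


def distinctive_terms(review, baseline, min_count=2, top_k=5):
    """Rank terms by smoothed log-odds of occurring in `review` versus `baseline`.

    A term common in the review set and absent from the baseline scores high;
    shared business vocabulary ("uniform", "invoice") scores near zero.  Terms
    seen fewer than `min_count` times are dropped so one odd word cannot dominate.
    """
    rc = Counter(t for m in review for t in tokenize(m))
    bc = Counter(t for m in baseline for t in tokenize(m))
    n_r, n_b = sum(rc.values()), sum(bc.values())
    scored = []
    for term, cr in rc.items():
        if cr < min_count:
            continue
        cb = bc.get(term, 0)
        score = (math.log((cr + 1) / (n_r - cr + 1))
                 - math.log((cb + 1) / (n_b - cb + 1)))
        scored.append((term, round(score, 3)))
    scored.sort(key=lambda x: (-x[1], x[0]))
    return scored[:top_k]


def review_report(review, baseline):
    """Both passes together; 'unexplained' is what the lexicon alone would miss."""
    lexicon = lexicon_hits(review)
    known = {phrase for _, phrase in lexicon}
    candidates = [t for t, _ in distinctive_terms(review, baseline)]
    unexplained = [t for t in candidates if not any(t in p for p in known)]
    return {"lexicon_hits": lexicon, "distinctive": candidates, "unexplained": unexplained}


if __name__ == "__main__":
    for key, value in review_report(REVIEW_MESSAGES, BASELINE_MESSAGES).items():
        print(f"{key}: {value}")
```

On the constructed data the lexicon pass flags “commission,” “consulting fee(s)” and “administrative services,” but it never sees “Miami,” which only the distinctiveness pass surfaces. The same pass also flags “contract,” a perfectly ordinary word that happens to be absent from the baseline; that is the kind of false positive a reviewer with industry and deal context, or an insider who can decode the thread, is needed to dismiss, and a larger baseline corpus reduces it. Keyword lexicons catch known euphemisms; the statistical pass is what catches the nickname nobody thought to search for.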

See “Integrating AI Into the Five Stages of an Investigation” (Oct. 8, 2025).

Benchmarking

Emerging Global Compliance Standards: DOJ, OECD and World Bank Guidance


For many years, multinational companies have looked to U.S. enforcers for guidance on building their compliance programs. However, over the last decade, enforcers in other jurisdictions have more clearly expressed compliance expectations and, since the start of 2025, U.S. enforcement has shifted in unexpected ways. These trends leave many companies unsure about what guidance to follow and, as a result, what their compliance programs should look like.

During a panel at the SCCE’s 24th Annual Compliance & Ethics Institute, speakers highlighted multiple sources of guidance companies can turn to for benchmarking their programs.

Ethics and compliance teams are often trying to build a structure to allow employees to do the right thing, using fear of prosecution as the main motivation, panel moderator Nathaniel Edmonds, a former FCPA Unit prosecutor and current partner at DLA Piper, observed. However, “enforcement is in an age of transition,” so fear-based arguments “may not be quite as effective,” he said. At the same time, corporate compliance is still necessary to “allow our companies to thrive and to allow our teams to be successful.”

The DOJ’s compliance guidance “is some of the best-known compliance guidance that is out there,” Edmonds opined. However, when multinational companies are thinking through what is important, they should not be worried about just the DOJ or other U.S. authorities. Rather, companies “want to think about what matters regardless of what is happening in enforcement,” he advised.

This first article in a two-part series distilling and expanding on the panel’s insights looks at guidance from the DOJ, OECD and World Bank Group (WBG). The second article will examine guidance from the Agence Française Anticorruption and enforcers in the U.K., and review the eight common elements of a compliance program all companies should have.

See “2024 in Review: International Cooperation Continues to Drive ABAC Enforcement” (Dec. 18, 2024).

U.S. Guidance

Many multinational companies have turned to guidance from U.S. enforcers over the years. Because U.S. enforcers at multiple agencies consider the efficacy of a company’s compliance program when deciding how to resolve allegations of corporate malfeasance, complaints and settlement agreements can be instructive. Additionally, the U.S. Sentencing Guidelines provide for a reduction in a company’s culpability score if it has an “effective compliance and ethics” program, and they describe what constitutes such a program. The DOJ has gone even further by issuing documents with more detail as to the elements of a strong compliance program.

CEP

In 2016, the DOJ introduced a pilot program for FCPA matters whereby companies could avoid prosecution if they met certain criteria. That program eventually morphed into what is now called the Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). According to Andrew Gentin, former Chief of the DOJ’s Corporate Enforcement and Compliance Unit (CECU) and current managing director and GC at Rosetti Star, there are three factors the DOJ looks at to determine what the appropriate remedy will be: self-disclosure, cooperation and remediation. Building and improving a compliance program is a necessary part of the remediation factor.

In May 2025, the DOJ issued significant changes to the CEP in line with the current administration’s enforcement priorities.

See “Do the 2025 Changes to the DOJ’s CEP and Whistleblowing Programs Encourage Companies to Self-Report?” (Jul. 16, 2025).

ECCP

Circa 2017, companies seeking reduced penalties based on the sentencing guidelines or under the newly introduced CEP would come in for a compliance presentation before the DOJ and “were a little lost,” Gentin recounted. “They were not sure what to present on,” nor what questions the DOJ would ask. As a result, the DOJ “decided to put forward a document, which is really guidance,” he noted, in the form of a series of questions prosecutors might ask a company during a compliance presentation, now referred to as the Evaluation of Corporate Compliance Programs (ECCP).

The ECCP was written in a way so as not to place particular emphasis on certain individual elements of a compliance program over others. “That is, in part, why it is in the form of questions,” Gentin said. “The DOJ wants companies to use their own resources to come up with their own solutions,” he explained. It is “trying not to be prescriptive.”

The ECCP was last updated in September 2024. As of September 2025, when Gentin left the DOJ, there were no changes to the ECCP in the works. “So if there are going to be changes, I do not think they are going to be in the near future,” he said.

See our three-part series on the DOJ’s 2024 edits to the ECCP: “Some History and AI Expectations” (Nov. 6, 2024), “Data Analytics to Find Risks and Measure Effectiveness” (Nov. 20, 2024), and “Speaking Up, Compliance Resources and Lessons Learned” (Dec. 4, 2024).

DOJ’s Corporate Enforcement and Compliance Unit

The introduction of the ECCP provided companies with guidance, but the Fraud Section “did not really have a lot of expertise” in compliance at the time, Gentin recalled. As a result, in 2020, the Fraud Section put together the Strategy, Policy and Training Unit, which is now the CECU, of which Gentin was Chief. The goal was “to put a lot of expertise in one unit that can handle all compliance management from Fraud Section,” he said.

Gentin was part of the team that hired people into the CECU. They looked for “people who had in-house experience” as well as “former partners at law firms who had worked on compliance matters and monitorships,” he recounted. The search resulted in a team of four to five people “who really were experts on compliance and corporate enforcement.”

The CECU plays a unique role in corporate settlements. Prosecutors in investigating units, such as the FCPA Unit, will handle a case until it gets close to a resolution. At that point, the CECU will issue a document request to the settling company that consists of five single-spaced pages seeking information related to the company’s compliance program. “It is very comprehensive,” Gentin said, requiring companies to produce “basically all their risk assessments, all their third-party due diligence [and] every compliance document they have to the Department.”

Once documents are received, the CECU reviews them closely so that the Unit’s members are “fully prepared to ask questions” of the company’s CCO during the compliance presentation, Gentin said. The CECU then works with the investigators to determine the appropriate settlement terms, including the form of settlement (deferred prosecution agreement, non-prosecution agreement, declination with disgorgement or guilty plea), reporting obligations and whether a monitor should be imposed.

See “Dan Kahn Reflects on the DOJ’s Compliance Evolution” (May 25, 2022).

OECD Guidance

While perhaps not the first place that companies look for guidance, the OECD has multiple resources for companies to build up their compliance program.

Background on the OECD

The OECD is an intergovernmental organization founded in 1961 with 38 member countries. “It is basically a transatlantic organization, mainly composed of European countries and Western countries,” Nicola Bonucci, former legal director of the OECD, explained. There are both advantages and disadvantages to this arrangement. “It is a disadvantage because we do not have the universality of the world,” he said, but it is an advantage because things can be pushed forward without full global agreement.

The OECD has a Working Group on Bribery (Working Group), which was established in 1994 to monitor the OECD Anti-Bribery Convention (Convention), the 2021 Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions and related instruments.

The Working Group publishes monitoring reports on the progress that each country that has signed on to the Convention has made in implementing it. As part of this monitoring, the OECD has published non-binding guidance for companies on developing and implementing internal controls and compliance programs for the prevention of bribery.

The monitoring reports and non-binding guidance are useful for companies because they contain recommendations that the U.S. government and 45 other countries have endorsed, Edmonds explained. They also influence the policies of the signatory countries, he noted.

Good Practice Guidance on Internal Controls, Ethics and Compliance

In 2009, the OECD adopted the Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions, which was then amended in 2021. Annex II to this document consists of the Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practice Guide).

The OECD Good Practice Guide says that compliance programs should “be developed on the basis of a risk assessment addressing the individual circumstances of a company[.]” Additionally, it suggests that these individual circumstances “should be regularly monitored, re-assessed, and taken into account as necessary, to determine the allocation and compliance programme or measures.” It then goes on to enumerate critical elements of a compliance program, including commitment from company leadership, clear policies, internal reporting mechanisms, third-party risk management, training and communications, and incentives for ethical behavior.

“If a company has a doubt on how [it] should set up an internal control or compliance system, I really strongly advise [it] to look at this [document],” Bonucci urged.

The OECD Good Practice Guide was signed on to by all 38 OECD member countries as well as several additional countries, including Brazil and South Africa. As a result, “it is very difficult for any law enforcement authority to challenge the legitimacy” of a program that conforms to this guidance, Bonucci said.

Guidelines on Anti-Corruption and Integrity in SOEs

The Working Group has also published Guidelines on Anti-Corruption and Integrity in State-Owned Entities (SOE Guidelines). In their preface, the SOE Guidelines note that 102 of the 500 largest enterprises in the world are SOEs.

The increasing prevalence of SOEs, particularly the sheer number of Chinese SOEs, is “one of the biggest challenges” in today’s business world, Bonucci suggested. Additionally, in many European countries, the healthcare sector is almost entirely state-controlled. Sometimes companies do not even know they are dealing with an SOE, he observed.

The OECD developed the SOE Guidelines to help SOEs, but they can also be helpful for private companies that “are dealing abroad with companies that [they] believe could be [SOEs],” Bonucci said.

Due Diligence Guidelines for Responsible Business Conduct

The Working Group has also published Due Diligence Guidelines for Responsible Business Conduct (DD Guidelines).

These are “directed to companies,” Bonucci noted. The stated objective of the DD Guidelines “is to provide practical support to enterprises on the implementation of the OECD Guidelines for Multinational Enterprises by providing plain language explanations of its due diligence recommendations and associated provisions,” he shared.

See “Five Steps for Companies Facing an OECD National Contact Point Process” (Dec. 11, 2019).

World Bank Group

The WBG is an international treaty organization that also provides compliance guidance. Its shareholders are “pretty much every country in the world with a few exceptions,” Joseph Mauro, senior counsel in the integrity compliance office at the WBG, explained. WBG is a development organization, which means it provides “funding and other types of support for middle-income and low-income countries to try to raise the standard of living,” he said. It sponsors “all different types of projects,” including those involving construction, healthcare and education.

Contractual Obligations

Importantly, the WBG “is not an enforcement authority,” Mauro emphasized. Rather, its authority “is all contractual.” Anytime the WBG finances a project, the contract includes anti-corruption guidelines, which prohibit the company from paying bribes and engaging in what are called “sanctionable practices,” he explained. “Those obligations flow all the way down the supply chain to the lowest level subcontractors.” Even so, many companies further down the supply chain are not aware that these contractual obligations may bind them.

WBG contracts also contain audit rights, which is how the WBG conducts investigations. The bank has no subpoena power, nor can it arrest people, Mauro noted. “We can just say you are contractually obligated to show us your books and records because we have a suspicion of fraud and corruption on the project,” he said. Under the terms of WBG contracts, refusing to share books and records is itself a sanctionable practice.

The Sanction Process

If a company or individual commits fraud or corruption related to a sponsored project, WBG imposes sanctions based on its contractual rights.

WBG investigators will gather evidence about a possible sanctionable practice and then present that evidence to a first-level adjudicator “who will decide the case on the written record,” Mauro explained. If the decision goes against WBG investigators, “that is the end of the case,” he said, but if the adjudicator finds that there was misconduct, that decision is appealable to an independent board of experts called the sanctions board. There is also an opportunity for a negotiated settlement where the respondent entity can agree to the terms of the sanction.

In almost every case where a company has been found to have engaged in misconduct, “there are conditions for release from sanction that the company has to complete before the sanction can be over, and the main condition in most cases is building up a compliance program,” Mauro said.

This is where Mauro comes in: his role is to help companies that have committed misconduct build up their compliance programs, as one of the conditions for being released from sanction so that they can contract with the WBG again.

Working With Sanctioned Companies

While the WBG works with some large companies, the majority of companies it works with are small and medium enterprises (SMEs). Thus, the WBG compliance advice is focused on the broad range of sanctionable practices contemplated in its contracts and “applicable and adaptable to all different types of companies,” Mauro said.

Indeed, Mauro will often encounter small, family-owned companies with just a handful of employees that argue they have never heard of compliance or that it does not apply to them. He will walk through the elements of a compliance program and assist them with appointing a part-time compliance officer, drafting a code of conduct or introducing training. “Training usually takes a lot of patience in these cases,” he reported.

For larger companies, an issue may arise if they have built compliance programs to DOJ standards but have not addressed compliance concerns unique to the WBG, such as prevention of fraud in the bidding process. For example, it is a contract violation if a company submits a bid for a WBG-financed project and “lies about who is going to be working on the project, fails to disclose an agent or a subcontractor working on the project, or during the execution lies about the hours that have been worked,” Mauro recounted. The WBG can impose sanctions for all of those fraudulent practices. When sanctions have been imposed, Mauro will work with the company to build systems to make sure bids are accurate going forward.

Compliance Guidance

To assist companies, the WBG has put together a Summary of WBG Integrity Compliance Guidelines, which says it “incorporates standards, principles and components commonly recognized by many institutions and entities as good governance and anti-fraud and corruption practices.”

The WBG has also developed an Integrity and Compliance Knowledge Sharing Platform that provides “a lot of resources and opportunities for compliance professionals to connect,” Mauro said.

Further, in 2024, the WBG published Practical Guidance and Resources for Integrity Compliance Programs for SMEs. The 82-page document contains “a lot of our thoughts in this area,” Mauro continued.

See “World Bank Settlement Debars Selçuk Yorgancıoğlu With Integrity Compliance Conditions” (May 10, 2023).

Judicial Decisions

Managing Data Transfers After Latombe


In September 2025, the European General Court (EGC) rejected a call by French Member of Parliament Philippe Latombe to annul the adequacy decision of the European Commission (EC), which approved the E.U.-U.S. Data Privacy Framework (DPF) governing the transfer of personal data from the E.U. to certified organizations within the U.S.

This article provides an overview of the factual and legal context underlying the EGC’s decision in Latombe v. Commission, the key rulings and practical considerations around data transfer practices following the decision. In addition, since Latombe is far from likely to be the last word on the adequacy of the DPF, this article discusses certain future challenges that may be brought.

See “Navigating Recent Changes to China’s Data Privacy Laws in Internal Investigations” (Jun. 5, 2024).

From Privacy Shield Invalidation to an Adequacy Decision

Schrems II

The DPF was a response to the July 2020 invalidation by the Court of Justice of the European Union (CJEU) of the DPF’s predecessor, the U.S.-E.U. Privacy Shield, in its Schrems II decision. In that decision, the CJEU ruled that: (1) data collection by the U.S. government violated the principle of proportionality because it was not limited to what was strictly necessary for intelligence gathering needs; and (2) an ombudsman mechanism within the U.S. State Department lacked independence and enforcement capabilities, which effectively left aggrieved persons without redress. However, the decision did uphold, in principle, the validity of Standard Contractual Clauses (SCCs) – terms that are pre-approved by the EC and used for the lawful transfer of personal data outside the E.U. to countries for which the EC has not issued an adequacy decision under the General Data Protection Regulation (GDPR).

See “E.U.-U.S. Data Transfers After the Schrems II Decision” (Aug. 5, 2020).

EO 14086

In response to Schrems II, in October 2022, President Joseph Biden issued Executive Order 14086, Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086).

To address the proportionality argument, EO 14086 directs that personal data collection by U.S. signals intelligence (SIGINT) must be “necessary to advance a validated intelligence priority” and conducted in a proportional manner that balances the advancement of the intelligence priority with the impact on privacy and civil liberties. EO 14086 also limits data collection to purposes such as assessing foreign governments, foreign militaries and international terrorist organizations; and protecting against terrorism, espionage, weapons of mass destruction, cybersecurity threats, criminal threats, and electoral and political interference. It further sets forth impermissible objectives such as suppressing or restricting legitimate privacy interests, freedom of expression and political opinions and disadvantaging people based on certain protected characteristics.

To resolve the concerns about redressability, EO 14086 provides for a Civil Liberties Protection Officer (CLPO) within the Office of the Director of National Intelligence who is tasked with reviewing, investigating and remediating complaints about SIGINT activities. EO 14086 further authorizes the U.S. AG to create a Data Protection Review Court (DPRC) that is empowered to review the CLPO’s decisions and issue final and binding determinations thereon. The AG appoints judges in consultation with the Secretary of Commerce, the Director of National Intelligence and the Privacy and Civil Liberties Oversight Board (PCLOB), whose functions include reviewing executive branch policies, procedures and regulations to protect privacy and civil liberties.

To deal with the issues related to judicial independence, EO 14086 prohibits the AG from interfering with the DPRC’s review of CLPO decisions or removing the CLPO or DPRC judges “except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity.”

See “Decoding the Administration’s First Cyber Executive Order” (Jul. 16, 2025).

Adequacy Decision Issued

On July 10, 2023, the EC issued an adequacy decision approving the DPF (Adequacy Decision), finding that, in view of the additional protections of EO 14086, the U.S. provides an “adequate level of protection,” as that term is understood in Article 45(1) of the GDPR, for personal data transferred from the E.U. to certified organizations in the U.S. Subsequently, Philippe Latombe, a member of the French National Assembly, brought an action in the EGC seeking the annulment of the decision.

The Key Rulings of Latombe

Preliminary Observations

In its decision, the EGC made two “preliminary observations.” First, it noted that under Schrems II, a non‑E.U. country need not offer “identical” protection to secure a finding that it offers an “adequate level of protection,” but merely that its protections be “substantially equivalent” to those of the E.U. This did not represent a change but rather was a reaffirmation of existing law, Cynthia O’Donoghue, a partner at Reed Smith in London, told the Cybersecurity Law Report.

In its second preliminary observation, the EGC stated that the legality of an E.U. act such as the Adequacy Decision must be assessed on the facts and law in existence when it was adopted, and not subsequent developments. As a result, in its ruling the EGC did not consider events occurring in the U.S. after the Adequacy Decision that implicate the DPF.

Redress Mechanisms

The EGC upheld the EC’s determination that the DPF satisfies the GDPR’s adequate level of protection requirement with respect to redress mechanisms. It found that the establishment of the DPRC satisfied the requirement that data subjects have access to “an independent and impartial tribunal previously established by law.” The DPRC is equipped with sufficient safeguards, it observed, which include criteria for judicial appointments, independent review powers and the ability to issue final, binding decisions.

The EGC did not find the PCLOB’s advisory role in judicial appointments problematic because it was established as an independent, bipartisan executive branch agency. It also relied on the fact that the AG can only remove DPRC judges for cause.

Thus, the EGC reasoned, the DPRC is sufficiently independent from executive branch influence even though it is not an Article III court. As of at least late 2024, when the EC conducted its first review of the DPF, no complaints had been lodged with the DPRC, Julian Flamant, a senior associate at Hogan Lovells, told the Cybersecurity Law Report.

Data Collection

The EGC rejected Latombe’s argument that the Adequacy Decision violated the Charter of Fundamental Human Rights because it failed to ensure an adequate level of protection with respect to bulk collection of personal data by U.S. intelligence agencies. In particular, the EGC did not agree that the bulk collection of personal data must be “the subject of prior authorization issued by an independent authority,” and found that the opportunity under the DPF for ex-post judicial review was sufficient.

The EGC also relied on the fact that EO 14086 requires intelligence agencies to prioritize targeted data collection over bulk data collection and further circumscribes the collection of the latter. The U.S. President’s power to authorize a secret update of the purposes of bulk data collection was not problematic because it was limited to cases of “new national security imperatives” such as national security threats, the EGC found.

In a Nutshell – Why Latombe Matters

The Latombe ruling constitutes a “reassuring finding” that the transfer mechanism of companies operating under the DPF is valid, which is a “huge bonus” for international trade, Rohan Massey, a London-based partner at Ropes & Gray, told the Cybersecurity Law Report. The decision is the latest development in a historic trend of trying to balance international trade, free data flows and adequate protection of European individuals. It reconciles the European omnibus regime, which views privacy and data protection as fundamental rights, with the U.S. regime, which is sectoral and commercially driven, he added.

The Latombe decision is also important because it was made after a “substantial” review of the rights of redress and U.S. bulk data collection under the Foreign Intelligence Surveillance Act and demonstrates the DPF does not have to be “exactly the same” as the GDPR to earn an adequacy decision, O’Donoghue said.

“We always knew that essential equivalence didn’t require mirroring the provisions of the GDPR, but we didn’t have a strong sense of what alternate approaches would survive judicial scrutiny,” Flamant noted. “One of the big innovations of the Latombe ruling is the meat that has been added to the ‘substantially equivalent’ analysis.” The EGC “thankfully” outlined various use cases for what substantial equivalence requires in the contexts of judicial independence, and necessity and proportionality obligations around bulk data collection, he said.

The ruling is “big news,” because it is the first time that an E.U.‑U.S. data transfer framework survived a challenge, Brussels-based King & Spalding partner Charly Helleputte told the Cybersecurity Law Report.

Latombe “matters because it is the first assessment on the new DPF,” Steptoe partner Anne-Gabrielle Haie concurred. However, companies should not assume that the decision means the DPF will be “sustainable” or “survive over time,” she cautioned.

Should U.S. Companies Seek DPF Certification?

Companies That Already Chose a Path

The Latombe decision probably will not suddenly “increase the attractiveness” of the DPF to companies that use SCCs, and those companies “for which certification was essential have probably applied already,” Massey opined.

Haie agreed. The Latombe decision is a “nonevent” with respect to a company’s choice of transfer mechanism, and those that are using alternative transfer mechanisms should continue to do so, she advised.

Companies Assessing Options for the First Time

Regarding whether to operate under SCCs or the DPF in the first instance, one is not “better than the other,” Haie said. It is really a business decision regarding which mechanism is the most appropriate, and it depends on the type of company and data being transferred, she elaborated.

Some large U.S. companies might be “culturally more comfortable” being regulated in both the U.S. and Europe and treat DPF certification as “almost like a kitemark for the transfer of data,” O’Donoghue observed. Also, the DPF can facilitate transactions where a U.S. company needs to receive systematic transfers of similar types of data from organizations based in Europe – whether employee or B2B or B2C customer data – whereas SCCs can be more limited as to the scope of data transferred, she said. In addition, SCCs might be more appropriate for U.S. to E.U. transactions, which are not covered by the DPF. SCCs also might be more appropriate for transfers from a company that has small operations in Europe and seeks only to transfer fewer data categories, such as employee data. DPF certification could also be easier than negotiating SCCs, she added.

Massey shared similar views. Service providers or large U.S. multinational conglomerates with plenty of European customers may want to use the DPF, he suggested. But “if you’ve got a one-on-one relationship, you’d probably be better using standard contractual clauses anyway.” This is because using SCCs presents less of an administrative burden – they do not involve a registration process, there is no fee, and there is no annual review or renewal, he explained.

Use of SCCs can, however, become a burden as the business grows, Massey continued. In such a case, the business must weigh the time and costs spent on administrative efforts such as negotiations and contract management. At some point, especially if there are recurring data flows from an increasing number of third parties in the E.U., the business may conclude that the DPF is a “more efficient solution,” he said.

Companies that do elect DPF certification, especially multinational ones, are likely to find that the process is “not overly burdensome,” Helleputte noted. DPF certification is probably easier for large organizations, he observed, because they already have the appropriate processes. At the same time, smaller companies might certify to give themselves competitive and reputational advantages – to show counterparties that they have made an “extra effort” to comply, he added.

For U.S. companies that chose to use the GDPR as their global benchmark when it was enacted in 2018, certification “is not a big lift,” Massey said. He also agreed about the reputational advantages of certification, noting that one of the “great benefits” of certification is to provide others with “reassurance and trust around good data protection processes.”

Impact on Alternative Transfer Mechanisms

Standard Contractual Clauses

Although the Latombe decision concerns transfers to DPF-certified companies, it will also have a positive effect on U.S. companies operating under SCCs, Helleputte predicted. The ruling makes it easier for European companies to conduct the transfer impact assessments that are a predicate to implementing SCCs because they can point to the DPF’s protections as a justification for reducing the number of supplementary measures that they may need to protect data transfers.

Companies operating under the DPF should not use SCCs as a backup to hedge against the possible invalidation of the Adequacy Decision, O’Donoghue stressed, since there is the potential for certain SCC provisions to conflict with the DPF. This is because the SCCs are contractual provisions published by the E.U. and are fully in accord with the GDPR, whereas the DPF was designed to provide adequate protection by reconciling differences with U.S. law that is not the exact equivalent of the GDPR, she said.

“You have one or the other, you do not have both,” Massey concurred, explaining that having both complicates matters because it raises questions of whether a given transfer is under the DPF or an SCC. Companies may use different mechanisms in different contexts, however. For example, he noted, some companies might want to transfer all of their HR and employment data under the DPF and their customer data under SCCs.

While having SCCs in addition to being DPF-certified is a “bit over the top,” Helleputte commented, companies could make contingency plans. To prepare for a potential inadequacy decision, he continued, companies might want to have agreements with third parties that provide that they will enter into SCCs in such an eventuality. “Looking at the alternatives as a pre-planning project is a sort of very wise, prudent commercial decision at the moment,” Massey agreed.

Binding Corporate Rules

The Latombe decision is not generally relevant for companies operating under Binding Corporate Rules (BCRs), which are another mechanism that multinational companies can use to transfer personal data both internally and internationally in compliance with the GDPR, Helleputte noted. In any event, operating under a BCR requires a “huge uplift,” and many companies see it as “too complex and too time-consuming and expensive,” Massey observed. So, there has been more use of the DPF and, after Schrems II, SCCs, he said.

Caution Still Required Around Managing Data Flows

Given that Latombe upholds a regime under which companies were already operating, the decision does not necessitate any operational changes or contractual revisions, Massey noted.

Vigilance is still key, however. Companies that have been operating under the DPF framework need to monitor for new developments, Helleputte advised, adding that, “for now, it’s much more a kind of wait-and-see type of mode.”

Companies should operate under a “safe to proceed, but unwise to relax” credo, O’Donoghue instructed. U.S. companies should continue to comply with the “core tenets” of the DPF by limiting the purposes of data collection, retaining the minimum amount of data for no longer than necessary, ensuring that the data is secure and that, when data is transferred, the privacy framework principles follow the data, she elaborated.

U.S. companies’ affiliates operating in the E.U. should be mindful that E.U. regulators are likely to use “tag jurisdiction” and bring an enforcement action against the European affiliate where the U.S. parent company is infringing, O’Donoghue cautioned. Furthermore, she added, to help ensure that they are doing business with DPF-certified organizations, E.U. companies should have their U.S. counterparts warrant and represent that they are, and will remain, DPF-certified, and, if necessary, refuse to do business with noncompliant U.S. companies because it puts the E.U. company at risk of being noncompliant with the GDPR itself.

In addition to checking the Department of Commerce website to see if a U.S. company is DPF-certified, European companies should also monitor the positions of the EC and the European Data Protection Board to make sure that the safeguards they have in place are still relevant and sufficient, Haie suggested. Given that the Latombe decision is limited to assessing the facts and the law as they stood at the time the Adequacy Decision was adopted, and that the EGC did not consider subsequent developments since then, it should not be taken as a “blanket validation of the DPF,” she warned.

Data Mapping Challenges

The main challenge for managing international transfers of personal and sensitive information is mapping data flows - “knowing which data is flying where,” Helleputte observed. This sounds like “a very basic task but, in fact, it’s very complicated for most organizations” and is “foundational” for processes, he said. It is also an exercise that must be repeated “again and again” so that a company is aware of the risks it might be creating. “Compliance is a journey,” he emphasized.

It can be “extremely difficult” for companies that are operating globally to trace their data, Haie likewise observed. However, once the foundational data mapping step is taken, companies are well-positioned to assess the laws of the jurisdiction to which data is being sent to determine whether the jurisdiction offers a similar level of protection as the GDPR and, if it does not, to put additional safeguards in place to increase the level of protection, she said.

See “Why Modern Corporations Need Investigative Memory” (Jul. 16, 2025).

What’s Next?

Potential Standing Challenge

If Latombe appeals the decision, it could be determined that the EGC erred by not ruling on whether Latombe had standing. The fact that EGC ruled on the merits of the dispute without first addressing standing was “unusual,” O’Donoghue noted. “I wouldn’t expect a court to rule on the merits if it didn’t need to, because ultimately you could argue that almost the entire decision is obiter dictum as opposed to a full-on decision and judgment,” she posited.

In any appeal, the jurisdiction of the CJEU would be limited to the facts and legal context reviewed by the EGC and would not take into consideration any subsequent U.S. legal developments, said Haie.

Potential Challenge to Reliance on Existing Facts

The fact that the Latombe ruling was based on the facts existing at the time of the Adequacy Decision, and not subsequent developments, leaves the DPF open to future challenges, Massey said. It is likely that Max Schrems’ NOYB policy group will lodge a challenge to the DPF, he predicted.

One substantial change, O’Donoghue noted, is the fact that there is currently no quorum on the PCLOB, as members of the board were discharged by the Trump administration and the U.S. Supreme Court has been using its emergency docket to allow these dismissals. The EC may be in a “wait-and-see mode” regarding whether the U.S. president will be granted the power to dismiss such appointees without cause, which could implicate the independence of the DPRC, she added, and the EC may then use its own discretion to review the continued adequacy of the DPF.

“The safeguards are basically in the hands of the president” because they are grounded in an executive order that it “only takes [another] executive order to change,” Helleputte said.

Potential Early Review

The ruling also is open to further scrutiny because the EC must review the DPF every four years to ensure that it provides an adequate level of protection, Massey noted.

Although the GDPR requires that “periodic review” occurs “at least every four years,” the EC conducted its first review within one year of the DPF entering into force, and it already has committed to undertaking its next formal review in just three years, Flamant noted. It is also possible, he added, that pressure from advocacy groups and the European Parliament could compel the EC to conduct its formal assessment even sooner than three years.

Potential Action in Member State Court

Another way to contest the Adequacy Decision would be to bring an action in an E.U. member’s national court seeking a preliminary ruling on the validity of the Adequacy Decision, suggested Haie. Any doubts about the validity of the Adequacy Decision would need to be referred to the CJEU, which would be entitled to consider developments in the U.S. regarding the DPF that occurred after the issuance of the Adequacy Decision. If the CJEU finds that the Adequacy Decision is invalid, it would direct the national court to follow its interpretation, and the EC would withdraw the Adequacy Decision, she said.

See “Integrating AI Into the Five Stages of an Investigation” (Oct. 8, 2025).

Whistleblowers

Insights From Whistleblowers on How to Foster a Speak‑Up Culture


With enforcers all over the globe offering incentives for employees to blow the whistle on corporate malfeasance, many companies are realizing the value of having employees raise concerns internally first. However, many companies do not foster a culture where employees feel comfortable bringing issues to their supervisors or the compliance department.

An Ethicsverse discussion featured three high-profile former whistleblowers – Elin Kunz, healthcare consultant with Kunz LLC; Sherron Watkins, leadership and ethics advocate at Sherron Watkins & Company; and Tom Hardin, corporate trainer and compliance advisor – who shared their stories to help companies understand the ways in which company culture can get in the way of speaking up. The panel offered six suggestions on how organizations can encourage internal reporting. The whistleblowers were joined by Mary Inman, a partner with Whistleblower Partners, and Nick Gallo, co-CEO of Ethico. This article distills their insights.

See “How a Whistleblower Can Derail a DPA” (Oct. 8, 2025).

Three Whistleblowers Share Their Stories

Kunz and Watkins both found themselves in intolerable situations that prompted them to raise concerns about their workplaces. For Hardin, government enforcers persuaded him to work as an informant.

A Company Contradicted Its Own Policies

Kunz was Halifax Health’s director of physician services and its compliance officer when she uncovered apparent Stark Law violations in how incentives were paid to physicians. “We were violating our own policy,” she said. Upon raising concerns internally, she was told to “tread lightly,” and that her “loyalty had to be to the hospital and not to the government.”

The company’s associate counsel agreed about possible Stark violations and wrote a memo about it. However, six months later, Kunz discovered that the company “paid the physicians their compensation anyway, knowing that it violated Stark.”

“Somebody just did not want to listen because of the potential money it would cost if we self-reported,” Kunz commented. What the company ended up paying in a settlement, however, was considerable. “Had we done the right thing, we wouldn't have paid $86 million and $40 million in legal fees,” she said.

Ignored Fraud Warnings

Watkins “stumbled across” accounting fraud at the now-defunct energy company, Enron, where she worked.

Watkins described herself as “naive” for turning to then-CEO Kenneth Lay over her fear that the company might “implode in a wave of accounting scandals.” His senior position meant that “he was going to have to fall on his sword if he could really accept what I was saying,” she noted.

Watkins recalled “trying to work it internally,” despite the fact that leaders did not listen to her.

“If Enron was going to survive, they needed to come clean themselves, restate their financial statements and acknowledge the problem. To be exposed from the outside might really jeopardize the company even staying alive,” Watkins said, summarizing her assumptions at the time.

Funds Normalized Insider Trading

Hardin, while working as a hedge fund analyst, became an FBI informant assisting in Operation Perfect Hedge. This FBI investigation into insider trading saw more than 80 individuals criminally charged at hedge funds and banks. “I did the wrong thing at first. I made those trades. So I was an informant, not a whistleblower,” he said.

He had given himself various “rationalizations,” including the culture at the organizations where he worked and his supervisor “looking the other way,” Hardin acknowledged.

See “NAVEX Study Finds Incident Reporting Steady, But Substantiation Rates Rising” (May 7, 2025).

The Aftermath of Blowing the Whistle

Companies often fail to appreciate whistleblowers as conscientious employees driven by an honest desire to address problems.

Kunz, who remained at Halifax after filing her suit against the company, was sometimes in meetings at which her own complaint was discussed, before she was revealed to be the person behind it.

Questions were constantly asked about the identity of the whistleblower, and not about the misconduct that was exposed, Kunz recounted. Those conversations were not about the company’s fraud but about who the whistleblower was, with colleagues saying, “They know everything about us. They must be disgruntled.”

After her colleagues learned that she was the whistleblower, despite having previously had “15 perfect job evaluations,” attitudes toward her changed, Kunz added. “I became a disgruntled employee overnight.”

Colleagues in the company are often more comfortable saying the whistleblower is a grudgeful employee with “an ax to grind” rather than attributing “a high integrity motivation” to that person, Watkins concurred. “That is pretty common with whistleblowers,” she said.

Characterizing the individual as “not loyal” or “just difficult” is a way for others to defer blame, Gallo commented. “That is a self-serving frame for somebody who has already rationalized their low-integrity behavior,” he added.

Retaliation Is Common

Managers and company leaders may use a range of retaliation tactics to send the signal that they resent a whistleblower’s actions, Inman said. “Never underestimate the level of juvenile behavior that someone will resort to, to send a signal to a whistleblower,” she warned.

There have been cases of “whistleblowers in the healthcare space being referred to psychologists when they would not go along,” Inman noted. She mentioned an employee whose frequent lateness was something his colleagues had learned to work with, but, “as soon as he blew the whistle, all of a sudden that chronic lateness was a problem.” A whistleblower who had dwarfism suddenly found that “her colleagues put all of her files out of reach,” she added.

Kunz reported that colleagues who had been friendly with her at work also experienced retaliation, with one being told not to socialize with her.

Some retaliation tactics “can be very subtle and pretextual,” Inman said. Some whistleblowers, who previously received “fabulous job performance evaluations year over year,” suddenly have different language in their evaluations, she noted, such as “Not a team player.”

Whistleblowers can find themselves “frozen in amber” in the companies where they exposed misconduct because they will remain employed but be given less responsibility, Inman reported. They are “too dangerous to fire” but also “too dangerous to have in the meeting,” she explained.

Kunz concluded that some in the company were treating her badly in a deliberate effort to discourage speak‑up from anyone else.

Companies’ bad treatment of those who speak up is a strategy to discourage others, Inman agreed. It is a way “to tell people that it is not safe” to speak up, she noted.

Colleagues’ Support Can Be Conditional

Employees who speak up can find themselves ostracized by colleagues, as well.

At a time when some in the company believed Lay would be responsive to Watkins’ concerns, she experienced support from colleagues. “I had a number of colleagues encouraging me and sending me more information, making phone calls to Ken Lay, letting him know I was a credible person,” she noted.

However, this changed when Lay proved unreceptive, Watkins recalled. “When it became evident that he did not want to hear what I had to say, all that support fell away,” she said.

Whistleblowers can initially find themselves being “magnets for other people who have been sitting and simmering on these concerns,” Inman observed. However, their support can evaporate if the company dismisses the concerns, because “they are paying attention to what leadership is thinking,” and people will suddenly distance themselves from the whistleblower, she said.

See “Whistleblower Protection and Compliance: A Comparative Study of the United States and Japan” (Jul. 31, 2024).

Business Culture Normalizes Wrongdoing

Sometimes the culture of a company – or a sector, more broadly – normalizes wrongdoing. For newer employees, it can be hard to determine where to draw the lines when they see the attitudes of more established colleagues.

In his hedge fund career, Hardin said a “culture of getting information and trading on stocks before it was public became normalized in the industry.” People he considered mentors “were getting advantages by trading ahead of earnings announcements or M&A activity.” Placing trades himself, he found that his own boss would say “do not tell me how you are doing this.”

A person entering a new work environment wants to understand “the true rules of the game,” Gallo commented. Seeing a manager or mentor “engaging in behavior that may be contrary to those words on the page” can leave the new hire wondering “what is really in bounds and what is out of bounds,” he said.

Acceptance of wrongdoing in the upper echelons can make speak-up pointless, Inman observed. “It is almost a futile act to blow the whistle internally” when the people receiving those reports “are the architects of the fraud,” she said.

High-minded slogans touted by companies are, in and of themselves, of little use. Watkins recollected Enron’s values being summarized in the acronym RICE: “Respect, Integrity, Communication, Excellence.” These were prominently displayed in the office along with banners that also included a Martin Luther King Jr. quote: “Our lives begin to end the day we become silent about things that matter,” she added.

Hardin recalled that his workplace had the slogan “Speak Up” on the wall, “but that really did not drive the behavior and the culture.”

Virtuous statements made by top management can be similarly futile if they are not reflected in the culture throughout the organization. “Do not be fooled by a great tone at the top,” Hardin said, because “one is just a signal.” An organization’s culture is “defined by the behaviors that get rewarded in the company” and “the behaviors that employees believe will put them ahead,” he argued. It is “built into little things leaders do every day. Who they listen to, who they ignore, what they celebrate and what they actually quietly tolerate.”

See our two-part series on the DOJ’s Corporate Whistleblower Awards Pilot Program: “A Look at Forfeiture and Culpability” (Aug. 14, 2024), and “Exclusions, NDAs and Goals” (Sep. 11, 2024).

Changing Attitudes

Attitudes toward whistleblowers have been changing over time as companies realize they would rather employees report internally than go to the myriad government enforcers who are now offering rewards to those who bring evidence of crimes.

Government Incentives Have Helped

Government programs that incentivize whistleblowers can be helpful in unearthing misconduct. The SEC’s whistleblower reward program, created by the 2010 Dodd‑Frank Act, is an example. SEC enforcement attorneys have claimed that this has resulted in the exposure of at least two cases comparable to that of Enron, Watkins noted.

There has been a slow transition toward more companies viewing internal whistleblowers as “risk intelligence,” according to Watkins. Companies increasingly understand that identifying wrongdoing and correcting it internally is helpful because “being exposed from the outside” leads to “big fines, big reputational damage,” she said.

Governmental support for whistleblowers has led to more lawyers working with such people, Watkins said. “It has attracted very sharp legal talent to the cause of the whistleblower.”

Speaking Up Has Business Advantages

Companies should realize that employees who raise concerns about wrongdoing are valuable assets, the speakers agreed.

They are “not disloyal,” but are among the “most loyal employees” who provide voluntary “risk intelligence,” Inman argued. They also help to protect the company’s brand from “loss of faith,” she said.

If companies can look at speaking up in a positive way, “that reframe can do a lot to gather more of that risk intelligence,” according to Gallo. Company leaders should “see the opportunity in getting more participation and de-risking the organization,” he stated.

CEOs and boards should “understand that whistleblowers are not scary” but are in fact “incredible intelligence sources,” Inman said. “They are the canaries in the coal mine” who enable a company to course-correct, she argued.

“Someone speaking up is such a good opportunity for the company to do the right thing,” Kunz commented. If they display poor treatment toward a person who speaks up, companies discourage others from coming forward, she added.

See “Government Enforcers Explain Their Approach to Whistleblowers and VSD” (Jul. 17, 2024).

Fostering a Speak‑Up Culture

For companies that have learned the value of internal reporting over having employees go straight to government enforcers, there are a number of things they can do to foster a speak-up culture.

1) Provide for Anonymous Reporting

The first way to foster a speak-up culture is to offer whistleblowers an option for reporting anonymously, which is now considered a best practice and is contemplated by the E.U. Whistleblower Directive, which leaves it to member states to decide whether anonymous reports must be accepted and followed up.

“There is benefit to the industry standard now that allows whistleblowers to report anonymously,” Inman suggested, because the reaction to a raised concern should not be “about who brought it,” but rather on the concern itself. Having speak-up channels set up as anonymous helps keep the focus on the message rather than the messenger, she said.

2) Inform the Reporter

Companies should inform employees about the outcome of their speak-up reports, Inman recommended. “There has to be communication with the whistleblowers in some way to acknowledge the status of the investigation,” she said.

Even if a report is not substantiated, it is better for the individual to at least be informed that their issue was investigated, according to Inman. Too often, what the person gets after reporting is “radio silence,” she noted.

3) Celebrate Speak‑Up

Employees need to know that the company values the act of speaking up. One way to do that is for the compliance function to highlight speak-up reports that led to improvements, Watkins suggested. The compliance team could feature an article in monthly communications highlighting “a problem that was identified” or “a positive story of how [an] anonymous report benefited the company,” she said.

Companies usually avoid identifying the wrongdoer by name when sharing such stories internally, Gallo observed. Even so, such stories demonstrate that the compliance team and the company are grateful to the employee in question for being a “culture carrier” and a “guardian to the going concern,” he emphasized.

In addition, employees can be commended for whistleblowing as part of a performance evaluation, Inman suggested. Employees are always keen to see what employers are measuring them on, she said, arguing that including the “ability to raise concerns” among those criteria “would go a long way.”

4) Decrease Fear

Sometimes fear is the biggest barrier to speaking up. Employees would be encouraged to speak up if companies made the process less frightening, Hardin suggested.

Many employees feel that senior managers do not listen, and the senior managers fail to realize that employees are afraid to approach them because they wield power and status, Hardin said. Leaders should not just tell employees to speak up, but should “also listen up” and try to “make it easier for others to disagree with them,” he advised.

Rather than using the term “speak up,” which “can sound pretty intimidating,” companies should invite employees to “share their thoughts” or “add perspective,” Hardin recommended. This casts speaking up as “a shared responsibility, and not so much like this big individual act of bravery,” he commented.

Most employees feel stressed about raising concerns to management, particularly upper management, Inman said. For instance, it “is a very misguided notion, because of the power differential,” to expect employees to go to the CEO with concerns, she noted, because “most people even have a hard time reporting to their supervisors.”

5) Do Not Retaliate

It should go without saying, but a critical piece of encouraging employees to report wrongdoing is ensuring that they will not be retaliated against for doing so. In addition to being illegal in many jurisdictions, retaliation can backfire on the business.

When a company mistreats the person raising the concern, other employees see that as the likely result of speaking up, Kunz explained. Then, “no one is going to come forward,” and a company will “miss the opportunity to take advantage of someone speaking up,” she cautioned.

6) Make It Routine

Kunz hopes that, in the future, raising concerns will be regarded as a routine responsibility for any employee. “I am always going to be a whistleblower, and I feel like I cannot get rid of that label,” she said. Bringing concerns to the attention of management or compliance should be appreciated as an employee doing their job well, and should never be a black mark that follows them around for the rest of their career, she argued.

See “2024 SEC and CFTC Whistleblower Reports Reflect Continuing Vitality of Programs” (Jan. 29, 2025).

Artificial Intelligence

Risk and Compliance Survey Highlights the Role of Compliance in AI Governance


Each year, NAVEX, in cooperation with The Harris Poll, conducts a benchmarking study of the state of risk and compliance programs. Its 2025 State of Risk & Compliance Report (Survey) is based on responses from nearly 1,000 survey participants. The results indicate that compliance programs continue to mature, with the remit of the compliance team expanding to encompass artificial intelligence (AI) governance and other topics as enforcement priorities evolve.

The study covered compliance program structure and maturity; compliance concerns and incidents; impact of changing enforcement priorities; internal reporting and whistleblowers; compliance training; compliance governance; the intersection of risk management and compliance; third-party oversight; and compliance issues associated with widespread use of AI.

This article synthesizes the Survey findings and the insights offered during a related webinar hosted by NAVEX discussing the report.

See “NAVEX Shares Benchmarking Data in 2023 State of Risk and Compliance Report” (Jul. 19, 2023).

Survey Demographics

The Survey, which had 999 respondents, drew from two sources. There were 382 individuals from NAVEX’s list of current and prospective clients and 617 individuals selected by Harris. The Survey was conducted online from the end of April through the end of May.

The overwhelming majority of respondents were C‑suite executives (28%), senior managers/directors (32%) or other managers (27%). Twenty-eight percent of respondents – by far the largest cohort – held compliance positions. Roughly half of the respondents were from the U.S. (46%). Most of the rest were from France (12%), the U.K. (11%) and Germany (11%).

Most respondents’ organizations have up to 999 employees (37%) or between 1,000 and 9,999 employees (40%). The remaining 23% have more than 10,000 employees. Half of respondents come from one of four sectors: manufacturing (13%); healthcare and social assistance (13%); finance and insurance (12%); or professional, scientific and technical services (11%).

“We cast a pretty wide net across the compliance landscape, looking at respondents across geography, function, industry and company size,” Gabriel Rozenwasser, director at The Harris Poll, said during the webinar. This wide net “ensures that the results of this study are comprehensive and do cover this industry at large,” he explained. However, there are differences in sample size and respondent composition each year, which is important to keep in mind when making comparisons over time, he added.

Compliance Program Maturity and Structure

A plurality of respondents (44%) use the International Organization for Standardization (ISO) standards for compliance programs. One quarter use the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) as a guide for organizing the compliance program. One-fifth follow the guidance issued by the U.S. Department of Health and Human Services Office of the Inspector General. Respondents in Europe and the Asia-Pacific region are more likely than those in the Americas to use ISO standards, Shon Ramey, chief legal officer at NAVEX, noted. Professional, scientific and technical services; manufacturing; financial services; and insurance organizations more commonly use ISO standards than other organizations.

The report uses the framework for compliance program maturity created by the Ethics and Compliance Initiative (ECI), which uses a five-point scale ranging from least mature to most mature, according to Carrie Penman, chief risk and compliance officer at NAVEX:

  1. underdeveloped;
  2. defining;
  3. adapting;
  4. managing; and
  5. optimizing.

More than half of respondents (57%) said their organizations are managing or optimizing their compliance programs, which is consistent with the findings of the last two years, Matt Kelly, editor and CEO of Radical Compliance, observed during the webinar. An organization should seek to improve its compliance program continuously. That, however, does not mean improving all things at once. It means understanding the organization’s most important priorities and focusing on them. “[A] program does not have to be perfect. It has to be effective. And that means it is effective at the things that matter the most – the risk-based approach,” he said.

See our three-part series on the DOJ’s 2024 edits to the ECCP: “Some History and AI Expectations” (Nov. 6, 2024), “Data Analytics to Find Risks and Measure Effectiveness” (Nov. 20, 2024), and “Speaking Up, Compliance Resources and Lessons Learned” (Dec. 4, 2024).

Where Compliance Sits

A plurality of respondents (22%) said their compliance function is an independent function that reports to the CEO or board. The next most common functions responsible for compliance are the legal department (15%), risk department (12%) and IT/data security/data privacy department (11%).

Notably, 17% of respondents said responsibility for compliance is split among multiple departments. That is hard to make work in practice – especially for rank-and-file employees, Kelly said. It could result in multiple silos with conflicting priorities and inconsistent messaging.

See “To Work Effectively, CCOs Need Authority, Autonomy and Information” (Nov. 6, 2024).

Internal Reporting

Most respondents (81%) believe their organization’s employees are most likely to report misconduct internally rather than externally (14%). Even so, just 53% of respondents have a hotline or internal reporting channel.

The fact that just half of organizations have an internal reporting channel is troubling, because the current administration has indicated that it will use whistleblowers “as a lever to get more enforcement,” especially under the False Claims Act, Kelly said. “It is incumbent on companies” to try to keep internal whistleblowers on their side and avoid having them bypass the company to go directly to the authorities, he warned. Consequently, it is increasingly important to have a strong whistleblower program.

Additionally, just 49% of respondents have a non-retaliation policy. This proportion, too, should be much higher, Kelly cautioned. Having a policy and associated training should be standard. “If we want our employees to speak up, we have to really focus on preventing and detecting retaliation, having good policies [and] taking strong actions,” Penman added. People should feel comfortable reporting internally instead of “to our friendly regulators.” An organization should explain to employees where a call goes, who takes the call, what happens on the call, what the company will be able to say about its investigation and what it cannot say.

Investigations

Two-thirds of respondents said they have a centralized compliance investigations program, versus 23% with a decentralized approach. Notably, 73% of respondents who said they have more mature compliance programs reported having a centralized program, versus just 55% of those with less mature programs, Ramey said.

Three-fifths of respondents believe their organizations take all appropriate actions, including discipline, before closing a case. However, just half of respondents said their compliance function has full visibility into all elements and stages of a disciplinary case and/or monitors such cases to ensure consistency. The top factors affecting the time needed to close cases were reported to be case complexity (35%) and resource constraints (25%).

See our three-part series on employee discipline for anti-corruption issues: “Predictability and Consistency in the Face of Inconsistent Laws” (Nov. 1, 2017), “Investigation and Documentation to Smooth the Discipline Process” (Nov. 15, 2017), and “Due Process for a Just and Effective System” (Nov. 29, 2017).

Third-Party Oversight

NAVEX asked respondents whether they screened third parties or suppliers and, if so, what issues they screen for. Just 6% said they do not screen third parties. Respondents most commonly screen for regulatory compliance (58%), cybersecurity and data protection (54%), and/or financial health (49%). The proportions screening for regulatory compliance and cybersecurity were higher last year, Kelly observed. “These numbers should not be going down,” he said, because companies will only be increasingly relying on third parties as time goes on.

The vast majority of respondents (84%) agree that third-party due diligence reduces legal, financial and reputational risk, including 33% who “strongly agree” with that proposition. This suggests a disconnect with the fact that nearly half of respondents do not screen third parties for regulatory risk or cybersecurity – and more than half do not screen for other key concerns, Kelly noted.

See “2025 LRN Effectiveness Survey Finds Lags in Third-Party Diligence” (Mar. 12, 2025).

Program Audits

Just over two-fifths of respondents said their organizations conduct risk and compliance program audits. Of those respondents, from 43% to 68% said the audits include:

  • policy and procedure reviews;
  • internal investigation reports;
  • incident reports;
  • leadership feedback;
  • employee interviews, feedback and quiz results;
  • training data;
  • gap analysis; and/or
  • program reviews by an external auditor.

Three-fifths of respondents said their organizations use risk assessment results to improve their compliance programs. More than half use compliance program audits, guidance and frameworks, and/or updated regulatory requirements. Nearly half use lessons from misconduct, board/executive feedback and/or measures of compliance culture. Just one-third use cross-functional data and/or continuous third-party monitoring.

The most common metric respondents use to test the effectiveness of their organizations’ policy management programs is employee training results.

See “A Step-by-Step Approach to Upleveling Compliance Analytics” (Jul. 2, 2025).

Use of Technology and AI

Roughly 70% or more of respondents said they use purpose-built technology to administer hotline and incident management, policy and procedure management, ethics and compliance training, code of conduct and/or risk management. Roughly 60% use it for third-party risk monitoring, disclosure management and/or program analytics.

Two-thirds of respondents said AI plays an important role in their compliance programs, including 25% who said it is “significantly important.”

See our three-part series on artificial intelligence for anti-corruption compliance: “Foundations” (Oct. 28, 2020), “Building a Model” (Dec. 2, 2020), and “Five Workarounds for Asymmetric Data Sets” (Feb. 3, 2021).

Compliance Training

Three-quarters of respondents overall have a risk and compliance training plan. Just 68% of respondents from smaller organizations have a training plan, versus about 80% of those from larger organizations. The overwhelming majority of finance and insurance organizations have a training plan, as do most organizations at the top of the ECI maturity scale, Kelly observed. The most common topics for compliance training in the next two or three years, cited by nearly half or more of respondents, are:

  • ethics and code of conduct (63%);
  • data privacy (62%);
  • cybersecurity (60%);
  • harassment and discrimination (52%);
  • AI (48%); and
  • conflicts of interest (47%).

Just one-third cited anti-bribery and corruption training. Notably, last year AI was near the bottom of the list of training topics – but this year it is near the top, Kelly noted. Over the past year, AI risk has been “a surging priority for compliance, for the management team, for the board, for pretty much everyone,” he said. Another notable shift is that the proportion of respondents planning diversity, equity and inclusion training fell from 47% in 2024 to just 37% this year. Additionally, just over half of large organizations are planning more whistleblower training, versus roughly 40% of smaller companies.

See our three-part series “Rethinking Click-Through Training”: The Pluses and Minuses (Feb. 26, 2025), Maximize Effectiveness With Customization (Apr. 9, 2025), and Integration Into a Comprehensive Training Program (May 7, 2025).

Leadership Commitment

The study found positive compliance and ethics behavior at all levels of management, according to Penman. More than three-fifths of respondents said that senior executives (73%), middle management (65%), and first-line managers and supervisors (62%) all encourage compliance and ethics. Nearly as many said all three cohorts “model proper behavior.” About half said management displays a commitment to ethics in the face of competing interests or business objectives.

On the other hand, the results suggest that management at roughly 40% of organizations is not modeling good behavior, Penman observed. Additionally, roughly 16% of respondents said executives and managers have impeded the work of compliance personnel and, worse, roughly one-tenth encouraged employees to act unethically.

See “Survey Finds Increased Value in Having a Culture of Compliance” (Feb. 26, 2025).

Board Engagement

Although nearly two-thirds of respondents said their boards receive periodic reports on compliance matters, just 33% said their boards are “highly engaged” in the compliance program. Additionally, just 52% of respondents indicated that their boards have oversight of the compliance program, just 37% said boards have executive/private sessions with compliance, and just 33% have oversight of risk identification and management.

NAVEX examined whether strong board engagement in compliance is associated with more positive management behavior, explained Penman. It found that at organizations with above-average board engagement with compliance, there is more positive compliance-related behavior by executives and managers. Strong board engagement with compliance “sends a message to leadership at all levels that this is important to the organization,” she said.

NAVEX also asked whether leadership views compliance as a “necessary evil,” an “insurance policy” or a “strategic advantage.” Roughly 70% of respondents “strongly agreed” or “somewhat agreed” that programs both serve as an insurance policy and provide a strategic advantage. On the other hand, nearly half said leadership views compliance as a necessary evil. The way leaders perceive compliance affects the funding, staffing and operation of the compliance program, Penman noted.

See “The Board’s Role in FCPA Compliance” (Mar. 31, 2021).

Privacy and Cybersecurity Are Among Top Compliance Concerns

More than one-third of respondents (35%) said they had not experienced any compliance incidents over the past three years. More than half (56%) said they had “at least one” compliance issue, and 36% confirmed they had experienced more than one.

Among those who experienced a compliance incident, a plurality (28%) said they had a privacy or cybersecurity breach, which was consistent with last year, Ramey indicated. The next most cited incidents included third-party ethics or compliance failures (18%), legal or regulatory action against the organization (17%), and compliance with E.U. regulations (16%).

NAVEX asked respondents to identify and rank the three most important compliance issues facing their organizations. By a large margin, the most common concerns are regulatory compliance (24%) and data privacy/security (23%). In contrast, last year, 29% cited regulatory compliance as the top issue, versus just 20% who cited data privacy/security. The drop in concern over regulatory compliance could be due to the perception that enforcement pressure will be lower under the Trump administration, Ramey suggested. Increased concern over data privacy could be related to the rapid adoption of AI and associated data gathering.

Notably, just 21% of respondents with more mature programs cited regulatory compliance as the top concern – versus 30% of those with underdeveloped programs. That probably reflects the fact that organizations with more mature programs “have a better handle on their regulatory compliance requirements,” Ramey said.

See “Cybersecurity and AI Are Top Global Business Challenges Identified in Kroll Study” (Jul. 16, 2025).

Changing Enforcement Priorities

Nearly half or more of respondents said that, in light of changes in U.S. government priorities and enforcement policies, they had made, or were considering, changes to various compliance program elements, including internal whistleblower reporting, training, code of conduct, policies, risk assessment, third-party oversight and/or board reporting. Notably, U.S. respondents were generally less likely than respondents from other countries to say their organizations have made or are considering making changes, Ramey observed.

Although anti-corruption enforcement is clearly a lower priority for the Trump administration, that is not a reason for organizations to become complacent, Kelly warned. Corruption risk is not “as unimportant as some cynics might think,” and ignoring it will eventually catch up with an organization, he said. Those who seek to de-emphasize anti-corruption efforts might ask themselves whether they “want a ‘pro-corruption’ message to take root in the company,” he advised.

Traditional controls over accounting fraud and embezzlement are very similar to FCPA-related controls. “Just about every embezzlement scheme I have ever seen looks like an FCPA violation except for the ‘F’,” Kelly remarked.

See our two-part series “The FCPA Lives”: Targeting the TCO Ecosystem (Jul. 30, 2025), and Protecting American Interests (Aug. 13, 2025).

Intersection of Risk Management and Compliance

Nearly three-quarters of respondents said their organizations have integrated their risk management capabilities at least to some extent, including 30% that have a centralized integrated risk management program run by senior management. One-fifth said risk management is siloed across the organization. Respondents with more mature programs were more likely to have an integrated, centralized program, Kelly noted.

See “Unifying Risk Assessments: Breaking Silos to Enhance Efficiency and Manage Risk” (Mar. 26, 2025).

Most Compliance Functions “Highly Engaged” With Risk Management

Seventy percent of respondents said their compliance function is “highly engaged” in risk assessment and management, and most of the rest (24%) said it is “moderately engaged.” Roughly half said it is highly engaged in matters including data breaches, reputational harm, third-party onboarding, board decision-making and insider threats. Another quarter or more said it is moderately engaged in those areas. Greater consolidation of risk and compliance functions is inevitable, according to Kelly.

Using Risk Assessments to Improve Compliance Programs

On the other hand, the study also found that just 61% of respondents use risk assessment results to improve their compliance programs. Risk assessment should be “the foundation or the cornerstone” for everything the compliance program does, Kelly suggested, because it provides a “structured, disciplined and data-driven” basis for the program.

Half of respondents said their risk assessments are “informed by continuous access to operational data across business functions,” which is ideal because it allows firms to adapt promptly, Kelly observed. Two-fifths use their risk assessments to inform allocation of resources to high-risk areas.

Notably, 70% said their risk assessments are current and subject to periodic review. This is similar to the 2024 result, which is surprising in light of the fact that global regulatory requirements seem to be in flux, Kelly observed. Firms should consider doing an interim risk assessment. Organizations with more mature programs are more likely to have an up-to-date assessment, he added.

Just 24% of respondents said their risk assessment process is effective, Kelly noted. The most cited barriers to conducting risk assessments are lack of resources and/or systems (20%) and attending to more pressing activities (17%). On a positive note, just 9% said fear of exposing weakness or discovering issues is the biggest barrier to conducting risk assessments.

See our series on risk assessments in Trump 2.0: “Back to Basics” (Aug. 27, 2025), and “Reassessing in the Great American Reset” (Sep. 24, 2025).

Compliance and AI Oversight

About two-thirds of respondents indicated that their compliance functions are either “very involved” (33%) or “somewhat involved” (32%) in their organization’s use of AI. A plurality (39%) said their IT departments are primarily responsible for AI-related policies. The next four most common responsible functions are information security (10%), compliance (6%), a cross-functional committee (6%) or legal (5%). In light of the rapidly changing regulatory environment around AI, it remains to be seen where within organizations these responsibilities will eventually lie, according to Ramey.

There is widespread concern over AI oversight, which militates in favor of compliance having an equal seat at the table, Ramey said. The top AI-related compliance risks cited by respondents include lack of visibility into AI-related risks (37%), gaps in implementation of compliance controls (30%) and failing to address changes in regulations (28%). The top general concerns about AI include:

  • inappropriate use of intellectual property (37%);
  • incorrect responses/hallucinations (27%);
  • data loss (23%); and
  • bias (10%).

Concern over hallucinations seems low, as does the concern over bias, Ramey noted. Bias can arise in many areas of operations.

Organizations should not lose sight of the AI governance forest for the individual risk trees, Kelly suggested. The biggest AI risk is that employees are using AI without the organization’s knowledge. Companies should build a solid governance process for bringing AI into the extended enterprise. “After that, all of the specific risks get easier to manage,” he said. “It is the governance question that is going to really come up and bite people in the rear end.”

See “AI Governance: Striking the Balance Between Innovation, Ethics and Accountability” (Jun. 18, 2025).

People Moves

Seward & Kissel Strengthens Litigation and Investigations Group


Seward & Kissel has welcomed Mark Garibyan as a partner in its litigation and investigations group in New York.

Garibyan represents hedge funds, private equity firms, public companies, and high-net-worth individuals in complex commercial disputes with a focus on securities cases, partnership disputes, and employment matters. He has conducted investigations on behalf of clients in sensitive matters involving compliance with the FCPA and anti-money laundering requirements, and represented clients in investigations and enforcement actions by the SEC, the Commodity Futures Trading Commission and the Department of Education.

Garibyan joins from McDermott Will & Schulte, where he served as special counsel. He spent the past 11 years at Schulte Roth & Zabel, which recently merged with McDermott Will & Emery.

For insights from Seward & Kissel, see “Lessons From the SEC’s Denial of Motions to Amend Off‑Channel Communications Orders” (Sep. 24, 2025).