With the start of a new year comes new expectations from key U.S. regulators, in addition to further progress in already established areas of interest.

If 2021 was a year of transition under the Biden administration, 2022 is looking as if it will be a year of action. The Securities and Exchange Commission (SEC) is expected to focus more decisively on climate-related disclosures, while the Federal Trade Commission could wield new power to put forward federal privacy legislation. Further, the impact of the ongoing pandemic is likely to demand continued attention from federal banking regulators.

Generally, as regulators embrace technology to help them perform their jobs, they expect compliance departments to select and implement new technologies as well. The skill set of compliance and risk professionals keeps widening; it’s not a career in which you say you have a law degree and are ready to run.

Which brings me to my list of key areas I expect to receive enhanced scrutiny in the year ahead. Also included is compliance as a career, as a list assessing the impact of regulatory change on compliance departments without a discussion about how the career itself is evolving would be incomplete.

Cybersecurity and data privacy

The average cost of a data breach rose from $3.86 million to $4.24 million in 2021, according to the latest annual research from IBM. Examples of large companies to disclose a breach suffered in the past year included T-Mobile, McDonald’s, Robinhood, and more.

Recently, a new cybersecurity crisis has come into view with the disclosure of a vulnerability (Log4Shell) in Log4j, the widely used open-source Apache logging library. System administrators, incident responders, and governments have been scrambling to install patches, reduce the threat, and advise businesses on best practices, but the vulnerability has already been exploited by attackers around the world.

Although data privacy has been in the spotlight for some time, regulators’ interest in how Big Tech companies like Meta, Google, and Apple handle consumer data continues to grow. The last six months have seen the first nine-figure fines under the EU’s General Data Protection Regulation (GDPR) proposed, with Amazon and WhatsApp on the receiving end.

In the United States, Virginia and Colorado joined California in 2021 as states to pass comprehensive privacy legislation. The varying laws bring new challenges for businesses, as does the fact that many other states that introduced privacy legislation over the past 12 months will move forward with potential rulemaking in the year ahead.

Use of tech and data to create a more effective compliance department

Regulators are increasingly using technology to perform their work, and their expectation is compliance professionals are embracing it as well.

Technology can be used to track changing regulations; keep an eye on one’s brand, reputation, and competition; track cash flow and liquidity; safeguard data and networks; monitor employees and vendors; detect illicit money flows; and so much more. Technology to combat financial crime in particular figures to be popular in 2022 as companies strive to meet new beneficial ownership requirements.

It’s always interesting to learn about the new technologies built for compliance departments—and sobering to read the enforcement actions that could have been avoided with less reliance on outdated tools.

Digital assets

Bitcoin launched in 2009 and touted anonymity for its holders as one of its most appealing characteristics. Criminals could and did exploit the cryptocurrency and the others that followed, leading to a negative perception around digital assets that crypto developers, issuers, and investors are still trying to overcome today.

While the SEC continues what some perceive to be its “regulation by enforcement” approach to cryptocurrency, other agencies have begun assembling policy frameworks around the industry. Banking regulators have pledged guidance to come in the year ahead, while the Internal Revenue Service has introduced a draft of a new tax form that, if approved, would require taxpayers to declare whether they have acquired or sold virtual currency in the past tax year.

This entire arena—from digital payments to the transfer of non-fungible tokens to blockchain use in nonfinancial applications—is an ever-evolving and hugely interesting one to keep track of in 2022. Compliance officers at any institution that trades, issues, invests, stores, or manages digital assets must analyze state, federal, and global rules on the books and use enforcement actions and speeches as guidance.

Stakeholder expectations regarding ESG

There is no exaggeration in saying we’re in a long-lasting and passionate discussion period regarding everything environmental, social, and governance (ESG). Investors, consumers, employees, CEOs, regulators, and lawmakers are increasingly demanding companies change their approach to managing climate-related risks and more thoroughly disclose those efforts.

For its part, the SEC solicited input regarding the adequacy and effectiveness of its disclosure rules as they apply to environmental disclosures, and two-thirds of the comment letters submitted supported mandatory climate disclosure rules.

Compliance departments must review the pronouncements made by their companies regarding sustainability initiatives and determine whether they are actually incorporating climate risks into their corporate building, capital spending plans, and vendor selection to avoid claims of “greenwashing.”

Handling corporate investigations and whistleblowers

There is a need for diligently conducted internal investigations to determine what happened in any given instance of misconduct. To get cooperation credit from the Department of Justice, an investigation must be conducted swiftly, with those committing wrongful acts identified and held accountable.

Since an investigation can begin with a report of a possible code violation to the company’s whistleblower portal, the two are certainly linked. Whistleblowing hotlines and related policies and procedures were front and center at Compliance Week Europe 2021, with questions from the audience revolving around how everyone in the organization could more effectively work together on protecting whistleblowers and conducting fair investigations.

Add another record fiscal year for SEC whistleblower awards, and it’s unlikely the conversation will be slowing anytime soon.

Corporate culture

There is a lot of discussion today regarding corporate culture and how a culture of compliance can be baked into a company’s operations.

The definition now includes, among other things, employer attentiveness to employee concerns (whistleblowers), diversity and inclusion practices, and corporate social responsibility.

The U.S. Federal Sentencing Guidelines mention compliance culture, including expectations for companies to promote an “organizational culture that encourages ethical conduct” and “a commitment to compliance with the law.”

Compliance as a career

The compliance profession continues to evolve, as new certifications and technologies require practitioners to remain agile. Titles are changing to reflect new specialties being developed within and adjacent to the compliance role, such as data privacy officer, ethics officer, diversity and inclusion officer, and sustainability officer.

While there are many new changes, some old concerns remain, like compliance officers’ fears regarding individual liability. Talk of a CCO liability framework at the SEC gained steam in 2021 when the New York City Bar Association put forward its own proposal for the agency to consider.

Finally, women in the compliance field talk about how they try to bring their unique experiences to bear on family leave and sexual harassment policies, and their voices can lend gravitas to the goal of increased gender parity in the upper ranks of their organizations.