Our new regular feature at Compliance Week puts a snarky spotlight on individuals, companies, and governments that “Failed It” in the areas of ethics and compliance this week and gives out kudos to those that “Nailed It.” If we missed any or if you have any nominations for next week, let us know on Twitter (@ComplianceWeek) or in the comments section below.

To Be Determined

Wells Fargo: On one hand, the embattled bank showed its commitment to overhauling its risk model with a series of new hires late last week. On the other, the moves seemingly pushed out Chief Compliance Officer Mike Roemer, who will leave the company following a transition period. According to a report in the Financial Times, some at Wells Fargo viewed the risk overhaul as undermining a previous plan to centralize the risk and compliance functions at the bank. With nearly 30 years in financial services, including a stint as group head of compliance at Barclays, Roemer was a big get for Wells Fargo and supposed to be the guy to lead its compliance comeback. Time will tell if the bank’s new approach pays off. —Kyle Brasseur


Nailed It


Saudi Public Investment Fund: In the wake of the 1MDB scandal in Malaysia, which recently cost Goldman Sachs nearly $4 billion in settlements, extra scrutiny is and should be paid to sovereign wealth funds. So it is a positive sign to see reports the Public Investment Fund of Saudi Arabia, one of the largest sovereign wealth funds in the world, has added former Morgan Stanley Investment Management Chief Risk Officer Feta Zabeli to its ranks. Zabeli, who is serving as chief risk officer for the fund, according to his LinkedIn profile, was in his position at Morgan Stanley in New York for eight years and held previous risk management roles at asset management firm AllianceBernstein. —Kyle Brasseur

Business Roundtable: Wednesday marked the one-year anniversary of the Business Roundtable’s revised “Purpose of a Corporation,” which essentially redefined the purpose of a company existing solely to serve its shareholders to, instead, having a responsibility to all stakeholders—employees, suppliers, customers, the communities it serves, and the environment at large. The CEOs of these companies deserve recognition for reaffirming their commitment to that promise. —Jaclyn Jaeger

Department of Justice: Kudos to the DOJ for providing direct guidance to a U.S.-based investment advisor seeking to pay a fee to a foreign government entity for its services. The advisor was smart in asking the DOJ whether such a payment would be considered a bribe under FCPA guidelines in what could have been a murky, complicated situation. The DOJ provided a thorough explanation that can serve as compass of sorts for other companies stuck in similar predicaments. The only complaint we have is that it was the DOJ’s first FCPA opinion procedure in six years. The Department should reward companies for their honesty and transparency in coming directly to the government with their challenges by issuing more of these types of opinions. —Dave Lefort


Failed It


Irish Data Protection Commission: If you read between the lines on the Irish DPC’s decision to essentially punt on determining how much to fine Twitter for its handling of a data breach disclosed in 2019, what’s clear is that the regulator is staying true to Ireland’s reputation as a business-friendly center of operations for large tech companies based in the United States. According to a report in the Wall Street Journal, the Irish DPC triggered a dispute-resolution mechanism in the fine print of the European Union’s General Data Protection Regulation (GDPR) that passes the buck from Ireland to the European Data Protection Board (EDPB) to make a final ruling on Twitter’s punishment. It’s a strategic move that not only leaves Ireland without the burden of responsibility for deciding on a penalty to a major tech firm, but also serves to delay other GDPR-related cases that will back up in the queue as long as this one remains unresolved—cases against other tech heavyweights like Facebook and Google. In our view, it’s a cowardly move by the Irish DPC that keeps it in the good graces of Big Tech. Here’s hoping the EDPB sends a strong message with its ruling … whenever that might come. —Dave Lefort

California politicians: On Jan. 1, the California Consumer Privacy Act (CCPA) took effect. Attorney General Xavier Becerra began enforcing the law July 1. And yet, the final version of the groundbreaking consumer privacy regulation officially took effect Aug. 14, when it was approved by the state’s Office of Administrative Law. Complying with this law has been confusing enough for businesses, even without the jumbled, late rollout. The Golden State’s politicians hoped passing the CCPA would dampen voter enthusiasm for a much more stringent privacy proposal, the California Privacy Rights Act (CPRA) of 2020. Voters will get their chance to weigh in on the CPRA with Proposition 24 on the Nov. 3 state ballot. If Prop 24 passes, the CPRA would take effect Jan. 1, 2023. —Aaron Nicodemus

U.K. financial services compliance: A report from the Financial News in London this week paints a less-than-rosy picture for compliance in financial services, including a quote from a headhunter saying he expected big banks to cut their London-based compliance divisions “in the region of 20% to 25%” within “the next 12 to 24 months.” The report specifically names Credit Suisse and HSBC as firms looking to make such cuts, citing people familiar with the matter. Credit Suisse recently announced its plans to combine risk and compliance, which is expected to eliminate duplicative positions in the spaces, while HSBC could make its cuts under future restructures announced in February. The Financial News report mentions advances in RegTech, the coronavirus pandemic, and Brexit as reasons compliance could be perceived as vulnerable in the months ahead. Perhaps this isn’t a fail, per se, if cuts need to be made, but it certainly isn’t a positive for the profession.  —Kyle Brasseur