We at Compliance Week have learned our lesson when it comes to making year-end predictions.

The curveball that was 2020 has thrown that formula out the window. Instead, we now preview what we’d like to see in the year ahead, as it is a much safer bet than trying to guess when this pandemic is finally going to end.

That’s No. 1 on my wish list, but here are 10 other things I’m looking for in 2022:

A clear path forward on ESG: Mandatory environmental, social, and governance disclosures at the Securities and Exchange Commission (SEC) are a matter of when, not if. What those rules may look like, though, remains to be seen.

Chair Gary Gensler has said he would like staff to develop a mandatory climate risk disclosure rule proposal for the Commission’s consideration by the end of the year, but early 2022 is looking more likely at this point. After climate risk will come other areas of ESG, including board diversity, human capital management, and cybersecurity risk governance.

Companies already reporting ESG metrics are doing so with no clear guidelines outside disclosure frameworks by organizations like the Sustainability Accounting Standards Board and Task Force on Climate-Related Financial Disclosures, so the SEC needs to take a stand on what it would like to see for businesses to get on the same page.

A regulator to take the lead on crypto: Will the real cryptocurrency regulator please stand up? The SEC has been posturing itself to do the job with its “everything is a security” approach, but infighting at the agency suggests cryptocurrency firms might be best turning elsewhere for guidance.

“The SEC has not provided clarity in response to repeated questions on crypto from reputable players, but has instead embraced an approach that has been described aptly to me as ‘strategic ambiguity,’” said Commissioner Hester Peirce recently. “Such an approach facilitates enforcement actions, but it is costly and treacherous for well-intentioned developers and their lawyers.”

All eyes in the cryptocurrency industry are on the SEC’s Ripple lawsuit and the precedent it could set for the securities debate.

Meanwhile, President Joe Biden’s nominee to serve as full-time chair of the Commodity Futures Trading Commission (CFTC) has asked Congress to expand the agency’s oversight of crypto, and federal banking regulators have previewed guidance of their own to come on crypto asset risks in 2022. Acting Comptroller of the Currency Michael Hsu said of crypto in November, “Without comprehensive, consolidated supervision, no single regulator can see the whole picture and understand how a firm as a whole operates and takes risk.”

Cooperation is key—or maybe it’s time to create a new regulator for the industry?

The Biden anti-corruption strategy in action: It’s no secret the global fight against corruption has been a losing battle to this point. This year’s Pandora Papers, published by the International Consortium of Investigative Journalists, detailed the shadow world of shell companies and offshore tax havens created every day to hide funds of the wealthy and powerful. Perhaps most surprising in the report is the active role states like South Dakota and Delaware appear to play in facilitating the process.

Biden on Dec. 6 announced his “United States Strategy on Countering Corruption,” which will rely heavily on the Financial Crimes Enforcement Network’s upcoming beneficial ownership registry. Ensuring the registry has proper resource support will dictate its success and whether it is the difference-maker needed to prevent the next Pandora Papers.

Signs of life from the CCPA: Since taking effect on Jan. 1, 2020, the California Consumer Privacy Act has proven to be more bark than bite. Though the California Office of the Attorney General has notified dozens of businesses of alleged noncompliance, no fines have been announced to date.

Considering the more stringent California Privacy Rights Act (CPRA) will supersede the CCPA on Jan. 1, 2023, the 2-year-old law is running short on time to make its mark. California has a year left as the only state with a comprehensive data privacy law on the books and could lose standing to Virginia and Colorado come 2023.

Context behind Amazon’s record GDPR fine: Speaking of privacy laws, the EU’s General Data Protection Regulation arguably put itself on the mainstream map this summer when Amazon disclosed it received notice of a €746 million fine in Luxembourg for unlawful processing of personal data. While the news was widely covered at the time, with Amazon promising to appeal the ruling, since then it’s been mostly crickets on the matter.

The Luxembourg National Commission for Data Protection does not comment on specific cases and has yet to provide reasoning behind its decision, which other EU data protection authorities will have the chance to weigh in on under the GDPR’s cross-border process. Perhaps the fine total may grow even larger, but more important for companies looking to avoid finding themselves in the same boat is a chance to understand what Amazon did wrong and how to avoid it.

A CCO liability framework at the SEC: Peirce in October 2020 teased the idea of developing a draft framework at the SEC that would aim to clarify when the Commission may seek personal liability in compliance cases. Since then, the New York City Bar Association has proposed a framework for the agency to use when considering charging CCOs or their companies, but the SEC has yet to publicly entertain the idea any further.

With SEC Enforcement Director Gurbir Grewal signaling the agency will sharpen its focus on gatekeeper accountability in the years ahead, now is as good a time as ever for Peirce or another commissioner to put forward a CCO liability framework. As I’ve written previously, a clear distinction between the actions of a CCO and his or her company is necessary to ensure the framework properly acknowledges the contributions of compliance officers.

The empowerment of Facebook/Meta’s CCO: I have to put the slash there because it’s unclear to the public where Henry Moniz stands after Facebook rebranded as Meta in October.

Moniz, hired by Facebook to be its first chief compliance officer in January, is nowhere to be found on the company’s executive page. He also appears to have deleted or made private his LinkedIn profile since taking the job, for whatever that is worth.

All this is to say it’s questionable whether Meta is giving Moniz a proper platform as CCO or if his hiring was merely decorative. Moniz’s track record as CCO at ViacomCBS for more than a decade indicates he’s more than capable for the job, but whether CEO Mark Zuckerberg has put him in position for success remains to be seen.

Compliance officers are often best left to do their work behind the scenes, but Meta’s spotty track record in the area begs for Moniz to be front and center in the company’s public efforts to rebuild trust. Zuckerberg is certainly not getting the job done.

The continued rise to power of GRC professionals: On that note, it’s a good time to acknowledge the businesses empowering their compliance and risk officers through noteworthy appointments.

Barclays and Danske Bank in 2021 each named their former chief risk officers as CEO when they respectively needed to make abrupt changes at the position. UBS Switzerland on Dec. 6 announced its group chief compliance and governance officer will be nominated to become chairman of the board at the bank’s annual meeting in April 2022. Looking back to one of the biggest scandals in recent memory, Wirecard in June 2020 shifted James Freis Jr. from overseeing compliance to serving as CEO of the company as it navigated allegations of significant fraud.

More than ever, companies seem to understand the importance of what GRC professionals bring to the table. And they are being rewarded with new opportunities to make a difference.

More transparency after company data breaches: This year has served as a reminder that there is no guaranteed defense against cyberattacks. It’s either you can be breached at any time, or you’ve already been breached and just don’t know it yet.

When a breach does occur, it’s important companies be as thorough as possible in their explanation of what went wrong. Not only for their customers, but for their peers trying to avoid the same thing happening to them. As ransomware attacks surge and gain more power with each successful instance, it’s important for businesses to band together with what they know in order to stand a chance in defending themselves.

That’s why I lauded Colonial Pipeline CEO Joseph Blount for his openness in the wake of a ransomware attack in May. Whether you agree or disagree with his decision to pay the ransom, you have to respect his owning the choice and explaining his justification for the rest of us to learn from (and hope we’re never in the same situation).

You, in person at Compliance Week 2022: For the first time in nearly three years, CW’s National Conference will return to Washington, D.C., after making the transition to virtual because of the COVID-19 pandemic. We’re excited to host the compliance community face-to-face from May 16-18 for what we’re confident will be a safe experience.

The 2022 national conference will be held at a new venue, the JW Marriott Hotel, and we’re looking forward to sharing with you over the coming months our thoughtfully planned agenda. Stay tuned for updates.

One more thing I’d like to see, on a personal note: Can we all agree to start using the blinkers on our cars again? The rules of the road require compliance as well.