Regulation and guidance from federal agencies and the White House, plus compliance challenges stemming from a two-year global pandemic and Russia’s ongoing invasion of Ukraine, made the first quarter of 2022 a novel risk environment for regulated businesses.

Below is a sampling of compliance program challenges and directives.


In March, the Securities and Exchange Commission (SEC) proposed long-awaited rules that would require companies to report on how their operations affect the climate and the formation of carbon emissions.

The proposed rule, which was approved by a 3-1 margin and is currently open to comment for at least 60 days, would order companies to disclose how climate risks affect their business, outline their own greenhouse gas emissions, and report on climate-related goals.

A month prior, the SEC proposed two amendments to the rules governing its whistleblower program. The first change concerns award claims for related actions that would be otherwise covered by an alternative whistleblower program. The second affirms the agency’s authority to consider the dollar amount of a potential award for the purpose of increasing an award—but not to lower one.

On March 30, the SEC announced its 2022 examination priorities, flagging crypto assets; information security; the private fund sector; and environmental, social, and governance (ESG) issues among them. The agency noted it will also review whether funds’ proxy votes align with their ESG-related disclosures and mandates and whether they are misrepresenting their ESG commitments and efforts.

In February, the Financial Industry Regulatory Authority (FINRA) released its 2022 examination and risk monitoring report, in which it highlighted considerations for member institutions’ compliance programs. Among the organization’s enforcement priorities were concerns regarding cryptocurrency and cybersecurity.

Sanctions and business continuity

The Russian invasion of Ukraine and subsequent sanctions on individuals, companies, and products imposed by the United States and other nations have led to increased workloads for compliance officers whose businesses operate in or close to Russia and Ukraine.

These companies are scrambling to craft business continuity plans and safe passage for their employees operating in dangerous places. The Wall Street Journal offers an in-depth analysis of this daunting challenge and what business leaders are doing to confront it.

Digital assets

In March, President Joe Biden issued an executive order that set forth six principal policy objectives in furtherance of U.S. initiatives in the digital asset space.

The objectives include consumer and investor safeguards, the protection of U.S. and global financial stability and mitigation of systemic risk, and the promotion of access to safe and affordable financial services for Americans.

Most notably, the executive order commands research and development efforts into the potential design and deployment options of a U.S. central bank digital currency.


In January, the White House issued a memorandum noting the federal government must improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber campaigns and their actors through bold changes and significant investments in cybersecurity.

In early March, the SEC proposed a rule stating public companies would have to report material cybersecurity incidents no later than four business days after they occur.

More recently, Biden issued a written statement warning Moscow might lash out with cyberattacks because of the “unprecedented economic costs we’ve imposed on Russia,” imploring businesses to enhance cyber defenses immediately.

CCO liability

Last year, the New York City Bar Association proposed a framework outlining when the SEC should decide to charge a chief compliance officer for compliance failures at his or her financial services firm.

In January, the National Society of Compliance Professionals issued a framework of its own, urging regulators to consider CCO liability in the context of the compliance culture within a CCO’s firm.

In March, FINRA issued a regulatory notice clarifying individual liability under its rules is predicated upon the firm’s express or implied designation of a person as a supervisor and the delegation of supervisory responsibility to this individual. FINRA noted compliance officers generally are not supervisors at their firms unless they wear another hat, such as also serving as the chief executive officer.