From Singapore’s new AI governance framework to Australia’s AML overhaul to Basel reforms taking shape in the US, UK and EU, the global regulatory agenda for financial services is unusually dense right now. Tata Consultancy Services’ Ajay Katara maps what’s happening jurisdiction by jurisdiction and when institutions need to be ready.

The financial services industry is undergoing significant transformation, shaped by rapid technological advancements, shifting risk landscapes and increasing regulatory scrutiny. Across jurisdictions, regulators are rolling out new and updated frameworks aimed at reinforcing governance structures, improving operational resilience and safeguarding the stability of the financial system. As institutions embrace AI, expand their digital operations and contend with volatile macroeconomic conditions, regulatory bodies are intensifying their focus on managing emerging risks and ensuring systemic robustness.

Singapore

The Monetary Authority of Singapore (MAS) has released a comprehensive consultation paper proposing guidelines for AI risk management for all financial institutions operating in Singapore. With AI, and particularly generative AI, becoming integral to product design, customer engagement, compliance and risk management, MAS is prioritizing the establishment of formal AI governance frameworks.

The guidelines emphasize the FEAT principles — fairness, ethics, accountability and transparency — and assign explicit responsibility to boards and senior management. Financial institutions will be required to implement proportional controls throughout the AI lifecycle, covering model development, validation, monitoring and eventual decommissioning. With the consultation period having closed at the end of January, institutions will have a 12-month transition period to achieve full compliance. This initiative signals a move toward more structured and auditable AI oversight, underscoring the agency’s commitment to responsible AI adoption in the sector.

In response to lessons learned from the 2023 global banking crisis, MAS has also proposed updates to its 2013 liquidity risk guidelines. The enhanced framework introduces more rigorous stress-testing methodologies, greater operational readiness and an “operational reflex” approach to liquidity risk, ensuring that contingency funding plans (CFPs) are not just documented but can be executed in practice. These enhanced requirements are designed to reduce the risk of liquidity shortfalls during periods of stress and to foster a higher level of preparedness across the industry. 

Canada

The Office of the Superintendent of Financial Institutions (OSFI) in Canada has introduced Guideline E-21, which sets mandatory expectations for managing operational risk and building operational resilience. The guideline applies to banks, insurers, trust and loan companies as well as cooperative credit associations.

Guideline E-21 encourages a shift from traditional business continuity planning to a more proactive, outcomes-based resilience framework. Institutions are required to:

• Identify critical operations.
• Define maximum tolerances for disruption.
• Conduct comprehensive scenario testing.

This approach involves preparing for a variety of severe but plausible disruptions, including cyberattacks, technology failures and third-party service outages. The phased implementation timeline extends to September 2027, giving institutions time to strengthen their governance, data management, technology and cross-functional coordination capabilities.

Complementing the focus on operational resilience, OSFI’s Guideline E-23 establishes a comprehensive model risk management framework for banks, including foreign branches, as well as life insurers and property and casualty companies.

Institutions are required to adopt a rigorous, enterprise-wide approach to managing risks throughout the entire model lifecycle, including those based on AI and machine learning. The guideline mandates robust governance, validation, monitoring, documentation and accountability mechanisms to prevent financial and reputational losses stemming from model failures or misuse. Full implementation is scheduled for May 1, 2027, reflecting Canada’s ongoing commitment to addressing risks associated with advanced analytics and automation.

Financial Services

Banks Are Joining the Race to Issue Stablecoins; Can Their Compliance Teams Keep Up With the Risks?

by David Soiles and Manish Chopra

March 13, 2026

Controls and infrastructure banks have built over decades were designed for a different speed of money

Read moreDetails

Australia

Australia’s AUSTRAC has introduced new AML/CTF rules, which apply to banks and financial service providers. These updated rules represent a major overhaul of the region’s financial crime compliance framework, with key areas of focus including:

• Stronger governance and board-level accountability.
• Comprehensive, enterprise-wide risk assessments.
• Enhanced customer due diligence (CDD).
• Regulatory expansion to include virtual asset service providers (VASPs).
• Increased oversight of professions vulnerable to money laundering.

The new, technology-driven framework is designed to address emerging threats such as crypto-enabled crimes, cross-border illicit flows and complex fraud networks. The rules took effect March 31.

United Kingdom

The Prudential Regulation Authority (PRA) in the United Kingdom has postponed the implementation of Basel 3.1 for most financial institutions to Jan. 1, 2027, with a phased rollout extending through 2030. This delay provides banks with more time to adapt to the comprehensive operational, data and system upgrades necessary for compliance.

Basel 3.1 aims to bring greater clarity and risk sensitivity to capital calculations, leading to a moderate increase in capital requirements for major banks. These reforms are expected to shape lending strategies in sectors like infrastructure, real estate and small and medium-sized enterprises (SMEs), influencing both credit availability and pricing. The phased approach seeks to balance regulatory goals with the PRA’s objective of maintaining the UK’s competitiveness as a global financial center.

United States

In the US, regulatory agencies, including the Federal Reserve, the Office of the Comptroller of Currency (OCC) and FDIC, are moving ahead with the finalization of Basel III endgame reforms. These rules apply to banks with assets exceeding $100 billion and are slated to take effect Jan. 1, 2027.

Key components of the reforms include:

• Higher capital buffers.
• Stricter limits on internal risk models.
• More rigorous assessments of credit, market and operational risks.

These changes are intended to bolster the stability of the US financial system, improve comparability across institutions and reduce dependence on opaque or overly optimistic internal modeling practices.

Global market risk reforms

The fundamental review of the trading book (FRTB), led by regulators in the US, UK and EU, represents a substantial overhaul of market risk capital requirements for large, internationally active banks. The FRTB framework introduces:

• More granular risk measurement.
• Stricter trading desk-level capital attribution.
• Heightened requirements for data and model accuracy.

FRTB is scheduled for implementation in the UK and EU by January 2027 and in the US by January 2028. These reforms will require significant investments in technology, data infrastructure and risk analytics to meet the new and more demanding standards.

The regulatory environment for financial institutions is becoming more complex, interconnected and driven by technological change. Whether through advancements in AI governance, improvements in liquidity resilience or reforms in capital adequacy, global regulators share the objective of reinforcing the safety and stability of the financial ecosystem.

The post What Are Global Financial Regulators Prioritizing in 2026? appeared first on Corporate Compliance Insights.

Regulatory language is often broad by design, but broad language still has to become action inside a business. In marketing compliance, Prakash Kakarla writes, that means turning principles into review steps, escalation points, documentation standards and clear ownership. Organizations that do this well are usually not the ones with the longest policies but the ones with the clearest controls.

Most compliance teams know the regulation well enough to quote it. The harder work is turning that requirement into something a business can use every day. A rule may say a communication must be fair, clear and not misleading. It does not tell the organization who should review the content, what should trigger escalation, how exceptions should be handled or what evidence should be retained when the decision is made.

That gap is where a lot of compliance programs become difficult to operate. A policy may describe the standard and a procedure may explain the process, but unless those expectations are translated into controls that fit the actual workflow, the business will still rely on interpretation, memory and individual judgment. That is rarely a stable model, especially in a high-volume marketing environment where campaigns move quickly and approvals cannot be left to chance.

In practice, operational control design is not about making compliance heavier. It is about making it usable. A good control reduces uncertainty. It tells the business what matters, what does not and what has to happen before anything is published.

The first mistake many organizations make is reading regulation too literally. They focus on the sentence, rather than the purpose behind the sentence. The better approach is to ask what the regulator is trying to prevent.

Usually, the answer is simple in theory and complex in execution. The objective may be to avoid misleading the customer, overstating a product feature, hiding a limitation or creating an impression that does not match the underlying product terms. Once that objective is clear, the control design becomes easier.

This matters because operational controls should protect the outcome the regulation is trying to achieve. If the real risk is that a message could be misunderstood, then the control should catch that risk before publication. If the real risk is that a product benefit is shown without enough context, then the control should force that context into the review process. The control should serve the objective, not the other way around.

Leadership and Career

Why Compliance Leaders Should Think Like Marketers When Measuring Effectiveness

by Amy Hanan

September 29, 2025

Marketing transformed from “arts and crafts” to boardroom partner by proving business impact; compliance can follow the same playbook

Read moreDetails

Embed the control where the work happens & make ownership unmistakable

A control only works if it sits inside the actual business process. If it is added too late, it becomes a bottleneck. If it is added too early without enough context, it becomes a formality. The goal is to place the control where it will actually influence the outcome.

In marketing compliance, that usually means building the control into the content lifecycle. It should sit close to creation, not after the campaign is already complete, and it should be part of the review path, not an informal check done after the fact.

This is one of the most practical realities in the field. Business teams want speed. Compliance teams want accuracy. The right control does not choose one over the other. Rather, it creates a path that allows both. When the control is built into the process properly, it saves time later because fewer issues have to be corrected at the end.

A simple way to think about it is this: regulatory requirement, business risk, control and proof that it was actually done. That sequence should be visible to everyone involved.

One of the most common reasons controls fail is unclear ownership. Everyone agrees the control should exist, but no one is fully responsible for making sure it runs.

Operational controls need a clear owner. They also need clear participants. The business needs to know what is expected of it. Compliance needs to know when it is advisory, when it is approval and when it is escalation. The operations team needs to know what records must be kept. Management needs to know who signs off when the issue is outside normal parameters.

In many cases, the control itself is not the problem; the lack of ownership is. If people are not certain who makes the final call, the process slows down. If they are not certain who tracks evidence, the audit trail weakens. If they are not certain who updates the control when regulations change, the framework drifts. A strong control environment removes that ambiguity early.

The messy middle between policy and execution

This is the part that rarely appears in policies but determines most outcomes in practice. A typical scenario does not begin with compliance. It begins with a business objective. A product needs to be positioned, a campaign needs to go live and a message needs to resonate with customers. The first discussions happen between product and marketing teams, where the focus is on what the communication needs to achieve rather than how it will be assessed from a regulatory standpoint.

At this stage, key decisions are already made. The benefits to highlight are agreed; the tone is set; the positioning is aligned with competitive messaging in the market. By the time compliance becomes involved, the core structure of the communication is already in place.

What follows is a negotiation, not a simple review process. Compliance may raise concerns around how a claim could be interpreted or whether a disclosure is sufficiently clear. Marketing may respond that the wording reflects how similar products are presented elsewhere. Product teams may argue that changing the language weakens the value proposition. Legal may interpret the same requirement differently, adding another layer to the discussion.

These are not theoretical disagreements. They happen in short meetings, often close to deadlines, where the priority is to move forward rather than revisit earlier decisions.

This is where timelines begin to shape outcomes. A campaign tied to a product launch cannot easily be delayed. When changes require rework across multiple teams, the conversation shifts from “is this compliant” to “what is the minimum change needed to proceed.”

In that environment, certain patterns emerge. Questions that require deeper analysis are deferred. Language is adjusted just enough to reduce immediate concern. Disclosures are added but not always in a way that changes the overall impression. Often an implicit agreement to revisit unresolved issues emerges, but in many cases, that later stage never really happens.

Another pattern is more subtle. Content is sometimes positioned as a variation of something previously approved, even when the context has changed. This avoids triggering a full review and keeps the process moving. In other cases, decisions are presented as already aligned across teams, making it harder for compliance to challenge them without creating visible friction.

None of this happens because teams are ignoring compliance. It happens because compliance is introduced after the most important decisions have already been made.

By the time the material reaches formal review, the effort required to unwind those decisions is significantly higher than the effort required to accept incremental adjustments. The review becomes focused on making the content workable rather than reassessing whether the underlying message should exist in its current form.

This is also where controls are most vulnerable. A control that assumes a linear process will not hold when the actual process is iterative, time-constrained and influenced by multiple stakeholders. If the control is positioned at the end, it will consistently be applied under pressure.

In practice, this is where most compliance breakdowns occur. Not because the regulation is unclear, but because the process allows key decisions to be made before the control has a chance to influence them. 

Why good controls support the business

There is sometimes an assumption that compliance controls slow business down. Bad controls do, that’s true, but good ones usually do the opposite. A clear control framework helps the business move with more confidence. It reduces rework. It prevents last-minute surprises. It lowers the chance that a campaign has to be pulled back after launch, which is far more disruptive than a structured review at the start.

That is especially important in marketing compliance, where content moves fast and reputation can be affected very quickly. A well-built control protects the firm without making every decision feel like a negotiation.

Translating regulatory requirements into operational controls is one of the most important tasks in compliance. It requires a clear understanding of the regulation, a realistic understanding of the business and the discipline to connect the two through repeatable controls.

The best control frameworks are not the ones that look impressive on paper. They are the ones that work in the real environment, under time pressure, with imperfect information and across teams that do not always see the issue the same way. They are clear enough to follow, strong enough to defend and flexible enough to evolve. And they turn regulation into reality.

The post Why Marketing Compliance Reviews Happen Too Late to Matter appeared first on Corporate Compliance Insights.

Enterprise Vault, a provider of data and communications compliance software, has become a standalone business within Cloud Software Group.

Soniya Bopache, senior vice president and GM at Arctera, which was acquired by Cloud Software Group in 2025, will lead Enterprise Vault.

“Enterprise Vault serves organizations that cannot compromise on control, compliance or continuity,” Bopache said in a news release. “They operate in complex regulatory environments and need confidence that their investments will be supported for the long term. As a standalone business, Enterprise Vault has the focus and structure to stay closely aligned with those needs while continuing to invest in the capabilities they depend on.”

Correction: An earlier version of this article mischaracterized the development as Enterprise Vault spinning off from Cloud Software Group. 

The post Enterprise Vault Becomes Standalone Business in Cloud Software Group appeared first on Corporate Compliance Insights.

New products & platforms

MirrorWeb, a platform for regulated finserv firms, launched Mira, a supervision agent built for native communications data.

Arctera released AI Converge for the Arctera Unified Platform to enable organizations to investigate governed data within the AI tools they use while maintaining compliance, control and oversight. The company also announced its transition to a SaaS model.

Trent AI launched its AI Security Maturity Model, a structured framework to help security teams assess and improve security for the AI era, while reducing unmanaged risk across AI systems.

FinScan announced that its FinScan Payments solution now supports screening for stablecoin transactions and digital wallets across sanctions lists, alongside traditional payment rails, enabling a single approach for payments compliance.

Strike Graph released Trust Chain, a third-party risk management solution that moves vendor risk assessments from self-reported questionnaires to AI-validated compliance evidence.

LinkSquares announced a new all-agentic AI platform that automatically drafts, redlines and applies clause libraries and playbooks while also triggering workflows, tracking obligations and keeping work moving from intake through renewal.

The L Suite, the network for in-house counsel, introduced Lloyd, a community-powered AI tool for providing guidance. The company also announced Lloyd and its TopCounsel product will be connected to Anthropic’s Claude AI chatbot to assist in-house attorneys.

Alation launched Alation AI Governance to help enterprises govern AI systems, agents and models at scale.

Ontra launched for general availability its due diligence questionnaire (DDQ) solution, which uses AI to help fund managers complete limited partner DDQs quicker.

Partnerships

Quod Orbis, a provider of continuous controls monitoring, unveiled a UK partnership with cybersecurity consultancy i-confidential. 

Casepoint announced a partnership with Proofpoint to integrate with Proofpoint Archive, a digital communications governance portfolio.

The post GRC News Roundup: MirrorWeb, Arctera, FinScan & More appeared first on Corporate Compliance Insights.

Only the strongest survive. That’s what the DOJ is projecting with the FOCUS initiative, which is meant to bring the agency together with the best data miners digging into FCA whistleblower complaints, write Selina P. Coleman, Lesley C. Reynolds, Thomas H. Suddath, Jr., David A. Bender and Matthew K. Loughran of Reed Smith.

On April 30, the DOJ announced the fraud oversight through careful use of statistics (FOCUS) initiative, a new anti-fraud initiative designed to “improve the Department’s ability to prioritize working with the most successful data miners” filing qui tam, or whistleblower, complaints under the False Claims Act (FCA). 

Under this initiative, the DOJ is inviting data miners to meet with the Civil Fraud Section to discuss their capabilities and outline why and how their data signals reliably correlate to fraud. Although these meetings are not a pre-filing requirement, the DOJ stated that it “will prioritize working with data miners who have demonstrated an investment in pre-filing diligence and commitment to analytical rigor, familiarity with program rules, and legally sufficient allegations.”

The FOCUS initiative signals that data miner relators are here to stay and may improve their filings.

The DOJ trying to filter out unsuccessful cases

The DOJ has received a record number of FCA qui tam complaints in recent years. The DOJ noted in announcing this new initiative it received in 2025 a record 1,300 FCA qui tam complaints, and to date in 2026, it has already received more than 780 qui tam complaints. 

Data miners have accounted for much of this uptick, having filed more than 45% of all qui tam complaints since fiscal year 2024. According to the DOJ, however, recent data from FCA settlements and judgments suggests a lower overall success rate for qui tam complaints filed by data miners relative to department-initiated FCA complaints. Although this is not surprising, because the DOJ has access to non-public information, the DOJ says that “data miners can increase the quality and success of their qui tams by ensuring that they utilize only focused data analytics that identify reliable data signals with a reasonable correlation to fraud.”

Compliance

What DOJ’s Highest-Ever FCA Recoveries Signal for Cybersecurity, Customs and DEI Enforcement

by Douglas W. Baruch, Kayla Stachniak Kaplan, B. Scott McBride and Jennifer M. Wollenberg

February 5, 2026

Constitutional challenge to qui tam provisions heads toward Supreme Court, but neither DOJ nor relators show signs of slowing enforcement activity

Read moreDetails

DOJ offers guidance to relators

To ensure effective use of enforcement resources, the DOJ explained that it will prioritize high-quality data miner actions and offered guidance to relators and counsel who seek to use data mining in qui tam cases, including to: 

• Provide “high-quality, reliable, and predictive data analyses and signals and a thorough understanding of the relevant legal obligations.” 
• Be aware of the “heightened pleading standard of Rule 9(b) of the Federal Rules of Civil Procedure,” which requires pleading fraud with particularity.
• Provide “alternative explanations for the observed conduct and be able to articulate how the data, in combination with other available evidence, suggests both scienter and falsity.” 
• Consider partnering “with others who can aid their understanding of program eligibility requirements and regulatory frameworks.”

Key takeaways for qui tam targets

Although the DOJ’s announcement of the FOCUS initiative signals that data miner relators are here to stay and may improve their filings, certain key takeaways stand out.

The FOCUS initiative may shift the DOJ away from collaborating with unsophisticated data miner relators who leverage the FCA as a mechanism for pursuing a windfall. Instead, the announcement suggests the DOJ will more closely scrutinize data miner relators, focusing instead on collaborating with those who are mindful of the heightened pleading requirements under the FCA and who can more reliably correlate their analyses to substantiating claims of fraud. 

Although the result may be that FCA defendants will contend with more sophisticated cases that are harder to dismiss for failing to plead with specificity or similar grounds, those cases can, in some cases, offer FCA defendants a unique defense — the FCA’s public disclosure bar, which, in some cases, bars FCA cases predicated on publicly disclosed, data mined information if the government does not intervene. 

This article was originally published on Reed Smith’s site and is adapted here with permission.

The post The DOJ Wants Strong FCA Whistleblower Lawsuits From Data Miners appeared first on Corporate Compliance Insights.

AI, automation and algorithms are proliferating across many sectors of the global economy, including in regulated industries like pharma, where they are doing things like selecting clinical trial sites. But as regulators catch up, corporate leaders need to get clarity on areas where there can be no substitute for human accountability, says AI governance and board adviser Theodora Monye. 

Across regulated industries, investment in AI is accelerating. The ambitions of AI projects tend to be consistent: faster decisions, reduced operational cost, better outcomes at scale. What is less consistent is where human judgment ends and algorithmic authority begins. That boundary is not a technical question but a governance one. And most organizations are still working on answering it.

The assumption that sufficiently sophisticated algorithms can eventually manage an organization, or significant parts of it, is increasingly embedded in how boards and leadership teams think about AI strategy. It is also wrong, not because algorithms lack capability, but because capability is not the same as accountability. In regulated industries, accountability is not optional.

EU AI Act

Algorithmic decision-making is no longer theoretical in regulated environments, such as pharmaceutical and adjacent sectors. AI systems are already making or informing consequential decisions: clinical trial site selection, vendor qualification, regulatory documentation, risk classification and compliance monitoring.

In each of these contexts, the question regulators, auditors and boards are beginning to ask is not whether an algorithm was involved. It is who was responsible for the decision the algorithm supported and whether that accountability was documented before the decision was made.

The EU AI Act addresses this directly. Article 14 requires that high-risk AI systems be designed to allow effective human oversight during the period in which they are in use. Article 26 places obligations on deployers to use such systems in accordance with instructions for use and to assign human oversight to natural persons who have the necessary competence, training and authority. The accountability obligation falls on the organization deploying the system, not on the system itself. Nonetheless, the precise scope of these obligations remains subject to legal interpretation. Article 26 also preserves deployer discretion in organizing oversight measures. 

What algorithms can & can’t do (yet)

Algorithms are powerful tools for managing complexity at scale. In pharmaceutical and contract research organization environments, the practical advantages are real: processing volumes of data that no human team could analyze in equivalent time, identifying patterns across variables invisible to manual review and reducing inconsistency in routine decision processes.

In clinical operations, algorithmic tools have changed how study teams approach site selection, patient recruitment forecasting and real-world evidence generation in ways that matter operationally. In compliance functions, they surface anomalies and risks that manual review would miss.

Three governance responsibilities remain with the organization regardless of what the algorithm provides.

• Ethical judgment under uncertainty. Algorithms optimize for defined objectives within known parameters. They cannot weigh competing values, interpret ambiguous obligations or exercise the discretion that regulated industries require when situations fall outside established categories. A model can flag a transaction as anomalous. Determining whether that anomaly represents fraud, an error or a legitimate but unusual business activity requires human judgment and judgment carries accountability.
• Strategic direction. An algorithm can identify the most efficient path to a defined goal. It cannot determine whether that goal remains appropriate as circumstances change, whether the organization’s risk appetite has shifted or whether a regulatory landscape has moved in ways that require the strategy itself to be reconsidered. Those are questions for leadership.
• Accountability. When a governance failure occurs, regulators do not ask which model made the decision. They ask who was responsible for ensuring the model was appropriate, properly overseen and operating within sanctioned boundaries. Remember that under Article 26 of the EU AI Act, accountability sits with the deploying organization. It cannot be automated. It must be held by identifiable people with the authority and the mandate to exercise it.

Compliance

The EU AI Act’s ‘Wait and See’ Window Is Closing

by Naomi Grossman

April 6, 2026

AI literacy has survived attempts to water it down and remains a direct organizational obligation — not a policy aspiration

Read moreDetails

Autonomy levels matter

Determining how much autonomy an AI system should be permitted to exercise, and what oversight is required at each level, is one of the most consequential practical decisions in AI governance, and one that most organizations have not made explicitly. AI systems do not simply operate autonomously or not. They exist on a spectrum: from systems that provide information for human decision-making, through systems that recommend actions, to systems that execute decisions within defined parameters, to fully agentic systems capable of taking consequential actions without real-time human involvement.

Article 14 of the EU AI Act reflects this reality, requiring that oversight measures be commensurate with the risks, level of autonomy and use context of the high-risk AI system. The accountability structures, oversight mechanisms and documentation obligations appropriate for an information-providing system are not sufficient for an agentic one. Treating them as equivalent is a governance error with direct regulatory consequences.

Classifying autonomy levels before deploying AI systems, and designing oversight proportionate to each system’s level of autonomy, is not a compliance exercise. It is the foundation on which everything else rests.

Lessons for leaders

Establish accountability before deployment. Who is responsible for each AI system’s decisions and how that accountability is documented should be resolved before the system goes live. Resolving it retrospectively is harder and carries less credibility under regulatory scrutiny.

Classify autonomy levels explicitly. A system that surfaces information for human review requires different oversight from one that executes decisions autonomously. Making those distinctions explicit and building oversight proportionate to each level is the practical work of AI governance.

Build governance into operating models, not compliance functions. Governance that sits only within the compliance team is fragile. When governance obligations are integrated into how decisions are made, documented and reviewed across the organization, they have a better chance of holding.

Treat regulatory frameworks as a floor. The EU AI Act Regulation, ISO/IEC 42001:2023 and the NIST AI risk management framework set minimum expectations. Organizations that treat those minimums as the target will find themselves reactive as frameworks evolve. Those that build beyond the minimum are better placed to absorb change without disruption.

The post The Time to Set Rules Around AI Use Is Before — Not After — You Deploy It Everywhere appeared first on Corporate Compliance Insights.

AI doubles as top employer concern, outpacing immigration and DEI

AI has overtaken immigration and DEI as the top workplace policy concern among US employers, with 84% expecting business impacts from AI-related regulatory changes over the next 12 months — double the share who said the same in 2025, according to new research from Littler, an employment and labor law firm. The firm’s 14th annual employer survey drew on responses from more than 300 US-based C-suite executives, in-house lawyers and HR professionals.

The survey surfaces a governance gap that could leave employers exposed. While 68% now report having a formal AI policy — up from 38% in 2025 — only about half have a formal review or approval process for AI tools (55%) or restrictions on what information employees can enter into them (54%). Nearly four in five respondents (79%) expressed concern about AI-related litigation, with data privacy (49%), discrimination or bias (45%) and compliance with state and local AI laws (43%) as the leading areas of focus.

Other key findings:

• Workplace accommodation litigation concerns jumped to 67% of respondents — up from 50% in 2025 — with 97% reporting at least one challenge in managing leave and accommodation requests and 67% seeing an increase in mental health-related requests over the past year.
• Unlawful DEI practices emerged as the top employer concern regarding False Claims Act enforcement priorities at the DOJ, cited by 35% of all respondents and 53% of those from large organizations.
• Despite declining concern about immigration as a policy issue (49%, down from 75%), 73% of respondents still expect DHS and ICE enforcement activity to affect their workplaces in the coming year.

A third of employees won’t report wrongdoing out of fear

One in three employees would refuse to report misconduct in the workplace out of fear of retaliation, a survey by Outten & Golden found. The survey, which drew from responses from more than 1,000 Americans, also found 22% of respondents reported witnessing unethical or illegal conduct at work.

Most employees don’t know about protections for whistleblowers, the survey found, with more than 40% of respondents saying they were unaware of government whistleblower programs offering confidentiality, legal protection and financial incentives.

Of the respondents, 21% said they felt pressured to compromise their ethical standards at work; that figure rises to more than a quarter (26%) among men.

In another key finding, 13% of employees don’t believe employers communicate honestly and openly. Such skepticism rises with age, with the survey finding older employees more suspicious about how transparent their employers are.

The survey also looked into workers’ feelings about DEI measures. Almost three quarters (73%) believe DEI should be a workplace priority. A disconnect with workers’ opinions and employment practices persists; just under 30% of employees said their employer does not treat DEI as a priority.

Boards getting more involved in security matters

Board directors are increasing their oversight of physical security and executive protection, according to a survey by EY, a business and government consultancy, which found that 87% of corporate decision-makers said that over the past 12 to 18 months, boards have become more hands-on in this area.

Nearly eight in 10 (79%) of companies surveyed increased security budgets compared to 2024, while just 12% of respondents indicated their organizations were prepared to detect a targeted attack against an executive or employee.

Organization leaders are also preparing for cyber attacks, EY said. Nearly 60% of executives and board leaders have pressure-tested AI bypassing physical security controls or creating deepfakes impersonations of executives intended to gain access.

The survey included responses from 250 leaders who influence executive protection, physical security programs, budget and policy.

Nearly half of finance and IT executives made major decisions on bad data in the past year

Nearly half of senior finance and IT executives (47%) say they made a material business decision based on inaccurate, incomplete or outdated financial data in the past 12 months, according to a survey by OneStream, an enterprise finance software company. The survey polled 352 executives across the US, UK and France, including CFOs, CIOs, CTOs and chief data and AI officers at companies with at least $50 million in revenue.

Financial consequences were significant: 72% of executives who experienced bad data said it cost their organization $500,000 or more, and 37% reported damages exceeding $1 million. Downstream effects included delayed reporting and financial close (44%), lost revenue opportunities (41%) and compliance issues (35%).

Risk appears to be compounding as AI use grows. Executives who have made decisions on bad data are four times more likely to use 10 or more AI tools than their peers, suggesting that heavier AI adoption may be amplifying data quality problems. Meanwhile, 95% of those executives report concerns about AI-related risks, including flawed decisions (37%) and financial misreporting (20%).

A generational dimension adds nuance to the findings. Younger executives (ages 25 to 44) use AI more heavily — 82% use three or more AI tools for decision-making, compared to 69% of more experienced peers — but are also more exposed: 51% report making a material decision on faulty data vs. 39% of older leaders. They are also more than four times as likely to report significant financial or compliance impacts as a result (17% vs. 4%).

Most finance leaders say tax compliance mandates are outpacing their ability to manage them

More than half of senior finance executives (58%) describe domestic and global tax compliance mandates as complex for their organizations, and 44% say regulations are changing too quickly to manage effectively, according to a new survey by Sovos, a tax compliance software company. The survey of 300 finance leaders at companies with revenues of $500 million or more — conducted across financial services, manufacturing and retail — found that compliance is increasingly constraining broader business strategy.

Regulatory velocity is a defining concern: 61% of respondents identified the pace of new government mandates as the biggest compliance risk over the next two to three years, ahead of increasing complexity of global operations (56%) and rising costs of compliance technology and staffing (42%). Three-quarters of respondents (75%) say compliance limitations prevent their organizations from being more strategic in business decisions, including geographic expansion and new product launches.

AI is emerging as a potential tool, but anxiety accompanies it. Nearly 40% of respondents plan to evaluate or implement AI-driven tax compliance tools in the next fiscal year. Yet 86% said they are extremely or very concerned about data security with AI-enhanced compliance solutions.

The post 84% of Leaders Expect Effects From AI Regulation Over Next Year appeared first on Corporate Compliance Insights.

AI cybersecurity platform provider Exaforce has raised $125 million in Series B funding with investments from HarbourVest, Peak XV and Mayfield. Coming a year after Exaforce raised $75 million in Series A funding, the cybersecurity platform now has $200 million in funding.

Funders in Series B also included Khosla Ventures, Seligman Ventures and AICONIC, according to a news release. The new capital will help Exaforce scale its AI-native security operations platform, deepen its real-time reasoning capabilities and expand globally. 

“We built Exaforce to be the platform defenders actually work in, not just an AI layer on top of existing tools,” said Ankur Singla, CEO of Exaforce. “It starts with a real-time knowledge graph that gives agents complete context from the start, and extends into rich investigation and visualization experiences that put security engineers and AI agents on the same page. This funding lets us deepen that platform and bring it to security teams on a global scale.”

The post Exaforce Raises $125M for AI Cybersecurity Platform appeared first on Corporate Compliance Insights.

Optro has acquired Midship, an AI-native SOX automation solution, the Los Angeles-based GRC software provider said.

Midship uses AI agents to complete high-volume, repetitive auditing and control testing processes that have traditionally been done manually. Midship will be fully integrated into Optro’s Controls Management product. Terms of the deal were not disclosed, but Optro reported that Midship’s co-founders — Kieran Taylor, Aahel Iyer and Max Maio — would join Optro’s product team.

“We moved internal audit from spreadsheets to the cloud, and now we are leveraging agentic AI to transform the function from tactical and manual to strategic and automated,” Raul Villar Jr., CEO of Optro, said in a statement. “By embedding the market’s leading agentic SOX solution directly into Optro’s system of action, we are delivering the next generation of AI to our customers.”

The Midship acquisition is the latest in several months of moves for Optro. In March, the company rebranded to its current name from Auditboard. In fall 2025, the company announced it was acquiring FairNow, an AI governance platform. In July 2025, Villar was named as the company’s CEO. 

The post Optro Acquires AI Auditing Platform Midship appeared first on Corporate Compliance Insights.

Of the nine enforcement cases CCI examined where companies received credit for timely disclosure, only two included a measurable time window. In several others, the timeliness clock had effectively run out before the company acted — a whistleblower, a press report or a parallel investigation had already answered the question. CCI editorial director Jennifer L. Gaskin examines what the enforcement record actually says about one of corporate compliance’s most consequential — and least defined — obligations.

“Voluntary and timely.” Those three words, or variations of them, do some serious heavy lifting in corporate resolutions with government authorities and guidance for corporate compliance programs. Corporate leaders might wish for specifics like “within hours” or “weeks later,” which is understandable, especially when considering the self-disclosure record. CCI’s analysis of nearly two dozen actions over the past decade reveals a messy reality: What the DOJ today pitches as “guaranteed” credit may still be more of a gamble than advertised if history is a guide.

There can be little doubt that timely disclosure (along with remediation and full cooperation) can pay dividends. In the cases CCI analyzed where companies missed the timeliness window, they faced criminal penalties and disgorgement averaging in the range of $140 million to $170 million. 

Indeed, speed is of central importance to many modern corporate compliance and internal audit programs. But enforcement patterns reveal that timeliness is a Venn diagram rather than a perfect circle — what companies think is timely disclosure may not meet a standard the government hasn’t clearly defined.

That means finding out someone in your organization may have broken the law, investigating the situation, fixing what needs to be fixed and reporting all of that to the government — probably long before you’ve even closed the book on your internal investigation.

Practitioners who navigate these decisions regularly say the tension is real. 

“[The DOJ wants] you to disclose all relevant facts, but they also want you to disclose very, very early,” Taryn McDonald, a partner at Haynes Boone, told CCI. “That’s really hard to do. … If you make a decision to disclose, you’re not waiting till it’s all tied up with a bow. It’s just not going to be possible.”

Compliance

One CEP to Rule Them All?

by Jennifer L. Gaskin

March 18, 2026

The DOJ released its first-ever department-wide corporate enforcement policy ostensibly to bring fairness and transparency to the government’s decisions on charges against companies accused of criminal conduct.

Read moreDetails

What does timely mean? Only the DOJ knows

The enforcement record, like DOJ’s guidance, is scant on details, even when companies have gotten credit for timely reporting. Of the nine cases CCI examined where companies received credit for timely disclosure, only two included any measurable time window. In one, a company disclosed within three months of identifying potential misconduct and within hours of internal confirmation. In another, the board learned of the issue and notified the government within two weeks.

The remaining credited disclosures were described in language likely to frustrate any compliance officer looking for a benchmark. “Voluntarily and timely.” “Promptly.” “Prompt, voluntary self-disclosure.” No clock. No threshold. In one of those five cases, the company disclosed while its internal investigation was still underway, a fact the declination letter noted approvingly, without explaining what it might have meant to wait.

What the credited letters share is notable for what they omit. None of them define the starting point of the timeliness clock or a tipping point — whether that is the date of an initial allegation, the conclusion of a preliminary inquiry or the moment internal confirmation is reached. None explains what delay, if any, would have disqualified the company. The government’s message to companies that got it right amounts to: you were timely. The message to everyone else is more instructive.

When companies missed the window — or never opened it — the language in enforcement documents is more specific. A deferred prosecution agreement with one major company noted that it “did not voluntarily and timely disclose” the conduct at issue. Another stated the company “did not receive voluntary disclosure credit” because its disclosures came “only after the [SEC] requested documents” and years after the company became aware of bribery allegations through a whistleblower complaint and a civil lawsuit — allegations it investigated internally but chose not to report. 

In several cases, the record makes plain that the clock wasn’t stopped by anything the company did but by someone else getting there first. A former employee copied American and Indian government authorities in an email before the company came forward. Press reports made public allegations of misconduct before a company began cooperating. In each instance, the DOJ’s letter explained the denial in terms of sequencing — who knew what, and when — rather than in terms of what the company found or how long its investigation had run. The timeliness question, in those cases, had already been answered before the company picked up the phone.

When someone beats you to it

The external-trigger pattern — where the timeliness clock effectively runs out before a company acts — appears in several of the enforcement actions CCI reviewed, and the government’s language in those cases is precise about what happened.

In one case involving a global spirits company, a former employee copied American and Indian government authorities on correspondence related to the alleged misconduct before the company came forward. The company did not receive voluntary disclosure credit. Its penalty: $19.6 million.

The pattern is similar in a 2024 deferred prosecution agreement (DPA) with SAP SE, the German software giant. The DPA states the company “did not voluntarily and timely disclose” the conduct at issue — because it didn’t need to. South African investigative reports had already made the allegations public. SAP began cooperating immediately after the press reports appeared, earning substantial cooperation credit, but VSD credit was off the table. The company paid $119 million in criminal penalties and $103 million in disgorgement. 

In both cases, the decision about timeliness wasn’t really a decision at all because it had been made by someone else.

The cases involving Panasonic Avionics and Albemarle are different in kind, and in some ways more instructive. There, companies had the information. They had conducted internal investigations. The question of whether to disclose was squarely in front of them and the record reflects what they chose.

Panasonic Avionics learned of bribery allegations through a whistleblower complaint and a civil lawsuit. It investigated. Its DPA states the company “chose not to voluntarily report to the relevant authorities.” Disclosure came only after the SEC requested documents. The company paid $137.4 million and was required to retain a monitor for two years.

Albemarle, a specialty chemicals company, confirmed misconduct in one geography and waited more than nine months before disclosing, simultaneously reporting related conduct in three additional countries. The disclosure of the original conduct was deemed untimely; the additional countries received partial credit. Total penalties came to roughly $196 million. 

Walmart’s experience adds a further wrinkle. The company proactively disclosed misconduct in Brazil, China and India before the government had independently learned of it, conduct that would ordinarily qualify for voluntary disclosure credit. It didn’t, because the government was already investigating related conduct in Mexico. The disclosure of one matter, it turned out, had contaminated the credit available for all the others. 

Risk analysis, not a math problem

For companies weighing whether to disclose, the enforcement record suggests the decision rarely turns on the investigation findings themselves but on a balance of many factors, including the nature of the conduct itself.

“Part of that calculation is also what is the conduct, what does it look like, who was involved, how prevalent is it and all of those things kind of weigh more in favor of a potential self-disclosure than not,” McDonald said.

Establishing and reinforcing compliance culture is the first of many steps toward self-disclosure, McDonald said.

“Having a real compliance program, a real compliance culture where folks at the company are encouraged to report any issues … if you have no way to identify a potential issue, it really handicaps you as a company in terms of self-disclosure.”

The post What the Enforcement Record Says About ‘Timely’ Disclosure appeared first on Corporate Compliance Insights.