Where global M&A trends are pointing in 2026

2026 report

Global M&A Trends

What’s in this report from Norton Rose Fulbright and Mergermarket:

Dealmaker sentiment has rebounded sharply in 2026, with confidence in global M&A activity climbing well above last year’s levels. The findings, based on a survey of 200 senior executives across corporates, private equity firms and investment banks conducted by Mergermarket on behalf of Norton Rose Fulbright, point to a market gaining confidence even as a two-speed dynamic persists between surging megadeals and a more subdued mid-market.

Some key findings:

• How geopolitical risk, including the conflict in the Middle East, is factoring into dealmaker appetite and decision-making.
• Which sectors and subsectors respondents see as best positioned for cross-border M&A growth in 2026.
• The role private equity dry powder and private credit are expected to play in driving deal financing over the next two years.

The post 2026 Global M&A Trends appeared first on Corporate Compliance Insights.

HICX, a supplier data management platform for large enterprises, has secured a £15 million growth funding and refinancing package from HSBC Innovation Banking and existing investor Wavecrest Growth Partners.

HICX provides a platform that large organizations use to manage supplier onboarding, supplier information, risk and performance through a single supplier data foundation. The company plans to use the capital to invest in its platform and customer roadmap, expand commercial capability and pursue selective acquisitions, according to a news release. HICX was founded in 2004 and currently supports deployments in more than 120 countries.

“At a time when AI automation and regulation are both raising the stakes, this is a strong vote of confidence in our position as the governed supplier data foundation that large enterprises rely on to ensure their supply chains can run smoothly,” HICX CEO Dafydd Llewellyn said in a news release.

The post HICX Secures £15M Funding Package From HSBC, Wavecrest appeared first on Corporate Compliance Insights.

ZRG, a global talent advisory and executive search firm, has acquired Fortium, a Dallas-based firm that provides fractional, interim and project-based CIO, CTO and CISO leadership. Terms of the deal were not disclosed.

Founded in 2014, Fortium serves public, private and private equity-owned organizations and has built a network of more than 180 partners who provide technology leadership through interim, fractional and project-based engagements.

Burke Autrey, founder and CEO of Fortium, will join ZRG as president of Fortium Partners, a ZRG company. Fortium will integrate into ZRG’s Interim Solutions & Project Consulting business.

“Fortium has built a leading position in interim and fractional technology leadership, bringing experienced operators into the business in a way that is aligned to the actual need, not a default org chart,” Mark Viner, leader of Interim Solutions & Project Consulting at ZRG, said in a news release.

The post ZRG Acquires Technology Leadership Firm Fortium appeared first on Corporate Compliance Insights.

Kalipso has raised $3.2 million in seed funding as it expands across European markets, the Barcelona-based regtech provider said.

The round was backed by Varsity, Lanai, Plug and Play, Kima Ventures and Vento. Kalipso’s platform analyzes regulatory developments, identifies which obligations apply to an organization, surfaces gaps in existing frameworks and generates implementation-ready fixes with source traceability. The platform tracks more than 100 regulatory sources across more than 40 jurisdictions, including frameworks like DORA, MiCAR, PSD2, the EU AI Act, GDPR and MiFID II. The company, founded in 2025, said it plans to expand its team in 2026 while deepening its presence in the UK, France, Spain, Italy and the Benelux region.

“Teams don’t need another alert feed or another long report. They need infrastructure that turns regulation into action, and the peace of mind of knowing they are compliant,” Virginia Debernardi, co-founder and chief operating officer of Kalipso, said in a news release.

The post Kalipso Raises $3.2M Seed Round appeared first on Corporate Compliance Insights.

Mis-selling is seldom mysterious. It’s usually the outcome of predictable breakdowns, such as weak customer profiles, incentives that favor volume, inadequate product governance, ineffective supervision or limited post-sales detection, D. Daxton White of White Law Group explains. The most useful improvements come from taking a long-term and proactive approach. 

Mis-selling, especially the sale of inappropriate or unsuitable financial products, rarely stems from a single broken policy. More often than not, it is the result of several control gaps that compound over time, leading clients to buy products they don’t understand, don’t need or can’t afford.

Fortunately, many of the most common causes are fixable. 

1. Suitability data is incomplete, stale or overlooked

Mis-selling often begins with weak customer data. If risk tolerance, time horizon, liquidity needs, investment objectives or experience are outdated, the resulting advice process becomes guesswork.

In many organizations, Know Your Customer (KYC) information is collected once at onboarding, rarely refreshed and captured in free-text fields (unstructured categories like “notes,” “description” or “other”) that are hard to validate. Advisers may also default to generic, imprecise profiles like “moderate growth” that are not meaningfully tied to product constraints.

When KYC is thin, product recommendations can appear reasonable on paper. This is how high-risk, illiquid or complex products end up in accounts that should be focused on preserving capital and near-term liquidity while minimizing risk.

Remediation steps

• Implement force-structured KYC. Replace free text with standardized fields, such as time-horizon bands, liquidity tiers, risk-capacity indicators and product-experience checklists.
• Add hard stops for missing data. No recommendation submission, trade ticket or proposal can proceed if any essential KYC fields are blank or older than a set threshold.
• Apply event-driven refreshes. Require KYC updates when major triggers occur, such as age bands, retirement, large deposits or withdrawals, job loss or large losses.
• Build suitability mapping rules. Translate KYC into explicit product eligibility rules to prevent investors from getting locked into products that don’t match their needs. 

2. Incentives and sales pressure overshadow governance

Mis-selling is likely to occur when revenue targets, payout grids and recognition programs reward volume and margin without equally weighing suitability, complaint rates or client outcomes. Even well-intentioned advisers can rationalize recommendations if the system continually reinforces production over ethics and prudence.

Incentives shape behavior. If complex or higher-commission products are disproportionately rewarded, sales will drift toward those products. In an organization, peer pressure and internal competitiveness can prompt advisers to engage in excessive trading or sell inappropriate products to keep up. Suitability justifications can be manufactured after the fact, often damaging clients’ long-term results.

Remediation steps

• Rebalance scorecards. Introduce measurable conduct metrics, such as post-sale cancellations, early surrender rates, complaints, concentration breaches and supervisory rework rates.
• Add negative incentives. Reduce payouts or award eligibility when suitability flags or remediation findings exceed defined thresholds.
• Establish accountability. Assign an experienced leader who can oversee compensation design inputs and risk assessment.
• Apply targeted surveillance when red flags are visible. Monitor advisers with sudden changes in product mix, unusually high commission yield or high replacement activity.

3. Product governance is weak

Firms may have product committees and due diligence memos, but controls fail when the target market is not embedded into workflows. Products get approved then distributed broadly with minimal oversight. Risk and complexity can be underestimated, and education is minimal.

Without enforceable distribution rules, advisers can place niche products into unsuitable accounts. Clients may not understand downside scenarios, lockups, surrender charges or volatility risks until it’s too late. For certain unregistered or high-risk securities, there may be inadequate checks to ensure investors are accredited.

Remediation steps

• Create product guardrails. Plain rules should define account eligibility, maximum allocation, concentration limits, liquidity constraints and experience requirements.
• Pre-trade eligibility checks. Automate checks at the time of order entry rather than after settlement.
• Tiered product access. Require additional approvals or certifications for higher-complexity products.
• Standardize disclosure. Mandate short, consistent risk scenarios that must be acknowledged for risky products.

Financial Services

Will AI Change FinServ Regulation? Here’s What History Tells Us.

by Hollie Mason and Ryan Murphy

April 20, 2026

Regulators’ actions concerning AI in financial services are likely to increase in scope and frequency

Read moreDetails

4. Supervisory reviews are inadequate

Many supervisory programs focus on whether forms are completed but fail to address whether the recommendation actually makes sense. Supervisors can be overloaded, and reviews can be little more than rubber stamps. Documentation is frequently limited, generic or inconsistent with the client profile.

When supervisors don’t challenge weak rationales, the organization can sink into a policy where plausibility is optional. Over time, advisers learn that the flimsiest narrative is enough to justify decisions.

Remediation steps

• Upgrade the standard of review. Require supervisors to confirm alignment across KYC, product features and allocation size.
• Introduce reasonableness prompts. Structured questions like, “What is the client’s maximum downside tolerance?” are smart.
• Employ second-line reviews. Rotate targeted samples by product, adviser and branch. Feed findings into supervisor training.
• Clarify expectations. Get rid of vague boilerplates. Require specific references like time horizon, liquidity, prior experience and concentration.

5.  Insufficient post-sale controls

Even strong pre-sale controls can miss certain cases. The problem is compounded when post-sale monitoring is limited to complaints. In reality, silent harm often shows up in behaviors like early surrenders, frequent replacements, rapid concentration build-up, margin calls or repeated exceptions.

If a firm waits for complaints, it may be months or years after clients experience losses, liquidity constraints or fee shock. This kind of delayed reaction can cause multiple incidents to pile up because of poorly conceived policies. Early detection is essential for limiting impact.

Remediation steps

• Implement outcome-based alerts. This is for early surrender or cancellation rates, replacement patterns, high-fee product issues, concentration drift and exception frequency.
• Have client outreach triggers. For high-risk or complex sales, conduct brief quality-assurance calls to confirm the client’s understanding of key features and risks.
• Make necessary adjustments. Every alert investigation should produce a control fix, such as rule changes, training updates or KYC field improvements.
• Use “near misses.” Track prevented trades and failed suitability checks to guide future policies.

Address a pair of realities

When mis-selling occurs, firms need to address two realities: control failures that enabled the behavior and the potential harm to clients who received unsuitable recommendations. This may mean sacrificing short-term sales and possibly losing clients whose risk tolerance is out of proportion to their actual needs and situation. Taking such a circumspect approach allows firms to reduce both regulatory exposure and client harm.

The post Root Causes of Mis-Selling: 5 Control Failures & How to Remediate Them appeared first on Corporate Compliance Insights.

Executive Order 14398 represents a significant expansion of the government’s enforcement posture on DEI and creates an environment where the cost of delay could substantially exceed the cost of preparation, Andrew Turnbull of Morrison Foerster writes. Contractors should consider implementing certain steps to mitigate risks related to these new requirements.

Federal contractors and subcontractors face sweeping new obligations under Executive Order 14398 that prohibit them from engaging in “racially discriminatory DEI activities” and requires reporting any “reasonably knowable” violations by subcontractors. The FAR Council has already issued a mandatory contract clause, FAR 52.222-90. Agencies have begun inserting it into new solicitations, targeting a completion date of July 24 for modifying existing contracts. Enforcement is not waiting. With a $17 million DOJ DEI settlement already on the books and the July 24 deadline approaching for existing contract modifications, the compliance window is fast approaching. 

Expansive DEI restrictions and requirements

Executive Order 14398 goes beyond the Trump Administration’s earlier action under Executive Order 14173, which required contractors to certify they did not operate DEI programs that violated existing federal anti-discrimination law. The most recent executive order and the new FAR clause bind contractors to the following obligations:

• To not engage in any “racially discriminatory DEI activities.”
• Furnish all information and reports to the contracting agency to ascertain compliance with EO 14398, including providing access to books, records and accounts.
• Report to the contracting agency any “subcontractor’s known or reasonably knowable conduct that may violate” FAR 52.222-90 and “take any appropriate remedial actions” directed by the contracting agency.
• Inform the contracting agency if a subcontractor sues the contractor for putting EO 14398 at issue in any manner.
• Acknowledge that the contract may be canceled, terminated or suspended and the contractor or subcontractor declared ineligible for further government contracts for noncompliance.
• Recognize that compliance with FAR 52.222-90 is material to the government’s payment decisions for False Claims Act (FCA) purposes.

The phrase “racially discriminatory DEI activities” is defined broadly as disparate treatment based on race or ethnicity, including programs relating to recruitment, employment, training, mentorship, clubs, contracting, program participation or the allocation and deployment of resources. Several notable points stand out:

• The definition is limited to race and ethnicity; it does not reach gender or other protected characteristics.
• The prohibition is not tethered to violations of existing law, meaning it could capture programs that may be defensible under federal anti-discrimination law.
• It applies to a broad range of activities, including employment, supplier diversity, corporate investments, mentoring and resource allocation.

The “known or reasonably knowable” reporting standard creates significant ambiguity around what level of diligence the government will expect. Contractors should consider whether contractual, monitoring and other measures with subcontractors are warranted to mitigate compliance risk. Beyond legal exposure, this obligation is likely to create practical business and operational friction, especially if key subcontractors refuse to accept the clause or resist the contractor’s efforts to comply with EO 14398.

FAR 52.222-90 is being incorporated quickly and broadly. According to guidance from the FAR Council, FAR 52.222-90 must be included in all new federal contracts and “contract like” instruments over the micro-purchase threshold (currently $15,000). This includes contracts for commercial products and commercial services where the place of delivery or performance is in the US. Contracting officers must also “make every effort” to bilaterally modify existing contracts by July 24 but have discretion to modify contracts that will expire before Dec. 31. 

Several agencies have already begun inserting FAR 52.222-90 into new solicitations and seeking bilateral modifications of existing contracts. Some prime contractors are also starting to flow down FAR 52.222-90 into subcontracts.

The FAR Council is also seeking Office of Management and Budget (OMB) clearance under the Paperwork Reduction Act (PRA) to impose several information-collection obligations under FAR 52.222-90, including producing books and records for the contracting officer, reporting subcontractor conduct that is “known or reasonably knowable” and may violate the clause and notifying the contracting officer of any subcontractor litigation challenging the clause’s validity. The FAR Council’s PRA supporting materials suggest the scale of these requests will be significant. It estimates 6,000-plus contractors may annually be subject to agencies’ records requests with each submission expected to require roughly one hour of contractor effort but 16 hours of agency review. How these reviews will be scoped, how far back they will reach, what specific data elements will be required under the final collection and whether the personnel conducting reviews will have training in assessing disparate treatment remain unanswered.

Contractors should begin organizing compliance records and building response protocols now rather than waiting for these questions to be answered. Even before PRA clearance, agencies retain authority to compel production of existing records in connection with investigations, including records sought by the EEOC or DOJ.

Leadership and Career

Why Black Colleagues Still Do Not Feel Safe Reporting Racial Discrimination at Work

by Marcelle Moncrieffe‑Newman

April 7, 2026

Lack of anti-Black racism claims does not necessarily mean your speak-up culture is working well

Read moreDetails

Enforcement teeth

FAR 52.222-90 requires contractors to acknowledge that compliance is “material to the government’s payment decisions” for FCA purposes. That express materiality provision is designed to neutralize a defense that contractors have historically raised that a requirement was too minor or ancillary to support an FCA claim. Whether that contractual language alone will satisfy the Supreme Court’s materiality standard under Universal Health Services, Inc. v. Escobar remains an open question, but it plainly signals the government’s intent to treat these certifications as enforceable commitments.

The consequences of noncompliance can be severe. FCA violations can result in treble damages, potentially up to three times the contract’s value plus per-claim penalties of roughly $14,000 to $28,000. Collateral consequences include suspension, debarment, reputational harm and shareholder class actions.

Noncompliance is now a ground for debarment and suspension under FAR Part 9. Under that traditional standard, debarment for contract breaches generally requires a “willful failure” or a “history of failure,” meaning the government must show serious, deliberate noncompliance. The revised FAR drops that threshold entirely for the new clause, which could lower the bar and make good-faith missteps a potential basis for exclusion from federal contracting.

The risk is reinforced by the multi-agency anti-DEI enforcement efforts contractors are facing from the Trump Administration.

The DOJ launched a civil rights fraud initiative in May 2025 and has since issued civil investigative demands to multiple contractors. In April 2026, the DOJ secured a $17 million settlement with a contractor over DEI-related FCA violations. This was the first resolution premised on “illegal DEI.” The conduct at issue, which dated to 2019, included tying compensation to demographic targets, using race in employment decisions and restricting access to leadership programs based on demographics. The lookback should concern every contractor: The government is not limiting its scrutiny to current practices.

Meanwhile, the EEOC under Chair Andrea Lucas has filed suit against Coca-Cola Beverages Northeast and is pursuing subpoena enforcement in ongoing investigations of employer DEI programs.

Steps to take now

Contractors should seriously think about implementing these steps.

• Audit DEI programs. Conduct a privileged review of DEI programs, policies and practices in which race or ethnicity play any role. This includes reviewing recruiting, hiring, mentoring, employee resource groups, supplier diversity, corporate investments and resource allocation. Extend the review to practices not labeled “DEI,” such as performance metrics tied to demographic targets. Many contractors have already audited their DEI programs in light of the growing scrutiny, but those audits should be revisited to ensure they include the broad scope of programs, activities and resources covered by the definition of “racially discriminatory DEI activities.” It is critical to ensure that individuals signing compliance certifications for FAR 52.222-90 have verified the contractor’s compliance. A well-documented audit mitigates risk by supporting the position that certifications were made in good faith.
• Prepare for contract modifications. Set up a cross-functional team to manage incoming modification requests. Verify that each modification matches the deviation language exactly. Watch for agencies attempting informal certifications outside the formal modification process, as some did under EO 14173.
• Execute subcontractor flow-downs. Inventory affected subcontracts, determine which lower-tier entities qualify as subcontractors (not all vendors will) and issue flow-down modifications. Update templates with audit rights and indemnification language where possible.
• Build subcontractor monitoring. The “known or reasonably knowable” reporting standard is undefined, so consider building a documentation trail that demonstrates due diligence in case the government comes knocking. Consider requiring robust subcontractor certifications, questionnaires on DEI practices and enhanced complaint-reporting mechanisms, as well as training personnel who interact with subcontractors. 
• Get records ready. Even before PRA clearance, agencies can demand existing records in connection with investigations. Contractors should consider identifying and centralizing the records needed to demonstrate compliance and implementing a litigation-tracking protocol for any subcontractor challenges to FAR 52.222-90.
• Assess federal and state conflicts. Contractors that hold both federal and state contracts with competing diversity requirements should consider mapping those obligations and evaluating them closely with experienced counsel to determine whether their procurement and subcontracting processes are structured to reduce overlap risk.
• Monitor challenges to EO 14398, but do not wait for compliance. Suits have already been filed against EO 14398. This includes claims by a coalition of educational and minority contractor associations in Maryland challenging EO 14398 on multiple grounds. This litigation is worth monitoring, particularly given the mixed results courts have reached on challenges to EO 14173. But contractors should not defer compliance based on the possibility of injunctive relief. Unless a court issues an order, the FAR Council’s implementation timeline for FAR 52.222-90 remains in effect.

The post New DEI Rule Puts Federal Contractors on the Compliance Clock appeared first on Corporate Compliance Insights.

New products & platforms

Bitdefender, a cybersecurity company, launched RealCheck, a solution that detects deepfake video content and assesses its intent that works by putting in a link to a video or uploading the video.

Darktrace, an AI-native cybersecurity platform, announced that it is joining OpenAI’s Daybreak initiative through the Trusted Access for Cyber program.

EQS, a compliance software maker, announced Q, an embedded AI tool in its platform to provide speak-up report triage, investigation support, third-party risk assessment and policy guidance as well as other assistance. The company also indicated agentic capabilities for Q later in the year.

Oversight, provider of finance risk intelligence, released Oversight Actions, extending its risk-monitoring Action Layer, enabling human and fully autonomous issue resolution for more efficient finance operations.

ioNova AI, an AI-native platform that converts unstructured payment address data into ISO 20022 formats, unveiled ioNova ARS, an address resolution service to help banks, corporations and payment providers improve compliance, reduce payment friction and support SWIFT CBPR+, HVPS and SEPA readiness.

LegitScript, a risk and compliance solutions provider, launched Compliance Collective, a partnership program designed to help LegitScript-certified healthcare businesses address compliance challenges beyond certification requirements.

Abstract, an AI company for government and legal data, released Abstract Workers, a service that builds AI agents for legal, government affairs, compliance and policy teams to automate workflows and deliver completed work inside tools.

Other news

Traliant, a HR compliance training and solutions provider, announced David Ashman, who has 20 years experience leading product and engineering organizations, as chief product and technology officer.

Casepoint, a provider of AI-powered legal, investigative, compliance and data discovery solutions for government agencies and enterprises, announced it was awarded an exclusive blanket purchase agreement by the Department of War to provide eDiscovery software as a service, support services and training for the DoW’s Office of General Counsel, Defense Information Systems Agency OGC and Defense Legal Services Agency (DLSA), including 28 separate DLSA OGC offices supporting multiple offices and missions.

Eventus, provider of trade surveillance and financial risk solutions, won best trade surveillance solution at the 2026 TradingTech Insight Awards USA and was presented the award at a ceremony during the TradingTech Summit in New York.

International SOS, a security and health services company, launched a series of psychological support sessions designed to support employee mental health and well-being during crisis and uncertainty.

Synack, a penetration testing platform, announced an expanded partnership with Wolfpack Information Risk, a cybersecurity firm, to bring its Sara AI pentesting to organizations across South Africa.

Typeform, an AI engagement platform, announced it achieved ISO/IEC 42001 certification, the international standard for AI management systems.

The post GRC News Roundup: Bitdefender, Traliant, Darktrace, Casepoint & More appeared first on Corporate Compliance Insights.

Life sciences CCOs report highest compensation in survey

Compensation for chief compliance officers at organizations of all types continues to rise, according to a survey by executive recruiting firm BarkerGilmore, though CCOs in certain industries are likely to be much more well-compensated.

Among CCOs in life sciences, the median annual compensation was $785,000, while those in the consumer sector had a median compensation amount of $750,000, according to the survey of more than 250 CCOs. Nonprofit CCOs posted the lowest median compensation, $250,000. Similar patterns showed up in salary increase over 2025: the median salary rose by 5% in life sciences but just 2% in nonprofits.

Company revenue is also a driving factor, the report found. At the 90th percentile in total compensation, for firms both public and private with revenues over $5 billion, total compensation for CCOs, including base salary, long-term incentives and bonuses, exceeded $1.2 million annually, with those at private firms earning slightly more. Among companies with revenues of less than $500 million, the 90th percentile total compensation for CCOs at public companies was $650,000 and $710,000 at private ones.

Other key findings:

• Nearly two-thirds (62%) of CCOs in the survey said they were unlikely to change employers.
• Among those who are considering a job change, 19% said better compensation was the most motivating factor, followed by desire for new challenges or opportunities (16%) and stronger leadership alignment (13%).
• Women were better compensated than men, with the average woman (women accounted for 38% of the survey population) reporting total compensation of $530,000 and the average man reporting total compensation of $495,000.

Claude, ChatGPT score well on set of legal tasks

A recent study by Percipent, a legal services provider, tested how well popular public AI models, such as ChatGPT, Claude and Gemini, performed a variety of legal tasks, finding that several models performed well at certain tasks but struggled when it came to more complicated ones.

For an insurance coverage task, Percipent asked AI to analyze a duty-to-defend scenario under Illinois law and produce a coverage memo with specific citations. In employment law, Percipent asked AI to analyze a former employee’s potential discrimination claims and recommend a motion-stage posture and a settlement strategy.

The AI outputs were graded on a 100-point scale by practice-specific attorneys with an average of more than 25 years of experience. AI models used in the study were versions of Claude by Anthropic, versions of ChatGPT by OpenAI, Gemini by Google, Grok by xAI, versions of Kimi by Moonshot AI and DeepSeek AI. 

Claude models scored the highest among the four tasks — insurance coverage, employment law, litigation document review and contract review and redline — though the survey’s authors cautioned against interpreting their results as having declared a winner. Claude tied with a ChatGPT model on employment law but was behind Claude models on the others.

“The point of the work is methodological,” the study said, “to show what a defensible legal AI evaluation looks like, to provide a repeatable framework for measuring real legal performance and to give legal teams a basis for asking sharper questions when they evaluate a tool.” 

Routine work revealed near-parity across most of the models, with nine of the 10 variants clustered within eight points of each other on document review, but complex reasoning revealed substantial performance differences. On the insurance coverage analysis task, for example, models were separated by as much as 37 points. 

Chad Main, attorney and founder of Percipient, told CCI that the extent to which teams will adopt AI for certain legal tasks depends in part on the risk posture of the organization in question.

“You can look at the stuff (AI models) did really well and go, ‘Look, if perfect is not required of this particular piece of legal work, hey, here we go, it’s a good example,’” Main said. “But then you go back to the coverage and employment, where it scored lower. The people that are risk-averse, especially coverage, you can say, ‘Hey, look, we’ve got to analyze policies, you’ve got to analyze facts, you’ve got to analyze human behavior,’ and no AI can do that all to the point of a human at this point.”

Other key findings:

• Reasoning-focused models consistently led analytical tasks. Across insurance coverage, employment law and contract review benchmarks, extended-thinking and reasoning-mode models outperformed their standard counterparts.
• Thinking longer matters when legal analysis is difficult. While reasoning models showed only modest gains on document review, they delivered significantly stronger performance on tasks requiring multi-step legal analysis and application of authority.
• Noise resistance is a critical differentiator. Models varied substantially in their ability to ignore irrelevant facts, avoid hallucinated authority, and focus on legally responsive issues, capabilities that directly impact reliability in real-world legal workflows.

A third of corporate clients considering breaking up with firms over AI

A massive gap splits corporate clients’ AI wants and what they’re getting from firms they work with, a new survey from Thomson Reuters reports.

More than three-fourths (78%) of respondents said receiving AI-enabled quality improvements from the firms they work with is very important or essential. However, only 6% said most or all of their providers deliver these improvements in AI. 

That leaves 31% reconsidering relationships in the next 12 months with firms that aren’t delivering on AI with a third of them estimating that more than $1 million in annual work is at risk.

The findings were based on a survey of 1,816 professionals across law, tax, audit, accounting, compliance, risk and global trade. Respondents span private practice firms as well as in-house corporate and government departments across 62 countries.

Just having a named AI strategy makes the technology work better for organizations, according to the survey. In firms and departments with a named strategy, 66% of professionals say AI is meeting or exceeding expectations for creating value at work. Where there is no active strategy, that figure drops to 22%, the survey said.

For organizations adverse to AI or slow to adopt the technology, professional consequences can be severe, the report warns.

More than a third (34%) of professionals use shadow AI, or tools their organization hasn’t sanctioned, in ways it can’t see, “a sign that adoption is outpacing governance, and a quiet liability for the organizations where it’s happening,” the report’s authors said.

60% of healthcare leaders checking off inadequate compliance

Healthcare leaders are checking off on compliance despite internal audit findings, according to a survey by Omega Systems, which found 60% of healthcare leaders have self-attested to HIPAA compliance while knowing their own audits flagged unresolved vulnerabilities and only 33% never attest until all risks are remediated.

Omega Systems surveyed 200 healthcare executives, IT leaders and practice administrators in the US.

With an upcoming change to the HIPAA security rule looming, nearly one in three (28%) respondents say they can’t meet the update’s requirement for written 72-hour data recovery procedures.

The survey also asked directly about cybersecurity and third-party vendors and found 85% of healthcare practices experienced at least one operational disruption caused by a third party. 

The post CCO Compensation on the Rise appeared first on Corporate Compliance Insights.

Florida is cracking down on unauthorized workers, and businesses are being pulled in. Hector A. Chichoni and Ellen Gilmore of Greenspoon Marder explain the Sunshine State’s new employee verification requirements and just how bad it can get if a company finds itself on the wrong side of an audit.

As immigration policy and workplace enforcement continue to tighten across the US, Florida has positioned itself at the forefront of aggressive state-level enforcement.

Under Florida law, private employers with 25 or more employees and all public agencies are legally required to utilize the federal E-Verify system to confirm the employment eligibility of all new hires.

Crucially, this mandate is intricately tied to corporate tax obligations. The Florida Department of Revenue (FDOR) plays a central, administrative role in tracking this compliance through the state’s reemployment tax framework. While other agencies handle penal enforcement, FDOR serves as the primary gateway for identifying noncompliant businesses. Understanding the interplay between E-Verify usage, annual tax certifications and state revenue department audits is essential for any business operating in Florida.

Legal requirements

The Florida E-Verify law places strict operational timelines and record-keeping burdens on covered entities.

• The 25-employee threshold: Private businesses must begin using E-Verify the moment they hire a worker to bring their total headcount in Florida to 25 or more. While recent legislative efforts attempted to expand this mandate to all private employers regardless of size, those bills failed to pass, leaving the 25-employee threshold firmly intact.
• The three-day rule: Employers must verify a new hire’s employment eligibility within three business days of the employee’s first day of work for pay.
• System downtime exceptions: If the federal E-Verify system is down or inaccessible, employers are required by law to document the outage by taking daily screenshots illustrating the lack of access. During this time, they must utilize the standard federal Form I-9 protocol.
• Document retention: Employers must retain copies of all documents relied upon during the E-Verify and Form I-9 processes along with the official verifications generated by the system for a minimum of 3 years.

The Florida Department of Revenue does not directly enforce workplace immigration status, but it serves as the data-collection and compliance gatekeeper. 

Under the statute, every covered employer must certify its compliance with the E-Verify law annually on its first Florida reemployment tax return of the calendar year. For the vast majority of employers, this means the certification must be filed alongside their Q1 return, making the typical deadline April 30.

The rules for tax certification require an authorized signatory, and the certification cannot be delegated to third-party payroll providers or common tax agents. It must be completed and signed by an individual owner, a corporate officer, partner or a managing member.

Employee leasing companies hold the default responsibility for certifying the eligibility of a client company’s new hires. However, this responsibility can be legally transferred to the client company via a formal agreement.

HR Compliance

Latin American Employers Cannot Treat US Immigration as a Transactional Exercise Anymore

by Janine Guzmán and Xana Connelly

February 17, 2026

Strong recordkeeping requires complete petition files, wage evidence and change-management documentation when roles, duties or locations evolve

Read moreDetails

The reemployment tax audit process

Because E-Verify compliance is hard-coded into Florida’s tax infrastructure, it is a key focus during routine Florida reemployment tax audits. When an FDOR auditor reviews an employer’s books to evaluate wage reporting and tax accuracy, they cross-reference the annual E-Verify certifications against actual hiring dates, quarterly payroll spikes and Form I-9 documentation.

What to expect during an audit

• The auditor’s request: The FDOR will issue a formal request for all work records, payroll logs and I-9/E-Verify documentation for the audit period.
• Consequences of non-production: Failing to produce the requested compliance records triggers harsh tax penalties. Non-production results in the immediate loss of the business’s “earned tax rate” and forces the assignment of the standard 5.4% tax rate until the quarter after the records are successfully produced.
• Audit adjustments: If discrepancies are found regarding employee classifications or missing verification records, FDOR will issue a notice of intent to make audit changes (Form RT-FL11F). Employers have 30 days to protest or request a local conference before a final notice of proposed assessment is rendered. If the issues cannot be resolved at that level, a notice of proposed assessment is issued. An employer must then file a formal written protest within 60 days to prevent the tax assessment from becoming a final judgment
• Discrepancy extensions: If a reemployment tax audit uncovers systematic issues, the state can extend the audit on a year-to-year basis for up to five years, which is greater than the normal three-year lookback period for FDOR audits.

Multi-agency enforcement and severe penalties

While the FDOR flags noncompliance through its tax return system, it reports violations to enforcement bodies such as the Florida Department of Commerce (formerly the DEO) and the Florida Department of Law Enforcement, which are empowered to conduct targeted and random audits.

The civil and financial exposure for failing to maintain compliance can quickly devastate a business:

• First offense: The Florida Department of Commerce issues a formal notice. The business is granted a 30-day grace period to cure the noncompliance.
• Three violations in a 24-month period: A mandatory civil fine of $1,000 per day begins accruing and will continue until sufficient proof of compliance is provided.
• Egregious or uncured violations: Constitutes legal grounds for the immediate suspension or total revocation of all state-issued business licenses.

Furthermore, the law carries criminal undertones for workers: It is a third-degree felony in Florida for an unauthorized individual to knowingly use false identification documents to bypass these verification checks.

Compliance checklist for Florida employers

To mitigate the risk of an unfavorable FDOR audit or state enforcement action, businesses should establish a rigid compliance protocol:

• Conduct regular internal I-9 audits: Periodically review Form I-9s and corresponding E-Verify receipts to ensure no new hire from July 1, 2023, onward was omitted.
• Sync HR and payroll timelines: Ensure that HR completes the E-Verify step within the required three-day window to prevent discrepancies in the quarterly reemployment tax logs.
• Isolate outage records: Create a dedicated digital folder for E-Verify system downtime screenshots so that “unverified” employees during those specific windows can be legally accounted for.
• Take ownership of tax filing: Ensure a principal officer is prepared to personally sign off on the E-Verify certification statement when filing the first reemployment tax return of the year, rather than assuming a third-party accountant will handle it.

The post Navigating Florida’s E-Verify Mandate: Compliance, Tax Certification & Audit Realities appeared first on Corporate Compliance Insights.

Ignoring prediction markets and employee temptations to bet on them isn’t going to make these new platforms go away. CCI editorial director Jennifer L. Gaskin explores what actions organizations should be considering to make sure they aren’t overlooking their risk for insider trading or reputation damage.

A growing number of state governments and the US Senate in recent months have issued blanket bans on employees using prediction markets. In other organizations, such as OpenAI and United Airlines, policies are more permissive, barring staff members from trading on prediction markets in cases where their insider knowledge would create an unfair advantage. But for most companies, the task of crafting a prediction market policy — and, even trickier, enforcing it — is just beginning, compliance and legal experts told CCI. 

Multiple people are facing criminal charges alleging they used insider information related to their jobs to make a buck — or in one case, 1.2 million bucks — playing on prediction markets, the increasingly popular peer-to-peer platforms where users can purchase yes/no contracts based on the outcome of real-world events, including sports, politics, even international warfare.

With the appetite for prediction markets exploding and with enforcement agencies signaling the likelihood of further actions, not doing anything about platforms like Kalshi and Polymarket may not be an option, Steve Silver, a shareholder in Littler’s Portland (Maine) office, told CCI.

For most companies, that means looking at device policies, handbooks, codes of conduct, insider trading policies, employment contracts, nondisclosure agreements and conflict-of-interest policies. But hoping the issue goes away is the worst possible move right now, Silver said.

“Until the federal government acts or the Supreme Court directs the states to act, you’ve got to do the best you can, which is, at its core, deciding a policy,” Silver told CCI. “And that doesn’t mean we need to have a written policy tomorrow. Ignoring it is probably the only way to be completely wrong right now.”

Enforcement actions so far

Prediction markets are formally regulated by the Commodity Futures Trading Commission (CFTC), which classifies the contracts as swaps. More than a dozen states have challenged the CFTC’s authority in the area, and Minnesota recently passed a total ban on the markets.

A pair of cases this year illustrate that enforcers, including the DOJ and US attorney’s offices, are focusing their attention on individuals so far.

In April, the DOJ charged a US Army soldier in connection with a trade worth more than $400,000 just hours before it was revealed that a surprise US raid had captured Venezuelan President Nicolas Maduro, and in May the US attorney for the Southern District of New York announced charges against a Google engineer accused of using his knowledge of search term volume to win contracts totaling more than $1.2 million. If convicted, they each face the potential of multi-year prison sentences.

CFTC Director David I. Miller has indicated more enforcer attention of prediction market activity is likely, saying in March remarks at an NYU Law School event, “Insider trading in the prediction markets — where there is misappropriated information — is precisely the kind of serious violation that we are going after vigorously. We will aggressively detect, investigate and, where appropriate, prosecute insider trading in the prediction markets.”

If only because regulators and enforcers are watching, companies across industries should be paying attention, said Carolyn Pokorny, co-chair of Akerman’s white-collar crime and government investigations practice and a former acting US attorney for the Eastern District of New York.

“There is an enforcement push right now going on in this space, and that should create a sense of urgency in companies.” Pokorny said. “You know, there’s a lot of money involved. The trading on these platforms is absolutely huge. To the extent it gets further and further legitimized, you can expect to see further people trading on these markets.”

In both criminal cases, individuals, not their employers, are the ones facing charges. But while the legal risk doesn’t (yet) extend to the organizations, the reputation risk certainly does, experts agreed.

“Why should Google care that it happened?” Pokorny asked. “I would say the risk is reputational. And it’s an embarrassment for them. I would think for any company, that would be first and foremost.”

Featured

Prediction Market Risk Is Hiding in Your Organization Whether You Know It or Not

by Jennifer L. Gaskin

April 15, 2026

Read moreDetails

Featured

‘If It Quacks Like a Duck’: Prediction Markets, Sports Betting & Insider Trading

by Jennifer L. Gaskin

January 14, 2026

Read moreDetails

Early best practices

Public attention on prediction market risks spiked after the Maduro-related trade in January, and global trading volume on Polymarket rose by more than 35% between January and April 2026, according to Pew data. That suggests the likelihood of employees taking part in prediction market activity is on the rise. Silver and Pokorny pointed to similar starting places for corporate integrity professionals: analyzing current policies. 

Silver, an employment law specialist, suggested reviewing confidentiality agreements, handbooks and device policies, while Pokorny also flagged NDAs but called attention to insider trading policies, personal trading rules and policies on conflicts of interest and gambling.

Pokorny noted that even for companies that have insider trading policies that could apply here, it’s worth taking a closer look since those policies almost certainly predate prediction markets.

“I think a lot of the policies are written around securities and don’t mention these kinds of trades. They were written at a time when prediction markets [weren’t] even contemplated,” Pokorny said. In other words, policy modernization may be the best option for some companies.

Others, Silver suggested, could consider brand-new rules written uniquely for prediction markets, as well as potentially expanding the aperture of existing policies.

“What are your existing policies or your agreements and who do they cover?” Silver said. “Because a lot of times those agreements, you’re giving that to high-level executives, maybe some engineers. Maybe that needs to be broader. Maybe you do need, in addition to the handbook, maybe it’s a standalone policy.”

Notably, both of the men charged this year in connection with prediction markets trades are also accused of violating a variety of agreements to safeguard confidential information. As an exchange-listed company, Google’s parent, Alphabet, has an insider trading policy, though its public-facing code of conduct, which references its insider trading policy, has not been updated since 2024. Meanwhile, a draft defense authorization bill released in June includes an explicit prohibition on service members and other Defense Department employees from using nonpublic information on prediction markets.

Insider trading policies tend to reference material nonpublic information (MNPI), which carries a specific legal meaning: information significant enough to affect a company’s stock price that is not available to the public. But prediction markets are much broader, and information that can be abused in the context of prediction markets might not meet the definition of MNPI for securities law purposes. For example, a contract on whether certain words or phrases would appear in an upcoming episode of “Love Island USA” had just under $1,000 in trading volume on prediction market Kalshi as of this writing in June 2026. Since the show is not live, any number of individuals would already know the answer to those yes/no questions, but their knowledge would have no effect on the stock price of Comcast, the parent company of NBCUniversal/Peacock.

So simply expanding insider trading policies isn’t a cure-all, particularly considering not every company with prediction market risk even has an insider trading policy. Making sure employees know they can’t misuse what they learn on the job to make a quick buck is the point, Silver said.

“Probably the number one common factor is we want to make clear that you should not be trading based on our information,” Silver said. “And that is whether it’s considered a trade secret or it’s just nonpublic information — information that you only know because of your job. We don’t want you trading on that, and that’s really as close to ‘best’ as you can do at this point.”

Compliance executive Mary Shirley suggested that if a new policy is required, companies should consider banning employees from any trades involving the company. Short of that, Shirley suggested that communication with employees about what is permitted — new policy or not — is critical. That could be a tweak to the code of conduct, a topical email blast tied to a news event or working a prediction market scenario into annual training.

Congratulations, you have a policy: Now what?

Of course, writing a policy is just the first step, and depending on the company’s existing culture, it might be the easiest. Next comes training, enforcement and monitoring, the last of which is perhaps the biggest challenge of all, experts told CCI. 

Kalshi, the Polymarket rival, has begun collecting information about traders’ employers, and it does not permit anonymous trading, as Polymarket does. Those two factors mean that certain companies may be able to monitor what their employees are doing on Kalshi.

Some financial services firms, for example, have begun using an integration between Kalshi and StarCompliance, a regtech platform in the financial sector, allowing companies to monitor employees’ Kalshi trades.

Kelvin Dickenson, chief product officer at StarCompliance, was upfront about that scope. All of StarCompliance’s clients are financial services firms, he told CCI — “that’s really the lens” the tool was built through, meaning it doesn’t address monitoring outside of the regulated finance sector. But through that lens, too, there are limitations; one is that companies must rely on their employees to disclose that they have a Kalshi account. 

And currently, monitoring is all they can do, though that could change. Future updates may include pre-clearance, or requiring approval before a trade, standard practice for securities at many financial firms, Dickenson said, but prediction markets may move too fast for pre-clearance to be useful.

“[Companies] don’t want to create a very frictionful experience for their employees, because people who are active in prediction markets today work at a very quick speed,” Dickenson said. “They’re going to see a stake, they’re going to say, ‘Hey, I like those odds,’ and they’re going to go for it. What they don’t want to do is spend time putting in a pre-clearance, getting the decision back and then by the time that’s happened, the odds have changed and they’re no longer interested in it, or the market’s just not available anymore.”

That doesn’t mean that companies not monitoring what employees are doing on the platforms are taking no actions at all, Shirley said, pointing out that there are plenty of risk areas around which companies aren’t monitoring. Organizations should, for example, use the tools they already have to see how well trainings are landing.

“For review and monitoring, I’d use my compliance week as a pulse check on colleagues — a quiz-type question around prediction markets to see if there’s knowledge happening there, to check if the communications and training are being absorbed and applied,” Shirley said.

Regardless of whether they are doing formal monitoring or even writing a new policy, talking openly about the issue gives employees a place to go for questions, Shirley and Silver agreed.

“I still believe the vast majority of employees are trying to do the right thing,” Silver said. “And they may have legitimate questions, like, is this OK? And so providing them a resource is a good idea.”

The post Congratulations, You Have a Prediction Market Policy; Now What? appeared first on Corporate Compliance Insights.