Companies that discover potential misconduct can now point to a single DOJ-wide framework governing self-disclosure. Stinson attorneys Bernadette Sargeant, Reginald Harris and Alexandra Stanley explain how the new policy works and why the time to build voluntary disclosure infrastructure is before it’s needed.

In March, the DOJ issued a first-of-its-kind corporate enforcement and voluntary self-disclosure policy (CEP) governing how federal prosecutors evaluate corporate self-disclosure, cooperation and remediation. The CEP, which applies to all corporate matters except criminal antitrust proceedings, replaces the patchwork of policies that existed across DOJ components and US attorneys’ offices with a standardized set of rules.

Nine days later, the DOJ announced the first resolution under the CEP when it declined to prosecute French medical device company Balt SAS in connection with alleged violations of the FCPA, although two individuals were indicted for their roles in the alleged bribery scheme. According to the DOJ, Balt identified the misconduct during its own internal investigation and chose to self-report before the investigation was complete.

Taken together, the CEP and Balt declination may change how companies approach internal investigations. To take full advantage of the CEP in the event wrongdoing is discovered, companies need investigation protocols that account for the possibility of self-reporting from the outset, teams trained to recognize the kinds of findings that should accelerate a disclosure decision and counsel engaged early enough to preserve both privilege and strategic flexibility.

CEP framework

Federal prosecutors have long credited voluntary disclosure and cooperation (see U.S.S.C. §§ 8B2.1, 8C2.5(g)), but standards varied across offices. The CEP replaces that patchwork with a three-tier framework.

Under Part I, the DOJ will decline to prosecute a company that voluntarily self-discloses, fully cooperates and timely remediates as long as there are no aggravating circumstances. The company must still pay disgorgement and restitution.

Under Part II, companies that self-reported in good faith but fell short of the full voluntary self-disclosure standard — or that face aggravating circumstances — may receive a nonprosecution agreement (NPA) of fewer than three years, no compliance monitor and a 50%-75% fine reduction.

Under Part III, prosecutors retain discretion over the resolution, with penalty reductions capped at 50%.

The CEP also intersects with the DOJ’s corporate whistleblower awards pilot program: If a whistleblower reports misconduct both internally and to the DOJ, the company can still qualify for a declination but only if it self-reports within 120 days of the internal report. Companies that delay risk losing their window for the most favorable treatment.

Compliance

One CEP to Rule Them All?

by Jennifer L. Gaskin

March 18, 2026

Read moreDetails

Internal investigations

The Balt SAS resolution illustrates how the CEP works in practice. Balt self-disclosed while its internal investigation was still ongoing, consistent with the CEP’s call to self-disclose “at the earliest possible time, even when a company has not yet completed an internal investigation.” It then cooperated fully, providing all known relevant facts and identifying the individuals involved, and took timely remedial action, including disciplinary measures, termination of the business relationships at issue and improvements to its compliance program. The DOJ found no aggravating circumstances.

The DOJ simultaneously indicted two individuals associated with Balt, reinforcing that leniency for the company does not shield culpable individuals. As Assistant Attorney General A. Tysen Duva put it, the resolution “demonstrates the value of voluntarily self-reporting wrongdoing to the Department of Justice.”

Balt is proof that the CEP rewards speed and cooperation. But for companies to act quickly, the infrastructure must already be in place. Companies need to have compliance plans and procedures in place to respond to concerns, whether raised through hotline complaints, internal reporting, audits or other channels.

When a potential issue surfaces, a prudent company will need to conduct its own investigation with the support of counsel, whether internal or external. The CEP frames this as optional — “if the company chooses to conduct one” — but as a practical matter, an investigation is how a company determines whether and when to self-report, gathers the facts to satisfy the CEP’s cooperation requirements and positions counsel to advocate on its behalf.

Investigations should be structured from the outset to support what the CEP defines as full cooperation. That means proactively disclosing relevant facts, attributing those facts to specific sources rather than offering a general narrative, identifying responsible individuals, providing rolling disclosures as the investigation progresses, preserving documents — including those located overseas — and making employees available for interviews. The CEP’s cooperation standard demands more than passive responsiveness; it rewards companies that get ahead of the government’s questions.

Remediation should not wait for the investigation to conclude, either. Companies should begin remedial measures as the investigation progresses, including but not limited to root-cause analysis, compliance program enhancements and disciplinary action against responsible employees. This demonstration of good faith positions the company for the strongest possible outcome under the CEP.

Self-reporting

Every investigation is different, and the decision to self-report requires careful judgment. But certain findings during an investigation should weigh heavily in favor of disclosure. The most obvious is credible evidence of criminal conduct, particularly bribery, fraud or corruption, that could implicate federal statutes.

The risk of being beaten to the DOJ’s door also matters. With the corporate whistleblower awards pilot program in effect, employees and other insiders have financial incentives to report misconduct directly to the department. Once a whistleblower has already reported internally, the company has at most 120 days to self-report and preserve its eligibility for a declination. Delay can be costly.

When the investigation identifies specific individuals who engaged in wrongdoing, self-reporting positions the company to demonstrate that it is not shielding bad actors, a consideration that clearly mattered in the Balt SAS resolution. Similarly, if there is a realistic possibility that the conduct will surface independently through regulatory audits, media reporting, civil litigation or other means, the CEP’s requirement that disclosure occur before “an imminent threat of disclosure or government investigation” makes early action essential.

Finally, the CEP’s broader Part II reduction range — 505–75% off the low end of the sentencing guidelines fine range — may signal that the DOJ intends to give credit in more situations than prior policies allowed, making self-reporting valuable even in less clear-cut cases. And because the CEP does not displace prosecutors’ traditional discretion under the “Principles of Federal Prosecution of Business Organizations,” internal investigations conducted by counsel also position the company to advocate through those avenues.

Conclusion

The Balt SAS resolution demonstrates what companies stand to gain by investing in compliance infrastructure and treating internal investigations as a strategic function rather than a reactive one. Under the CEP, the incentives for voluntary disclosure are more clearly defined and more consistently applied than ever before. The time to build that capability is now.

The post Navigating Self-Reporting Under the DOJ’s New Corporate Enforcement Policy appeared first on Corporate Compliance Insights.

The DOJ’s new corporate enforcement policy has a headline promise — leniency for companies that self-disclose, cooperate and remediate — but CoreStream GRC’s Paul Cadwallader argues the more important signal is about timing. The policy, read alongside the Balt SAS resolution, suggests companies will increasingly be judged not just on whether they remediate but on how early they can surface problems and act before the facts are fully assembled.

In March, the US Department of Justice announced its first-ever department-wide corporate enforcement policy for criminal cases. The policy is meant to create more consistency across the department and to incentivize companies to voluntarily self-disclose misconduct, cooperate and timely remediate.

The most important thing about this policy is not the headline promise of leniency. It is what the policy reveals about timing. Together with the Balt SAS resolution announced days later, the DOJ is signaling that companies will be judged not only on whether they remediate but on how early they can surface problems, investigate them and act before the case is fully formed.

The DOJ is making something much clearer than many companies have been willing to admit: Remediation is no longer judged only at the closing dates, after outside counsel is engaged, the facts are neatly assembled and the organization is preparing for settlement. Under this policy, remediation is increasingly being judged earlier, by whether a company can detect misconduct, escalate it, investigate it and act while the facts are still developing. The policy explicitly says the DOJ encourages voluntary self-disclosure at the earliest possible time, even when a company has not yet completed an internal investigation, and it says disclosure must happen within a reasonably prompt time after the company becomes aware of the misconduct.

The most useful detail in the DOJ’s March 19 announcement of the Balt resolution was not simply that the company self-disclosed; it was when. The misconduct was identified during an internal investigation that was ongoing at the time of disclosure, the department said. In other words, the company did not wait for every fact to be fully mapped before deciding to come forward. 

Historically, executive teams often waited until they had a fuller picture before deciding whether to escalate, disclose or intervene. This policy puts more weight on a different mindset: identifying a credible risk signal earlier, acting on it and being willing to make serious decisions before perfect information exists.

That should force an uncomfortable question inside a lot of organizations. Not, “Would we self-disclose if we found something serious?” but “Could we identify something serious early enough to still have that choice?”

It should also be stated here: This isn’t just the DOJ talking. The SEC’s FY2025 whistleblower report says the commission received an estimated 27,000 whistleblower tips in FY2025, though about 12,000 of those were attributable to two individuals. More importantly, the SEC says award percentages may be increased when claimants participate in internal compliance or reporting systems, and it reduced eight awards in FY2025 for unreasonable reporting delay.

Featured

Internal Investigations: Getting It Right From the Outset

by David Hamilton

September 11, 2024

Read moreDetails

DOJ’s compliance-program guidance now looks even more operational

This is where the DOJ’s “Evaluation of Corporate Compliance Programs” should become more than reference material for lawyers. It becomes a blueprint for what remediation readiness looks like before a matter blows up.

The DOJ tells prosecutors to assess whether the company has appropriate processes for the submission of complaints and for protecting whistleblowers. It also directs prosecutors to examine whether complaints are routed to proper personnel, whether investigations are completed in a timely and thorough way and whether appropriate follow-up and discipline occur. The guidance goes further, asking whether the company applies timing metrics to ensure responsiveness and whether it tests the effectiveness of hotline or reporting mechanisms by tracking a report from start to finish.

That last point is especially revealing. The DOJ is not interested in whether a hotline merely exists. It is interested in whether the mechanism actually works, whether it produces timely action and whether the company can show that reports become decisions, investigations, accountability and program change.

That has several implications.

Speed of escalation now matters more

A reporting channel is not effective simply because it receives complaints. It has to get the right issue to the right people at the right speed. If a serious allegation sits in fragmented inboxes, bounces between HR, legal, audit and compliance, or waits for a committee cycle before triage, the company may lose the timing advantage the DOJ policy is effectively rewarding.

Misconduct rarely appears through a single channel

Most serious issues do not arrive in one clean, labeled stream. Early warning signs can emerge through hotline reports, internal audit findings, HR grievances, control testing, third-party due diligence, transaction monitoring, policy attestations, manager concerns, compliance reviews or patterns in operational data. That matters because the DOJ’s own compliance guidance asks what information a company collects to detect misconduct, whether it has access to the data needed to identify potential wrongdoing or program weaknesses, and whether it can show that issues are being identified at the earliest possible stage. It also emphasizes continuous improvement, periodic testing, monitoring and auditing.

Ownership of investigations is no small detail

The guidance also asks who determines which complaints or red flags merit further investigation, who makes that determination and who conducts the investigation. Those are not technical process questions. They go to whether the company can move from signal to action without confusion over ownership. Many organizations have written protocols. Far fewer have genuinely clear decision rights. When a serious issue emerges, uncertainty over who owns intake, who can elevate it, who decides materiality and who can authorize next steps quickly becomes more than an administrative weakness. In an enforcement environment that places real value on early disclosure and prompt remedial action, it can shape the outcome.

Remediation is broader than closing the case

The DOJ also asks whether investigations are used to identify root causes, system vulnerabilities and accountability failures, including among supervisory managers and senior executives. That is a much broader conception of remediation than disciplining one wrongdoer and closing the file. Balt is instructive here, too. The DOJ did not simply note cooperation; it pointed to internal control improvements, training and changes to business relationships. That is what credible remediation looks like in practice: not just ending the incident but changing the conditions that allowed it.

Incentives are part of the enforcement picture

The DOJ asks how companies incentivize compliance and ethical behavior, what percentage of executive compensation is structured to encourage enduring ethical business objectives and whether bonuses or deferred compensation can be canceled or recouped. That is a serious challenge to programs that still treat ethics as messaging while leaving the real reward system untouched. If pay, promotion and management pressure all tilt toward performance at any cost, delay is often being built into the system long before the first report is filed.

The post Need for Speed: What DOJ’s New Approach to the CEP Means for Internal Investigations appeared first on Corporate Compliance Insights.

Regulators won’t simply look at your AI outputs when scrutinizing your organization’s compliance, Jonny Frank, Nathan Gibson, Michael Costa and Kashif Sheikh of StoneTurn write. Your decision-making is being evaluated, and relying on the defense that AI told you to make a certain decision is a recipe for disaster.  

AI is changing the speed and scale of compliance work, identifying anomalies in real time and surfacing risks that would have taken weeks to find manually.

But speed without structure creates different risks. Regulators are not evaluating your algorithms. They are evaluating your decisions — how you reached them, whether they are supported, and whether they hold up under scrutiny. Using AI isn’t the risk. In fact, neglecting the use case for AI can create a different risk entirely. Where organizations can find themselves in the hot seat is treating AI output as the defense behind every conclusion it helps produce.

The defensibility gap

Recent allegations involving a provider of AI-automated auditing and compliance reviews underscore a growing problem: the defensibility gap. Whistleblowers allege the firm bypassed authentic reviews and used “certification mills” to rubber-stamp compliance reports.

Whether those specific allegations are proved, the lesson is clear: If you cannot explain and defend the result, the process does not matter. In today’s environment, where AI missteps are scrutinized and amplified, a weak or opaque process risks not only regulatory exposure but immediate reputational damage.

The allegations also highlight a broader structural issue: Independence required for credible assurance breaks down when a single platform implements compliance measures and evaluates their effectiveness. For companies facing DOJ or SEC scrutiny, “check-the-box” automation is a liability.

What regulators expect is straightforward: a clear, auditable trail; evidence of independent judgment; and conclusions that can be explained and defended

Where AI helps and where it doesn’t

AI is powerful where scale and pattern recognition matter. This can include identifying anomalies across large datasets, canning contracts or transactions for outliers and surfacing potential misconduct signals. These capabilities are not theoretical. Many compliance teams use AI to accelerate reviews that previously took weeks. The technology works.

But uncovering the genesis of a compliance failure is rarely rooted in data alone. That requires an understanding of why people acted, whether controls were bypassed and whether leadership reinforced — or undermined — the program

AI cannot interview a whistleblower effectively. It cannot assess tone at the top. It cannot distinguish a technical failure from a cultural one. These require human judgment. That is where experienced professionals add irreplaceable value — not as a check on AI but as the judgment layer that makes AI outputs meaningful.

Risk

Deepfakes Are Now a Board-Level Risk & Regulators Are Watching

by Matt Flegg

May 1, 2026

Recent UK regulatory developments are making deepfake risk a board-level disclosure and accountability issue, not just an IT problem

Read moreDetails

The shift in skillset

As AI becomes embedded in compliance, the job is changing. Less time gathering data. More time interpreting it and acting on it. Four capabilities matter most:

• Model validation: Understanding what the AI is doing, where it is most effective and how to spot when its outputs need a closer look.
• Data integrity: Ensuring inputs are reliable, knowing that bad data can produce confident but wrong answers.
• Contextual judgment: Recognizing when controls exist on paper but fail in practice.
• Defensible conclusions: Translating outputs into a clear, supportable narrative that explains why a conclusion was reached.

Questions to ask before deploying AI

AI compliance-testing products are sure to proliferate. Ask these questions from your vendor to assess whether the output will stand up to scrutiny:

• Who is accountable if the tool flags or clears an issue?
• What evidence supports the conclusion?
• Does the same system design, implement and test controls?
• Does the tool produce auditable documentation or just outputs?
• What are the limits of the model?
• What data is excluded?
• How are false positives and false negatives handled?
• Would you rely on this output in front of the DOJ or SEC?

AI will continue to transform how compliance work gets done, but it will not lower the bar. Prosecutors and regulators evaluate whether a program is adequately resourced, empowered and effective. Technology is but one piece of the puzzle.

In other words: Do not expect credit for automation alone. Every automated insight still needs a human who can stand behind it. In the end, compliance is not about what your system can detect. It is about what your organization can defend.

AI has permanently raised the bar for what defines ”defensible” compliance. The leaders of this new era will not be those who avoid AI, nor those who automate blindly. They will be the firms that pair powerful technology with the professional judgment required to explain, defend and stand behind every conclusion.

The post ‘Blame the Bot’ Won’t Cut It in Front of Regulators appeared first on Corporate Compliance Insights.

Organizations have treated new technology as something visible and reviewable. That model is breaking down because of platforms’ built-in AI agents, business advisor Bill Lewis explains. For these agents, compliance teams must be building visibility, assigning ownership, documenting permissions and making sure default settings do not quietly become policy.

Most compliance teams are still preparing for AI as if it arrives through a formal proposal. That is no longer the main risk.

A new class of software is appearing inside the enterprise systems companies already use and trust — Microsoft 365, Google Workspace, Salesforce and others. These tools do more than answer questions. They can read information, make recommendations, trigger workflows, move data between systems and, in some cases, act with a degree of autonomy that creates real compliance exposure before anyone knows it.

Many organizations are not prepared for the way agentic AI is entering business: quietly, through routine software changes, default settings, partner ecosystems and embedded capabilities that do not always trigger the same scrutiny as a new standalone deployment.

For compliance and risk teams, this matters. If an AI capability can access sensitive data, influence decisions, initiate actions or operate inside a regulated workflow, it must be governed.

Traditionally, companies treated new technology as something visible and reviewable. A business team would request it, IT would assess it, security would review it, legal would check the contract, and leadership would decide whether the risk was acceptable. That model is breaking down. Agentic capabilities can appear inside tools already approved by organizations. In some cases, they may be available before internal approval or compliance review.

This trend has created a risk blindspot and a governance problem. If an organization does not have a clear inventory of where AI agents exist, what they are allowed to do, which systems they touch and who controls them, then it cannot honestly say it is managing the risk. It is simply assuming the risk is under control because the software came from a trusted vendor.

Why the risk is different now

The threat is not that AI agents are mysterious or futuristic. The threat is that they are becoming ordinary.

Microsoft has said it now has visibility into more than 500,000 AI agents inside its own company and that those agents were generating tens of thousands of employee responses each day. Google products allow agent sharing within organizations unless administrators change defaults. Salesforce has continued expanding agentic offerings into regulated sectors, including healthcare.

These are not edge cases; they are signals of how enterprise software is changing. The compliance challenge is that these tools do not need to be malicious to create risk. A well-intentioned agent that can read confidential information, summarize sensitive records, trigger a workflow or transfer data between systems can still create serious problems if no one has defined boundaries, oversight, auditability or accountability.

In other words, the risk is not just what the agent is. It is what the organization has allowed it to become.

Governance

Responsible AI Governance Starts With Ownership

by Diana Kelley

April 30, 2026

AI governance must be collaboration among IT, HR, legal, compliance and leadership

Read moreDetails

New questions and governance

Compliance, risk, legal, executive and board oversight is necessary with systems deploying AI agents. An AI agent that mishandles sensitive information or behaves unexpectedly is not just a technology incident. It is an enterprise governance failure.

Organization leaders must ask: Which systems contain agents? Which teams are using them? Which are sanctioned? Leaders also have to ask what can these AI agents do? Are they limited to drafting text, or can they access regulated data, recommend actions, trigger workflows, move information or act autonomously? Finally, leaders need to know: Who controls the AI agents? Who approves them? Who sets the rules? Who reviews the logs? Who is accountable if something goes wrong?

If those answers are unclear, an organization is exposed.

Existing governance frameworks simply were not designed for software that spreads through normal enterprise tasks without a distinct launch moment while having the ability to make and act on decisions. That means compliance leaders need to move from a project-based mindset to an inventory-based mindset. This starts by asking the questions above.

An inventory-based approach toward AI agents is especially important in regulated environments, where the combination of sensitive data, workflow automation and delegated authority can create exposure under privacy, security and sector-specific obligations.

A company does not need to wait for a catastrophic incident to discover that an agent has been over-permissioned.

The practical takeaway

The right response is not panic; it is achieving clarity. Compliance teams should assume that AI agents are already entering the enterprise through trusted software and should treat them as a live governance category. That means building visibility, assigning ownership, documenting permissions and making sure default settings do not quietly become policy. 

This article was first published on LinkedIn; it is adapted here with permission.

The post Your Next AI Risk Is Inside the Systems You Trust the Most appeared first on Corporate Compliance Insights.

Organizations can carefully craft rules for compliance, but if outcomes defy the rules — say safety incidents despite safety mandates — what is going on? As strategic facilitation consultant Sean Blair writes, certain unexamined forces are driving these results.

Every compliance framework rests on an assumption so fundamental it rarely gets examined: If you design the right rules, people will follow them.

The assumption is understandable. Rules are visible, auditable and enforceable. They give compliance professionals something concrete to point to. And for straightforward, predictable behaviors in stable environments, they work reasonably well.

But organizations are not straightforward or stable. They are complex, dynamic systems in which behavior emerges from the interaction of forces most compliance frameworks are not designed to see. Rules address the visible surface. The forces that actually drive behavior operate beneath it, largely invisible, largely unexamined and far more powerful than any policy document.

This is not a criticism of compliance professionals. It is an observation about the limits of the tool most commonly used and a case for adding something to it.

What frameworks typically examine

A well-designed compliance framework will cover regulatory requirements, internal policies, audit procedures, risk controls and escalation mechanisms. These are necessary. The problem is what they structurally cannot reach.

Peter Senge, whose work on organizational learning has influenced management thinking for 35 years, identified the concept of mental models, the deeply ingrained assumptions and beliefs that shape how people act, often invisibly and often in direct contradiction to stated policies. Organizational mental models, the collective assumptions embedded in how decisions actually get made, who genuinely gets heard and what behavior is tacitly rewarded regardless of what the policy says, are particularly powerful and particularly difficult to surface.

A compliance framework addresses the espoused rules. The mental models determine the actual behavior. When they conflict, the mental models win every time.

Compliance

Future-Proofing Global Compliance Policies

by Steph Holmes

April 28, 2026

Why compliance leaders must shift from a “document-first” to a “data-first” philosophy in the AI era

Read moreDetails

The invisible forces

Consider a fast-growing engineering company that expanded from several hundred to several thousand employees in under five years. Over the same period, it developed a troubling record of serious safety incidents. The compliance frameworks were in place. Safety protocols existed. Audit procedures ran. And yet the system produced outcomes nobody designed.

I found myself wondering about the relationship between the growth and the incidents. Not as an accusation but as a genuine systems question. What happens to a culture when the pressure for growth becomes the dominant force shaping every decision? How does that hunger for expansion show up in how safety protocols are actually followed on the ground? How does it affect whether newer employees feel confident raising concerns? How does it shape what a middle manager does when speed and safety come into tension at 4 p.m. on a Friday?

Nobody designed the safety failures, but the system produced them. And I would be surprised if the invisible force driving the system, the impatience for growth at pace embedded in leadership behavior, culture and reward structures, had ever appeared as a named, examined factor in any compliance review.

This is what compliance frameworks tend to miss: the system of unexpressed forces that shapes behavior far more reliably than any policy. The unspoken beliefs of the leadership team. The gap between stated values and actual reward structures. The things everyone knows but nobody says. These are not weaknesses to be managed through better rules; they are system forces that need to be understood.

Why rules alone are insufficient

The research on this is consistent and sobering. There is a well-documented gap between espoused theory, what organizations say they believe and require, and theory-in-use, what their actual behavior reveals. Executives claim they want honest escalation of concerns while subtly punishing those who raise them. Policies mandate transparency while meeting dynamics suppress dissent. Compliance training emphasizes integrity, but reward structures incentivize the opposite.

When these forces are in tension, the invisible ones win. This isn’t because people are malicious, but because the system they inhabit sends clearer signals through incentives, norms and leadership behavior than any compliance document can overcome.

This creates a specific problem for risk and audit professionals. You can design a control environment of great sophistication and still miss the most significant risks, because those risks are not in the processes you are auditing. They are in the invisible system operating beneath the processes.

Making the invisible visible

The compliance function has a genuine opportunity here, one that extends its value well beyond traditional audit and control work. The question is how to surface the invisible forces that no framework currently reaches.

Systems thinking, applied practically, offers a methodology for doing precisely this. Not systems thinking as abstract theory, which has been intellectually compelling but operationally elusive for decades but systems thinking made tangible: where leadership teams can build physical representations of the forces actually shaping their organization, including the ones that never appear in a compliance document.

An approach I have developed integrates three methodologies specifically for this purpose. Teams use popular building blocks to make three-dimensional physical representations of the forces operating in their system. Impatience as a named agent in the model. A belief about what leadership really rewards. A fear of honest escalation. These stop being unspoken and become discussable, because they are no longer attached to any individual. They sit on the table, open to collective inquiry.

Senge’s “Fifth Discipline” provides the conceptual framework for understanding what you are looking at. And dialogue, in the tradition of David Bohm, creates the conditions for genuinely honest conversation about what the model reveals, the kind of conversation that defensive routines normally prevent.

The result is not a replacement for compliance frameworks. It is a complement to them: a way of examining the system of forces that operates beneath those frameworks and that determines whether they work in practice or only on paper.

The post Compliance Frameworks Miss Invisible Forces, but They Matter the Most appeared first on Corporate Compliance Insights.

Traliant has appointed Evan Kramer as CEO, the New York-based HR compliance training and solutions provider said.

Kramer brings experience leading growth-focused companies across technology-enabled services, education technology, marketing technology, SaaS and financial technology. He most recently served as CEO of MarketFully, a global multilingual content marketing platform. He also previously served as CEO of AcquireUp and Knowfully Learning Group, where he helped scale digital learning and professional education platforms. Traliant provides HR compliance training to more than 14,000 organizations worldwide and is backed by private equity firm PSG.

“Traliant is uniquely positioned to lead this shift by combining cinematic storytelling, behavioral science and legal expertise with a platform that helps organizations stay compliant, audit-ready and better protected every day,” Kramer said in a news release.

The post Traliant Appoints New CEO appeared first on Corporate Compliance Insights.

Eventus has appointed Cameron Routh as CEO, succeeding founder Travis Schwab, the Atlanta-based trade surveillance and financial risk solutions provider said.

Routh brings more than two decades of experience in financial technology. He most recently served as CEO of Delta Data, a provider of software solutions for the public assets pooled fund industry, where he led the company through a period of growth and operational scale.

He previously served as head of Maxit Tax Solutions at Refinitiv, a London Stock Exchange Group company, and spent more than a decade at Scivantage in senior leadership roles, including chief commercial officer. Earlier in his career, Routh co-founded GainsKeeper, which was later acquired by Wolters Kluwer.

Schwab built Eventus over the past 11 years into a provider of trade surveillance solutions. Terminus Capital Partners took a majority stake in Eventus in February 2026.

The post Eventus Names New CEO; Founder Exits appeared first on Corporate Compliance Insights.

A practical, business-focused look at third-party cyber risk as the natural next step in TPRM

eBook

A Practical Guide to Third-Party Cyber Risk Management

What’s in this eBook from Ethixbase360:

Cyber risk isn’t contained within your organization anymore. The breaches that cause the most damage today often start with the third parties you rely on. As companies expand across cloud, SaaS and outsourced services, attackers are increasingly using suppliers as the most efficient way into multiple businesses at once.

This guide takes a practical, business-focused look at third-party cyber risk as the natural next step in TPRM. It unpacks why incidents are increasing, how vendor ecosystems are being exploited and why many organizations remain exposed despite having risk processes in place. Because the real question isn’t whether you’re secure, it’s how confident you are that your third parties won’t become the easiest way into your business.

Download the eBook to:

• Understand how the third-party cyber risk landscape is evolving as reliance on external providers grows and why this is driving a rise in incidents.
• See why attackers target vendors, using a single supplier to access multiple organizations and significantly increase the scale and impact of breaches.
• Move from fragmented, point-in-time approaches to more integrated, resilient risk management models that reflect how organizations actually operate.
• Learn how to embed cyber risk across the full vendor lifecycle, from onboarding and segmentation to due diligence, contractual controls and continuous monitoring.
• Clarify ownership across the organization, recognizing that third-party cyber risk requires shared accountability across compliance, security, procurement and the business.
• Improve visibility as vendor risk evolves over time, with continuous monitoring to identify changes in exposure and emerging threats between assessments.

About Ethixbase360

With Ethixbase360, organizations can operationalize ownership transparency by integrating UBO into third-party risk management and sanctions compliance within a single, defensible framework.

The post A Practical Guide to Third-Party Cyber Risk Management appeared first on Corporate Compliance Insights.

Stay ahead of regulatory change and position TPRM as competitive advantage

2026 outlook

Navigating Third-Party Risk in the Pharmaceutical and Life Sciences Sector

What’s in this guidebook from Ethixbase360:

Since the release of the 2025 outlook, the regulatory and enforcement landscape has continued to shift. Pharmaceutical and life sciences companies face sustained regulatory scrutiny, expanding ESG obligations and intensifying geopolitical pressure on global supply chains. The 2026 edition reflects these developments, examining how regulatory expectations are rising and how enforcement activity continues to evolve across jurisdictions.

Against this backdrop, pharmaceutical and life sciences organizations must balance rigorous compliance demands with the need to remain agile and competitive. Third-party relationships sit at the center of this challenge. Extensive networks of external partners support every stage of the journey from discovery to market, but they also extend risk well beyond organizational boundaries. When third-party risk is not managed effectively, the consequences can include regulatory breaches, operational disruption, reputational harm and escalating costs.

Ethixbase360’s “Pharma & Life Sciences 2026 Outlook” delivers a clear view of the sector’s most material third-party risk exposures, the regulatory direction of travel and the operational capabilities required to manage risk at scale in an increasingly complex environment.

Inside the 2026 edition you’ll find:

• Enforcement updates under the FCPA, with heightened expectations around demonstrable program effectiveness.
• Practical implications of the adopted Corporate Sustainability Due Diligence Directive (CSDDD), alongside expanding ESG-related enforcement and disclosure requirements
• Evolving trade and forced-labor controls, including developments under the Uyghur Forced Labor Prevention Act (UFLPA) and tightening parallel import regimes.
• Sector-specific exposure across API sourcing, contract manufacturing, data integrity and cross-border distribution networks.
• Resilience strategies for scaling third-party risk programs, including risk tiering, continuous monitoring, defensible due diligence and AI-assisted workflows supported by human oversight.
• The business case for mature TPRM, linking effective third-party governance to investor confidence, M&A readiness, operational agility and brand protection.

Designed for compliance, legal, procurement and risk leaders, this outlook equips organizations to embed greater visibility, accountability and resilience across extended third-party ecosystems.

About Ethixbase360

With Ethixbase360, organizations can operationalize ownership transparency by integrating UBO into third-party risk management and sanctions compliance within a single, defensible framework.

The post 2026 Outlook: Navigating Third-Party Risk in the Pharmaceutical & Life Sciences Sector appeared first on Corporate Compliance Insights.

When ownership transparency becomes a strategic control

eBook

UBO Due Diligence

What’s in this eBook from Ethixbase360:

Ultimate beneficial ownership (UBO) has moved from a background compliance consideration to a core business risk. Across sanctions, export controls, anti-corruption and illicit finance enforcement, regulators are increasingly focused not just on who a third party is but who ultimately owns, controls or benefits from it. UBO due diligence has evolved from a one-time onboarding task to a continuous, defensible requirement. Declarations alone are no longer enough; regulators now expect proof.

This guide explores why UBO sits at the center of third-party risk management and what organizations must do to keep pace with tightening global expectations.

Download the eBook to:

• Understand why UBO is no longer an AML tick-box exercise: See how sanctions, export controls and geopolitical pressure have elevated ownership transparency into a frontline compliance control.
• Navigate key regulatory developments shaping ownership analysis: Get clarity on the Corporate Transparency Act (CTA) and BOI regime, OFAC’s 50% rule, export control expectations, evolving European AML reforms and uneven global registry access.
• Identify why traditional UBO programs fall short: Learn how structural complexity, data gaps, and manual processes create blindspots that enforcement actions increasingly expose.
• Build a defensible, audit-ready UBO framework: Discover the core components of a modern program, including multi-source verification, ownership mapping, monitoring triggers and documented decision trails.
• Move beyond name-based screening to ownership intelligence: Understand why risk often sits within corporate structures — and how continuous monitoring strengthens compliance, resilience and defensibility.

About Ethixbase360

With Ethixbase360, organizations can operationalize ownership transparency by integrating UBO into third-party risk management and sanctions compliance within a single, defensible framework.

The post UBO Due Diligence: Ownership Transparency as Strategic Control appeared first on Corporate Compliance Insights.