When board oversight strays, so do companies, and if board oversight doesn’t exist, well, that can lead to an $8 billion fraud. Protiviti’s Jim DeLoach continues his series on governance failures with three more examples that provide lessons in sound business decision-making.

Last month, I identified lessons from two corporate governance failures resulting in the demise of two companies — Blockbuster and Washington Mutual — and one involving an audacious fraud in another company, Theranos. Lessons from governance failures highlight the importance of ethical behavior, risk management, accountability and board oversight. These failures often leave in their wake significant losses, reputational damage, brand erosion and legal penalties. They also destroy enterprise value and investor portfolios that had been built over many years.

Here, I address three more failures, including one in which there was no governance at all.

Overcooked books

No discussion of governance failures is complete without a mention of Enron. Once the darling of Wall Street with a high-profile CEO, a COO who had the “magic touch” and a CFO who received accolades from Fortune and CFO Magazine, Enron is a classic example of “The higher they get, the harder they fall.” The 25-year anniversary of Enron’s collapse, one of the most infamous in history, is approaching this fall. The sad story is one of financial fraud perpetrated through an opaque corporate and reporting structure that stretched the bounds of mark-to-market accounting to record projected profits as if they were actual profits earned, thereby inflating earnings reports.

A waiver of the Enron conflicts-of-interest policy by the board of directors enabled the CFO to engage in massive self-dealing using special purpose entities he controlled that were designed to move assets and debts off Enron’s balance sheet. This deception made the company appear more financially stable and less indebted than it actually was. He engineered complex financial instruments that few understood, often involving intricate investment partnerships and transactions that served no other purpose than to disguise the company’s debts and faltering lines of business. He personally managed two hedge funds to which Enron could sell failing assets to inflate revenue and profits while also getting them off the company’s books. And, of course, he enriched himself with millions in “management fees.”

The company’s public disclosures were intentionally designed to be so complex that few investors and analysts could decipher the true nature of its financial dealings and health. All these factors led to a massive lack of transparency that invited skepticism and scrutiny and led to a loss of credibility and trust.

Lesson 

What was the board thinking? Its waiver of policy enabled a serious conflict of interest that impaired the company’s control structure by allowing the CFO to stand on both sides of significant transactions. A fundamental tenet of internal control is the presumption that transactions are undertaken at arm’s length. Despite directors’ claims during the post-collapse blame game, the board knew enough about what was going on. They not only approved many of the deals, but they were also aware of and condoned the manipulation. For example, the CFO had a spreadsheet that tracked the impact of the structured finance deals he engineered on Enron’s credit rating to show how they allowed the company to be rated BBB+ when it was really a BB- company. When it was presented to the board, a director on the finance committee called him “a f—— genius.”

One need only examine the construction of the Sarbanes-Oxley legislation of 2002 to recognize that the story of Enron has many lessons to it. The SOX Act reads as if someone wrote a list of myriad corporate abuses on a whiteboard and patterned the legislation to address each abuse. The lesson emphasized above is that a board undertaking actions that enable unethical and misleading practices contributes to a flawed corporate culture that could ultimately take a company down. A flawed culture starts with the tone at the top.

Governance

Lessons Learned From 3 Corporate Governance Failures

by Jim DeLoach

April 27, 2026

Innovation, risk management & honesty should never hit these lows

Read moreDetails

A duty of loyalty failure

If I were pressed to name the best ice cream I have ever tasted, Blue Bell would be high on my list. With distribution centers in Texas, Oklahoma and Alabama, Blue Bell Creameries sells its offerings in over 20 states across the Southern, Western and Midwestern US. In 2015, the FDA and several state health agencies found evidence of the listeria bacteria in its products, which had resulted in the deaths of three people. As a result, Blue Bell had to recall all its ice cream products and shut down all its production operations. Needless to say, the impact on the company’s operations was devastating.

The company’s limited partners brought forth a complaint that the board breached its common law fiduciary duties. In ruling for the plaintiff, the court noted: “Directors have a duty ‘to exercise oversight’ and to monitor the corporation’s operational viability, legal compliance, and financial performance. A board’s ‘utter failure to attempt to assure a reasonable information and reporting system exists’ is an act of bad faith in breach of the duty of loyalty.”

This historic decision demonstrated that the high bar of the formidable Caremark standard could be scaled by the plaintiff bar in certain circumstances. In this decision, the court was compelled by the facts of the case — the simplicity of the company’s business model, the obvious enterprise risk of food safety, the lack of board focus on overseeing food safety issues and the absence of protocols by which the board expected to be advised of food safety reports and developments. According to the court, the facts created “a reasonable inference that the directors consciously failed ‘to attempt to ensure a reasonable information and reporting system exist(ed).’”

Lesson 

Although it applied to a limited partnership, the court’s ruling has important ramifications for public boards and executive management. In understanding who is responsible for the key risks, the broad strokes of the risk responses in place and the nature of any issues arising from them, the board should effectively monitor mission-critical matters and have significant matters escalated to its attention in a timely manner, especially those related to compliance. In the Blue Bell case, had the board members put in place an information and monitoring system, that action might have substantiated their defense of, “We weren’t told anything until it was too late.” The point is clear: The judiciary will not respect a hands-off approach like when Blue Bell’s directors apparently left the matter to management after finally recognizing the full magnitude of the problem.

Duped by a siren song

In Greek mythology, Sirens were dangerous creatures that lured sailors to shipwreck with their music and voices. The siren song of FTX, a major cryptocurrency exchange, led to collapse in 2022, exposed widespread fraud, misrepresentations and mismanagement. At the center of the story is FTX’s founder and controlling shareholder, Sam Bankman-Fried, whose star power contributed to the deception. 

The story of FTX is not one of a startup that began on sound footing and then steered in the wrong direction. It was a scam from the very beginning. When customers opened accounts on the FTX exchange, the funds were directed into bank accounts controlled by a sister company, Alameda Research, also owned and controlled by FTX’s founder. Alameda Research traded in cryptocurrency and “borrowed” as much capital from FTX as it needed to trade, operate and cover its risky bets. When customers tried to withdraw their funds, FTX could not cover the withdrawals, leading to a liquidity crisis because a significant portion of the firm’s assets were either tied up in illiquid investments or had been lost in the sister company’s recklessly risky trading. As a result, a run on the bank occurred and, ultimately, FTX declared bankruptcy. 

The trading bets generated losses, and the recordkeeping was sloppy, leading to a lack of transparency and a loss of trust. In essence, more than $8 billion in customer deposits were embezzled and used for other purposes, including personal luxury items for Bankman-Fried, elaborate advertising campaigns and political donations — an egregious violation of trust and fiduciary responsibility that prioritized risky ventures over the safety of customer assets.

Several factors enabled the fraud. The story begins with Bankman-Fried. He pitched a message of ethics and morality. He spun a narrative that fooled everybody. But it may also be true that everyone he fooled with his lies simply wanted to believe — and the list of believers is long. They include:

• The hedge funds burned by the bankruptcy. Investing in FTX was likely seen as a market-neutral-exposure play on crypto markets emphasizing a fee income model and no trading or balance sheet risk. That is what Bankman-Fried offered them. At the time these firms invested, FTX was viewed in the marketplace as a rapidly growing and profitable cryptocurrency exchange, with a high trading volume and a unicorn valuation. Thus, it appeared to be attractive as a high-potential investment opportunity.
• The politicians who received donations and appearance fees. Bankman-Fried used $100 million of the stolen funds, federal prosecutors said, to make political campaign contributions to both major US political parties so he could lobby Congress and regulatory agencies to support legislation and regulation to facilitate FTX’s operating model and growth. FTX also paid significant sums to a former US president and a former British prime minister to appear at a conference. These investments, along with various celebrity endorsements, were part of a scheme to enhance FTX’s illusory public image and appearance of legitimacy.
• The regulators struggling to keep up with the crypto market. Regulators were several steps behind FTX and its founder for a number of reasons. FTX operated in a regulatory vacuum, as the crypto industry was relatively new and regulations were still being developed. Also, because FTX was headquartered in the Bahamas, it was challenging for US regulators to exert control over the company. In addition, the founder’s public image and advocacy for regulation created a narrative that may have led regulators to look past the red flags.
• The media. Forbes named the founder the richest person on the planet under 30. He told journalists he would never lie. His aggressive marketing campaign included Super Bowl ads, celebrity endorsements and naming rights to the arena where the NBA’s Miami Heat play. FTX’s marketing campaigns promised that people who put their money in its accounts would earn higher yields than the average bank. Ever heard that one before?
• And, of course, the investors. Those who boosted crypto claimed they were in the vanguard of a revolution that would democratize finance and lead to generational wealth for all those who chose to believe. Rapidly rising prices silenced the skeptics. Investors, particularly wealthy investors, wanted to board the train of higher returns. The founder was the boy genius to whom they gravitated.

Lesson

The new FTX CEO tasked with leading the crypto exchange through bankruptcy stated that never in his career had he seen “such a complete failure of corporate controls and such a complete absence of trustworthy financial information.” That is quite an indictment by the man who also oversaw the Enron bankruptcy. And where was the board? Well, there wasn’t one, unless you consider a board consisting of the founder, an unnamed lawyer from Antigua and Barbuda and a former FTX executive to be an effective governing body. It didn’t even hold meetings or maintain records.

More importantly, there was a lack of independent governance between FTX and its sister crypto trading company. As discussed above, the FTX scandal also underscored the need for regulation in the cryptocurrency industry. The accounting firm that audited FTX’s financial statements apparently didn’t do a very good job, and it agreed to pay almost $2 million to the SEC to resolve actions alleging misconduct in its audits of FTX and auditor independence violations.

The lack of governance is beyond stunning. But just as remarkable is the lack of due diligence. Had the founder been asked if FTX had a chief risk officer, the answer would have been no. Had he been asked if the firm had a chief financial officer, the answer would also have been no. Bankman-Fried often boasted that FTX’s controls were among the strongest in the industry, with strict adherence to investor protection principles. Had someone asked him to provide some examples of this alleged control structure, his “answer” might have been enlightening. Furthermore, an inquiry regarding the composition of the board of directors would have disclosed that a functioning board acting as a check on the founder’s actions wasn’t in place.

One can only conclude that the power of the siren song created by Bankman-Fried and FTX along with the irrational exuberance over crypto kept very smart people from asking the questions that would have sounded alarm bells. It would have saved a lot of people a lot of money and trouble.

As a subscript, Forbes introduced a “Hall of Shame” list in 2023, highlighting 10 individuals who had previously been featured on its prestigious “30 Under 30” list but whose actions or reputations made the publication wish it could take back its prior recognition. Needless to say, the FTX founder made that list, too.

Lessons learned are not just about avoiding mistakes. When embraced by leaders and directors, the lessons can lead to stronger, more resilient and more effective organizations that are better equipped to navigate the complexities of the business environment. They also highlight the need for healthy skepticism.

The post Enron, Blue Bell & FTX: Revisiting Corporate Governance Failures appeared first on Corporate Compliance Insights.

Putting controls in place isn’t enough if you want people to actually do good behavior. Tegan Gebert, Chris Audet and Doug Eckstein of Gartner argue that it’s up to compliance leaders to be coaches for the business rather than just system engineers.

Despite strong motivation among business leaders to manage risk and compliance, Gartner research suggests that only one-third feels confident in their ability to do so. Traditional approaches, such as policy distribution and annual training, are falling short of building the muscle memory organizations need to keep pace with today’s fast-changing regulatory landscape.

The traditional approach to risk management is being challenged by the increasing speed, complexity and cross-functional nature of modern risks. This shifting environment calls for compliance teams to do more than oversee controls; they must empower business, risk and control owners to work together more proactively and effectively.

It’s important to build “risk reflex,” a culture where risk ownership and response are instinctive across the organization. For compliance, this means making it harder for the business to bypass the right behaviors by embedding controls more directly into business platforms or workflows, encouraging the business to think critically by asking thought-provoking questions or delivering more specific insights and reinforcing the “right” business behaviors through proper recognition.

The future of compliance isn’t about adding more oversight. It’s about engineering systems that encourage the right behaviors. Compliance leaders need to act less like enforcers and more like high-performance coaches, guiding their teams to make compliance instinctive. To achieve this.  Compliance leaders should focus on three core approaches.

1. Integrate compliance into daily operations

Engineer “hard to avoid” compliance. This means not only embedding controls directly into platforms or everyday workflows but also ensuring those workflows are so clearly useful, with such great visibility, that wanting to circumvent them would be unlikely. When compliance tasks are seamlessly integrated into routine business processes, it becomes easier and more natural for teams to do the right thing.

For example, by building due diligence requirements into a contract renewal process, organizations can ensure that compliance checks cannot be skipped. Similarly, embedding approval checkpoints within project management tools helps guarantee that regulatory steps are addressed at the right time, making noncompliance harder than compliance itself. The goal is to design systems where the right actions are visible, expected and reinforced by how the work gets done. Ensuring compliance is hard to avoid is not just about technology but about creating workflows and social norms that make the right behaviors prominent and difficult to bypass.

Compliance

Starting a New Job as a Chief Compliance & Ethics Officer? Do This in Your First 100 Days.

by Chris Audet

August 23, 2023

Read moreDetails

2. Foster risk ownership through meaningful dialogue

This strategy centers on provoking critical thinking. Rather than simply asking leaders if they are compliant, organizations should prompt them to consider whether they truly understand the risks and exposures they face. This shift encourages business leaders to take ownership of risk instead of viewing it as the sole responsibility of legal or compliance teams whom they report to.

By redesigning risk assessments and everyday conversations, compliance leaders can spark deeper engagement and more thoughtful responses. Ask questions to encourage business leaders to think about real-world effects and scenarios rather than just policy adherence. For example, instead of asking, “Have you done this compliance activity?” ask “What could go wrong for the business here?” This helps embed risk awareness and accountability across the organization. The quality of risk dialogue, whereby colleagues challenge assumptions, share insights and prompt reflection, is central to building reflexive risk ownership.

3. Celebrate and reward proactive behaviors

Finally, reinforcing the right behaviors is essential for building a culture of compliance. The focus must not only be on identifying the negative but acknowledging the positive.

Compliance leaders tend to report on violations; the emphasis is on what not to do. The counterbalance is giving greater recognition to people who do what they should be doing, reinforcing the actions or behaviors you want to see more often. Public recognition of teams and individuals who surface issues early or demonstrate proactive risk management can go a long way in shaping organizational culture. Sharing success stories and lessons learned helps normalize speaking up and continuous improvement, fostering an environment where compliance is valued and celebrated. Recognizing effort and openness, even when things go wrong, can spark a broader culture of learning and resilience.

The pace and complexity of today’s regulatory environment require a mindset shift from policing to coaching. Engineering compliance into daily operations, encouraging critical thinking and recognizing positive behaviors can close the confidence gap, empowering risk owners to better manage risk and compliance. Organizations who achieve this can make the right behaviors more automatic and more responsive to change. This creates lasting value. 

The journey to reflexive risk ownership starts now, and every business leader has an opportunity to shape a more resilient and responsive compliance culture.

The post How Compliance Officers Can Be Better Coaches appeared first on Corporate Compliance Insights.

Knowing how your business uses AI is pretty important in any situation, but that knowledge has taken on major compliance and risk relevance as the EU AI Act is rolled out, explains Sam Peters of ISMS.online. Companies need to know how they’ll be categorized under the act, which has important compliance dates starting later this year. The distinctions aren’t as clear as you may think.

As organizations prepare for the EU AI Act, most of the attention has gone to risk classifications, documentation requirements and looming enforcement deadlines. All of which are important. But there’s a more basic risk that isn’t getting nearly enough attention.

It’s not whether you understand the rules. It’s whether you understand what your organization’s role is under them.

The EU AI Act does not apply to organizations in a uniform way. The regulation applies extraterritorially, meaning that it applies to organizations that operate outside the physical borders of the EU. Section 2 of the act notes that any organization placing AI systems on the EU market or whose AI outputs are used in the EU may be in scope, regardless of where it physically resides.

What matters is where your organization sits in the AI value chain, not where your organization has offices. Get that wrong, and everything that follows, from risk assessments to governance controls, starts on shaky ground.

The regulation distinguishes among several roles, including providers, deployers, importers and distributors. Each carries a different set of obligations.

Providers face the heaviest lift. They are responsible for ensuring that AI systems meet strict requirements before entering the EU market, including conformity assessments, documentation and ongoing monitoring. Deployers, by contrast, use AI systems developed by others. Their obligations are narrower, centered on oversight, monitoring and appropriate use.

That sounds clean and easy to distinguish. In practice, the line between these roles is anything but clean.

How organizations could get it wrong

A common assumption is that if you are not building AI models from scratch, you are a deployer. That assumption can fall apart quickly. Under the act, a deployer can become a provider if it makes substantial modifications to an AI system or markets it under its own name. One should not look at that scenario as remote or an outlier. In fact, it generally reflects how modern software is built.

Take a typical SaaS company. It might integrate a third-party foundation model, fine-tune it for a specific use case and embed it into a broader product offering. That product is then sold into multiple markets, including the EU. What is that company, then? A deployer? A provider? Both? The answer is not always obvious.

Misclassification is only part of the problem. More often, organizations are not just one thing. A single company might develop parts of an AI system, integrate third-party components, deploy those systems internally and distribute them externally through partners. Each of those activities can trigger a different role under the regulation. The result is overlapping obligations that do not always line up neatly. Again, this is becoming standard operating reality rather than a rare exception.

For compliance teams, that creates a level of complexity most existing models were never designed to handle. Ownership gets blurry. Accountability gets split. And it becomes easier than it should be for critical obligations to slip through unnoticed.

Compliance

The EU AI Act’s ‘Wait and See’ Window Is Closing

by Naomi Grossman

April 6, 2026

AI literacy has survived attempts to water it down and remains a direct organizational obligation — not a policy aspiration

Read moreDetails

Why this creates real compliance risk

For organizations operating across borders, misunderstanding your role is a technical problem, yes, but it’s also a governance problem. If you assume you are a deployer when you meet the definition of a provider, the gaps show up quickly. Conformity assessments may not happen or documentation may be incomplete. Requirements around transparency, traceability and oversight could be missed altogether. And when regulators come knocking, demonstrating compliance becomes difficult.

The EU AI Act is clear on one point: It is not enough to say you are compliant. You have to be able to show it. This points to a broader issue. Many organizations are still treating AI as just another layer of IT, which is a mindset that doesn’t hold up.

AI systems behave differently. They evolve, depend on complex supply chains and can directly affect individual outcomes. That combination makes informal or loosely defined governance models hard to sustain.

Without clear structures to identify where AI is being used, assign ownership, understand how systems are built and modified and track how they are deployed across markets, organizations are left guessing. We all know that guessing is not a strong compliance strategy.

For compliance leaders, the priority is not to memorize every detail of the regulation. But they need to know enough to get clarity on where the organization actually sits within it.

That means asking some basic questions. Where is AI being used across the business, including in products, services and internal operations? Which of those systems have an impact on operations in the EU? How are those systems built, particularly when third-party components are involved? Are systems being modified, fine-tuned or rebranded in ways that change their classification? And who exactly owns each system from a governance standpoint?

The answers tend to be more complicated than expected, though that is not necessarily surprising given the complexity of the regulation itself. But if this complexity is not surfaced, compliance decisions are being made on incomplete information.

Misunderstanding your organization’s role under the EU AI Act is not a small mistake. It is a foundational one, that can cause a butterfly effect that ripples outward into larger compliance failures. Organizations that take the time now to get that foundation right will be in a much stronger position, not just for this regulation, but for what comes next.

The post The Most Overlooked Risk in the EU AI Act: Misunderstanding Your Role appeared first on Corporate Compliance Insights.

If the only intelligence you’re thinking of is artificial, your compliance and risk programs are missing out on a crucial element, writes Chris Tamdjidi of Awaris, a consulting and training company. Physiological intelligence is more than trusting your gut, it’s about training your intuition to make helpful risk decisions.

The COO of a global logistics company once described his risk radar in disarmingly simple terms: “Give me 15 minutes in any facility, and I can feel what’s wrong.” He wasn’t talking about dashboards or audit reports but something harder to defend in a board paper: a felt sense. A pattern of signals — a supervisor’s tension, a half-second pause before answering, managers avoiding eye contact — that his body forms into a hypothesis before his conscious mind can explain it.

For a risk and compliance audience trained to value documented evidence, this kind of statement sits uncomfortably. Yet, his track record was hard to dismiss. The places that gave him a bad feeling were, often enough, the places where something was actually going wrong.

This is physiological intelligence: the trained capacity to read the signals your body and senses are picking up and to treat them as a legitimate source of information about a complex system.

How it actually works

There is nothing mystical about this. Our conscious, deliberative mind, the part that writes the risk register, is limited in throughput. Most of us struggle to multiply two two-digit numbers in our heads. Meanwhile, non-conscious processing — recognizing a face in a crowd or sensing a shift in tone — runs in parallel at far higher bandwidth. If conscious thought is loose change in your pocket, non-conscious processing is the entire economy.

Emotions and bodily sensations are one of the main ways that the non-conscious system reports back. A flicker of unease on a shop floor is not noise but the output of a pattern-recognition engine drawing on thousands of past cues — micro-expressions, sounds, culture — and flagging a deviation. The COO’s 15 minutes were not magic but a lifetime of pattern recognition, delivered as a feeling.

Crucially, a felt sense is not the same as the truth. It is a hypothesis, not a verdict. But it is a trainable hypothesis generator, and ignoring it is a form of negligence.

Why compliance has always quietly relied on this

Risk professionals do this constantly even if they don’t describe it that way. An auditor asks one more question because something doesn’t sit right. A compliance officer escalates a third-party relationship she can’t fully justify on paper. An investigator senses a witness is holding back. We dress these moments in procedural language, but the initial signal is often physiological.

A 2011 study of Israeli parole judges by Ben-Gurion University and Columbia University professors showed the cost of not listening to these signals. Across 1,100 hearings, favorable rulings dropped sharply, from around 65% at the beginning of sessions, not long after breakfast, to almost none as the early sessions came to a close. The favorable rulings returned to about 65% after breaks, when judges had eaten. The judges would likely have denied that hunger or fatigue were shaping their decisions, but their bodies were signalling depletion. This showed up as a systematic, invisible bias, one that made them more prone to irritation, more likely to dismiss applications and more likely to reject them, holding real consequences for the people in front of them.

The lesson for compliance leaders isn’t just “trust your gut.” It is instead, “listen to and train your gut signals.”  The training part is important: Unless you train people to notice and interpret these signals, they will quietly steer decisions anyway and usually in ways nobody is accountable for.

Leadership and Career

Why Experience Still Matters in an Automated Finance World

by Ryan Padget

May 8, 2026

AI is reshaping workflows in finance, but the judgment that protects organizations remains deeply human

Read moreDetails

It is tempting to assume that as AI systems take on more of the analytical heavy lifting in risk and compliance — anomaly detection, transaction monitoring, control testing — the human “felt sense” becomes a quaint relic. Actually, I believe the opposite is true.

AI excels at processing what has been encoded but is blind to what hasn’t. It cannot see that a critical control team is exhausted and close to breaking. It cannot sense when overconfident outputs go unchallenged because no one feels safe to speak. These are the failure modes behind major compliance breakdowns, and they sit in the human layer of human-AI systems.

Physiological intelligence is how we surface the risks that sit between the model and the people using it. The more decisions we delegate to AI, the more critical it becomes that humans can read the felt signals the system cannot generate.

As we are inundated with data, screens and insightful analysis, a quieter risk emerges, visible on any train or plane: No one is looking up anymore. Few are checking what they see, feel or hear. Our physical senses risk degrading as we become entranced by screen-mediated intelligence, increasingly trusting what data and AI tell us without checking our own sensory perception or gut.

What to do

Treat physiological intelligence the way you treat any other control: as something that must be trained, practiced and embedded in habits, not assumed.

Build short body-and-mood checks into risk meetings. Before reviewing AI outputs, ask what people are noticing in themselves and the room. Train compliance teams in mindfulness and interoception, not as well-being perks, but as risk-sensing tools. Make it psychologically safe to say “something doesn’t feel right, but I can’t tell you why,” and create space to investigate rather than override it.

Interestingly, none of this is new. Research on high-reliability organizations by Karl Weick and Kathleen Sutcliffe shows that businesses operating under extreme risk rely on collective mindfulness, attention to frontline operations and deference to the expertise of those closest to the work, including the felt sense that those people bring. Crucially, this depends on environments where people feel safe to speak up when something doesn’t seem right.

The COO’s 15 minutes were not a substitute for data. They were an early-warning system that data alone could not provide. In an AI-driven workplace, that early-warning system is no longer a nice-to-have. It is part of how grounded, balanced, defensible risk judgement actually gets made.

The post Why the Human Body Still Matters in an AI-Driven Workplace appeared first on Corporate Compliance Insights.

New products & platforms

Fenergo, client lifecycle management software provider, launched a digital subscriptions integration in its Investor Portal, enabling buyside firms to digitalize and connect the end-to-end investor onboarding and fund subscription process, eliminating long-standing inefficiencies and fragmentation.

Bloomberg released BSpeech, voice transcription service for more than 50 languages, as part of Bloomberg Vault, enabling systematic surveillance, search and analysis of voice communications at scale.

ComplyAdvantage, a financial crime, risk, data and detection company, launched payment screening on its Mesh AI platform, bettering the platform’s abilities to intercept suspicious payments, review them and remain compliant against global sanctions risk.

MyComplianceOffice, a provider of compliance technology, unveiled platform enhancements across insider information management, trade surveillance and employee communications designed to help financial services firms simplify compliance.

Other news

Sovos, a tax compliance provider, announced it has opened a new Asia-Pacific hub in Mumbai, India.

The post GRC News Roundup: Fenergo, Bloomberg, Sovos & More appeared first on Corporate Compliance Insights.

Ethics reporting and compliance platform FaceUp has raised $5 million in Series A funding led by Fil Rouge Capital with participation from JIC Ventures. With the latest fundraising, FaceUp has earned about $9 million since it was founded in 2020.

Funding in the most recent round was also provided by Venture to Venture Fund and Gi21 Capital, according to a news release. Returning investors included Tilia Impact Ventures and Reflex Capital as well as angel investors and employees. The resources will go toward building FaceUp’s all-in-one ethics and compliance suite, gaining customers and partners and expanding reach, particularly in the US and UAE, the company said.

“I’m really excited about this growth investment, as it will allow us to move even faster toward our vision of becoming the leading solution for ethical and compliant workplaces worldwide,” Jan Slama, co-founder and CEO of FaceUp, said in the news release. “It will help us not only increase our ARR, expand our team and boost our product, but, most importantly, support even more organizations around the world in fostering trust, ethics, safety and integrity, while protecting their reputation, employees, resources and culture.”

The post FaceUp Raises $5M Series A Round appeared first on Corporate Compliance Insights.

New US sanctions on Cuba may look like another step in the countries’ fraught history. As Kathy Nugent of LexisNexis Risk Solutions explains, global operators can’t simply adhere to domestic laws, but must assess these sanctions and ask — what are we willing to risk?

On May 1, President Donald Trump issued Executive Order 14404, introducing new Cuba-related authorities under the International Emergency Economic Powers Act (IEEPA) and expanding measures tied to the national emergency declared earlier this year in Executive Order 14380. 

At first glance, this may appear to be another incremental step in a long-established Cuba policy. In practice, it materially raises the stakes for non-US firms and financial institutions that operate under different regulatory regimes but still do business with or depend on access to the US or its financial ecosystem. 

This is not just a Cuba story. It is a story about jurisdictional divergence, enforcement reach and the growing conflict-of-laws challenges facing global organizations. 

What the executive order actually does and why it is different 

The order complements OFAC’s long-standing Cuban assets control regulations with a broad IEEPA-based designation framework targeting certain foreign persons connected to Cuba. It authorizes the blocking of property and interests in property of foreign persons determined by the secretary of state or the secretary of the Treasury to be operating in or supporting key sectors of the Cuban economy, including energy, defense, metals and mining, financial services and security. 

It also permits action against current or former leaders or officials from the government of Cuba, as well as individuals and entities that materially assist, sponsor or otherwise support the government of Cuba or persons blocked under the order. This introduces an important nuance. The order does not only capture support to already designated parties but extends to support for the Cuban government, defined broadly to include its agencies, instrumentalities, controlled entities and persons acting for or on its behalf. 

Crucially, the order introduces secondary exposure for foreign financial institutions that conduct or facilitate significant transactions for or on behalf of persons blocked under the order. The Treasury may prohibit or impose strict conditions on the opening or maintenance of US correspondent or payable-through accounts and may also impose full blocking measures on the foreign financial institution itself. 

In practical terms, conduct that occurs entirely outside the US can now create designation risk for foreign persons and secondary exposure for foreign financial institutions, including potential restrictions on access to American financial infrastructure. 

Diverging regulatory regimes 

This is where challenges become more pronounced, particularly for close American allies and other major economies that may face the consequences of the extraterritorial application of these measures. 

Jurisdictions such as Canada, the EU and the UK maintain frameworks that do not mirror US restrictions on Cuba. In some cases, their laws explicitly permit commercial activity with Cuba that American law restricts or prohibits. 

That divergence is not new. What is new is how clearly the pressure point is defined: access to the US financial system. 

The executive order allows the Treasury Department to target foreign banks and intermediaries even where the underlying Cuba-related activity may be lawful under local law and without a clear jurisdictional nexus to the US, as long as the activity involves persons blocked under the order or meets the new designation criteria. This creates a familiar but increasingly acute dilemma for global firms: local legality vs. exposure to US measures. 

Why Canada, the EU and the UK should pay attention now 

For firms headquartered in these jurisdictions, particularly financial institutions, the order raises operational and strategic questions beyond purely legal considerations. 

Access to US dollar clearing and correspondent banking remains a strategic dependency. Many multinational organizations expect seamless dollar-based services even if only part of their business touches the US. At the same time, enforcement activity has increasingly focused on facilitation, indirect support and financial intermediation rather than purely direct dealings. 

The order explicitly extends exposure to entities that facilitate transactions for restricted parties, a concept authorities have historically interpreted broadly. Compliance frameworks built solely around domestic obligations are therefore no longer sufficient for institutions with exposure to the US market. 

Many segments of the financial sector are affected beyond banks. The order includes a broad definition of foreign financial institutions, from banks and money service businesses to dealers in precious metals, stones or jewels and everything in between. 

Risk

Venezuela Energy Reform and US Sanctions Relief Are Moving Together. Here’s What That Means.

by Terry Gilroy and Eugenio Hernández-Bretón

May 19, 2026

New OFAC general licenses create openings in Venezuela’s energy sector, but each carries different conditions

Read moreDetails

The compliance shift this accelerates 

This executive order reinforces trends financial crime compliance leaders have been navigating for years. Regulatory risk is not confined by geography. Exposure flows through correspondent networks, payment rails, trade finance, insurance or securities activities. Being compliant under local law does not insulate institutions from American enforcement risk or broader exposure. For a non-US actor, the relevant risks go beyond civil enforcement. They may include designation risk involving correspondent banking restrictions or blocking measures. 

Financial institutions continue to serve as the primary enforcement leverage. Access to liquidity and financial infrastructure remains the central pressure point. 

Risk assessments need to be scenario-based rather than purely rules-based. Institutions should be asking not only whether an activity is permissible today but what happens if a counterparty, sector or jurisdiction becomes tomorrow’s enforcement focus. 

Going forward, it is crucial for organizations to monitor new Cuba-related designations and assess ownership and control links to detect indirect exposure throughout business relationships. This is particularly important because the order targets not only listed persons but also support to the government of Cuba and dealings that may be interpreted as material assistance. 

What this means in practice 

For institutions operating across jurisdictions, this does not necessarily mean adding layers of controls. It means aligning risk appetite with geopolitical reality. 

Country risk assessments should explicitly consider foreign exposure, not only domestic requirements. Customer due diligence should extend beyond direct ownership to include sectoral exposure and facilitation risk. Transaction monitoring and screening programs should be capable of identifying indirect Cuba exposure, particularly through trade-related activity and intermediated payments. Governance models must allow for rapid escalation when US policy shifts, even if local regulators have not yet acted. 

For foreign financial institutions, exposure to these measures should be assessed through three layers of analysis. First, is the activity lawful under domestic law? Second, does the activity have a nexus to the United States, requiring strict compliance with applicable rules? Third, even without a direct link, could the activity expose the institution to secondary measures such as asset freezes or correspondent account restrictions? 

That third question is where the practical impact of the order is likely to be felt most acutely. 

How allies push back 

Canada, the EU and the UK are not passive in the face of extraterritorial measures. 

The EU relies on its blocking statute, a regulation originally introduced in response to US restrictions on Cuba. It prohibits EU persons from complying with certain foreign measures, nullifies related foreign judgments within the EU and allows EU companies to seek damages caused by their application. Limited exemptions exist but only where noncompliance would seriously damage EU or national interests. 

Canada has a parallel framework in the Foreign Extraterritorial Measures Act, which allows the government to block the enforcement of certain foreign measures in Canada and restrict compliance by Canadian entities. Like the EU statute, it is sovereignty driven and explicitly designed to counter the extraterritorial reach of American action, particularly those related to Cuba. 

The UK retained similar protections post-Brexit, preserving the principle that foreign rules should not automatically dictate lawful activity within UK jurisdiction. 

Beyond the Western Hemisphere, other major economies are also developing legal defenses against the extraterritorial effects of certain US measures. Following publication of the order, China announced implementation of its blocking statute for the first time in response to separate actions against Chinese companies imposed under Iran-related authorities. India has also reportedly been exploring a similar mechanism. 

These approaches matter legally and politically. They establish formal resistance, preserve policy autonomy and provide a basis for domestic remedies. They also deepen regulatory fragmentation and introduce complex compliance challenges. 

In practice, blocking statutes do not restore access to US correspondent accounts, US dollar liquidity or unblock assets. They can prevent legal compulsion but cannot neutralize economic dependence. For institutions with meaningful exposure to the US, the ultimate risk is not whether compliance is lawful locally but whether access to the system can be lost. That imbalance explains why firms continue to navigate between conflicting legal obligations even when protective frameworks exist. 

The bigger signal 

The Cuba executive order sends a broader message to global markets. Regulatory divergence is tolerated until it is not. 

When national security considerations intensify, exposure often expands, not only against primary targets but also against those who enable access, liquidity or legitimacy. For global operators, this does not require alignment with American foreign policy. It does require a clear-eyed assessment of exposure to these measures. 

The post Global Operators Need to Take a Hard Look at Cuba Sanctions appeared first on Corporate Compliance Insights.

Surveillance pricing, which uses consumer data to drive prices, has caught the eye of government officials, Kwamina Williford, Christopher J. Armstrong, Ashley Joyner Chavous, Benjamin Genn of Holland & Knight write. Companies must ensure their practices are transparent and defensible. Such efforts may not prevent scrutiny but will help prepare for a pricing fight.

Federal and state governments are escalating scrutiny of “surveillance pricing” and AI-enabled pricing practices, particularly where pricing relies on consumer data, opaque algorithms or insufficient price transparency. Although traditional dynamic pricing based on market conditions remains lawful, regulators are increasingly focused on personalized pricing tied to consumer data, price experimentation and how prices and fees are disclosed to consumers.

Against this backdrop, continued and increasingly aggressive government scrutiny is expected — from the FTC and Congress, as well as state attorneys general — of pricing practices that rely on consumer data, algorithmic decision‑making or shadowy pricing mechanics, even where companies maintain that prices are driven by traditional market factors rather than individualized profiling.

For companies that utilize variable pricing, ticketing fees, loyalty programs and algorithmic revenue management, this government activity creates near‑term compliance risk and controversy, even absent attempts at statutory or regulator limitations.

Federal regulators define “surveillance pricing” as pricing practices that use detailed consumer personal data — including location, browsing history, demographics or behavioral inferences — to set individualized prices or offers for the same product or service. The FTC has emphasized that advances in data collection and machine learning have made such pricing scalable and difficult for consumers to detect.

Critically, regulators distinguish dynamic pricing, which responds to market conditions (inventory, demand, seasonality), from personalized or surveillance pricing, which responds to characteristics of the individual consumer rather than the market as a whole. This distinction is increasingly central to enforcement, legislation and congressional oversight.

The FTC’s enforcement and surveillance pricing work

In 2024, the FTC launched a Section 6(b) study to examine how companies and intermediaries use consumer data to implement surveillance pricing and algorithmic decision‑making. The FTC continues to maintain public resources describing this work and its consumer protection rationale.

In testimony before Congress in April, FTC leadership confirmed that staff work on surveillance pricing continues and that the agency is assessing whether additional disclosures may be required when pricing is highly personalized or driven by consumer data.

The commission has also paired its surveillance pricing focus with aggressive enforcement on price transparency, particularly in live event ticketing. The FTC recently announced a settlement with a ticket exchange to resolve allegations that it failed to clearly and conspicuously disclose mandatory fees as required under the FTC Act and the agency’s rule governing unfair or deceptive fees. The FTC emphasized that total ticket prices must be disclosed upfront and prominently at all stages of the purchase process.

The implication is that pricing enforcement risk is no longer theoretical but an active priority grounded in FTC rule violations and Section 5 authority.

Going forward, the FTC is expected to aggressively pursue surveillance pricing and related deceptive pricing theories. Even where companies deny using personal data to set prices, the FTC has signaled that opacity, inconsistent consumer explanations or pricing outcomes that exceed reasonable consumer expectations may independently trigger investigation.

In this environment, the FTC is likely to scrutinize not only how pricing systems operate, but also whether consumer‑facing descriptions are accurate, consistent and sufficiently transparent to reflect underlying pricing mechanics.

Risk

Pricing Algorithms Raise New Antitrust Concerns

by FTI Consulting

May 13, 2025

Interdisciplinary frameworks can help manage legal, privacy and consumer protection risks

Read moreDetails

Congressional AI‑driven pricing investigation

In March, the House Oversight Committee formally launched an investigation into the use of surveillance pricing.

The committee sent letters to major travel and platform companies requesting documentation regarding revenue management algorithms, use of consumer data in pricing, testing and experimentation practices and internal communications describing pricing tools and outcomes. The committee has characterized surveillance pricing as a “black box” process in which algorithms infer willingness to pay more and adjust prices accordingly without consumer awareness or meaningful transparency. The investigation reflects a broader shift toward scrutiny of unilateral, data-driven pricing practices, including:

• Whether companies distinguish between market-based dynamic pricing and individualized pricing tied to consumer attributes
• How algorithmic pricing tools are tested, governed and monitored
• Whether pricing varies based on location, device or behavioral signals
• How pricing practices are described to consumers

The inquiry also suggests potential scrutiny of third-party vendors and pricing tools, not just internal systems.

Later, on May 11, the House Energy and Commerce Committee ranking member, Rep. Frank Pallone Jr., who is expected to become chairman if Democrats win control of the House in November, launched a new investigation into the use of surveillance pricing. The ranking member sent an initial round of letters to 25 major grocery and retail companies requesting responses and internal documentation regarding:

• Customer data elements used to inform or set prices.
• The use of AI to inform or set prices.
• Work with third parties to purchase, license or otherwise acquire data for use in informing or setting prices.
• Consumer options to opt-out of data collection.

Even absent immediate legislation, congressional investigations create material risk, including compelled document production, public hearings, reputational exposure and referrals to the FTC, the DOJ or state attorneys general. Given bipartisan interest in the issue, this risk will persist regardless of outcomes in the congressional midterm elections.

In practice, congressional oversight often serves as an early forcing mechanism, requiring companies to explain and defend pricing practices well before formal enforcement begins. For travel, entertainment, housing, e-commerce and other companies, AI‑assisted pricing in consumer‑facing markets is now a priority oversight issue.

Faster-moving state regulation

State enforcement and legislative activity around surveillance pricing is accelerating and converging on consumer data use and transparency.

California is pursuing surveillance pricing through a privacy-enforcement lens, and New York has enacted a law requiring disclosure when personalized algorithmic pricing is used. In addition, Maryland has passed the Protection from Predatory Pricing Act, restricting certain practices and treating violations as deceptive trade practices.

Dozens of additional states are considering similar legislation, underscoring a rapidly expanding and fragmented regulatory environment.

AI’s role in heightening enforcement risk

The FTC has emphasized that machine learning and automated experimentation materially change the enforcement landscape by enabling granular consumer segmentation, rapid A/B price testing and optimization processes that are largely invisible to consumers.

Congress has echoed these concerns, characterizing AI pricing tools as amplifying the potential for unfair, deceptive or discriminatory outcomes where personalization is not transparent.

For companies, AI is now a risk multiplier when used in pricing, merchandising, bundling or fee presentation, particularly where experimentation occurs without consumer disclosure or governance controls.

Practical compliance takeaways for companies

Government activity suggests companies should prioritize:

1. Pricing data mapping. Identify whether consumer or device data influences base prices, fees, bundles, upgrades or recommended offers.
2. Clear separation of pricing models. Distinguish market‑based dynamic pricing from personalized pricing tied to consumer data.
3. Fee and price transparency audits. Ensure total prices and mandatory fees are clearly disclosed at all stages of the consumer journey, consistent with FTC expectations.
4. AI and experimentation governance. Implement appropriate controls for algorithmic pricing tools and A/B testing, including oversight of how models are deployed and evaluated.
5. Inquiry readiness. Ensure pricing practices can be clearly and consistently explained to regulators and Congress, with alignment across legal, business and communications functions regarding data use, pricing logic and consumer disclosures.

Companies should approach these steps with an eye toward regulatory scrutiny and practical defensibility, particularly as FTC enforcement and congressional inquiries continue to evolve.

This article was first published by Holland & Knight. It is adapted here with permission.

The post Surveillance Pricing: You’re Watching Consumers — and Government Is Watching You appeared first on Corporate Compliance Insights.

71% of execs who attend every board meeting give directors good grades

Fewer than half of executives believe boards of directors do an excellent or even good job, a survey by PwC and the Conference Board found. Only 41% of executives rated their boards’ effectiveness as excellent or good in 2025, according to the survey.

The survey took responses from 524 executives, most of whom lead companies with revenues of more than $1 billion across several industries.

The good news for boards: The 41% of happy execs was an increase from 35% in 2024, continuing an upward trajectory since 2022.

Notably, the percentage of approval increases as the frequency of interaction with boards increases. So executives who attended every board meeting reported a 71% good or excellent rating for the board, while executives who rarely interact with boards were at 17% good or excellent.

The top three reasons boards aren’t more effective:

• 47% said members serve on too many boards.
• 35% said members are too slow to react to emerging risks or opportunities.
• 34% said members don’t keep pace with digital transformation.

About half of companies are ‘very prepared’ for financial crime incidents

Legal, compliance and regulatory executives have lost confidence in their companies’ ability to handle financial crime with fewer than half saying they’re “very prepared” for incidents, according to a survey by AlixPartners.

The consulting firm’s survey solicited answers from 500 executives from financial services, technology, healthcare and life sciences, manufacturing and retail, finding that 48% said they were “very prepared” to address fincrime and fraud. They’re also losing faith in their technologies’ ability to prevent such risk, with 36% saying they’re “very confident” in these technologies. That’s down from 56% in 2025.

The survey also found that 63% of executives believe corporate legal disputes will increase this year compared to last year with 47% saying those disputes will be about cybersecurity and data privacy.

Speaking of cybersecurity and data privacy, 65% named cybersecurity and 58% named data privacy as the most concerning potential risk events, significant increases from 2025. About 75% reported their organizations haven’t taken measures to address AI-powered cyberattacks. 

Other key findings include:

• 80% said the fragmented AI regulatory landscape puts their organizations at risk.
• 65% said they don’t feel very prepared for new US sanctions and geopolitical and trade effects.
• 68% said they aren’t very prepared for supply chain disruptions, up from 59% in 2025.

12% of frontline managers say compliance is top of mind in a crisis

Just over 10% of frontline managers are looking to avoid compliance or policy issues when making calls under pressure, according to a survey from Dayforce. The study included almost 5,700 adult respondents who work in frontline organizations with at least 100 employees across large English-speaking countries.

The survey by the HR software provider found 12% of frontline managers said avoiding compliance or policy breaches is their top priority when they have to make decisions under pressure. At the same time, 67% of executives and managers acknowledge everyday shift-level decisions create compliance risk.

Disruptions for frontline businesses are causing inefficiencies, the survey found, with 65% reporting shift-level problems affecting performance. Of the frontline manager respondents, 42% said these issues were driving overtime. 

Almost three-quarters of frontline workers said they rely on workarounds on shifts and 90% reported they had to find ways to fill open shifts themselves. And the burden is taking a toll on workers with 89% saying shift issues affect their well-being, and 71% having considered leaving their job as a result.

90% of UK banking customers would drop institution over AML failures

Almost 90% of UK customers said they would abandon their bank over failures to prevent money laundering or terrorist financing, a survey by ThetaRay found.

The fintech company interviewed 1,023 UK-based respondents, concluding that 88% would drop their bank if such financial malfeasance was discovered, while 87% would discourage others from banking with institutions involved in such activities. 

About 80% of UK consumers rank AML effectiveness as a top priority when selecting a new provider. But those numbers are mirrored in UK bank customers’ faith, with 88% saying they trust their banks.

About 70% of respondents said speed and clarity of digital onboarding directly dictates whether they complete an application or abandon the process entirely. However, the report also revealed that 96% demand “clear explanations” of onboarding requirements and security-related delay.

The post Fewer Than Half of Execs Say Their Board Excels appeared first on Corporate Compliance Insights.

A positive SOC 2 report means an organization has the security controls in place to work with, right? Recent allegations that SOC 2 auditor Delved faked compliance reports reveal the gap between what a document says and what is actually happening inside a vendor’s environment, argues Clarence Chio, CEO of Coverbase.

For years, the SOC 2 report has been the de facto signal of trust in B2B software. Enterprise procurement teams demand it, sales teams race to get it, and once a vendor hands it over, everyone breathes a little easier and moves on. When an independent auditor reviews a company’s security controls and signs off, the implicit message is that there’s no further need to dig deeper.

At least that was the case.

That implicit trust is now under serious scrutiny following allegations against Delve, the Y Combinator-backed compliance startup that raised $32 million at a $300 million valuation. A group calling itself DeepDelver, made up of anonymous, former customers who compared notes, published a detailed investigation based on a leaked internal spreadsheet, alleging that Delve systematically fabricated audit reports for hundreds of clients.

The allegations are significant. According to the investigation, 493 of 494 SOC 2 reports examined were nearly identical, containing the same paragraphs, grammatical errors and nonsensical descriptions, with only the company name and logo changed. The group also accused the auditor of including pre-written conclusions and test procedures in draft reports before clients had submitted any evidence and allowing trust pages to go live the moment clients first logged in. Board meeting minutes were allegedly fabricated. Risk assessments reportedly came pre-filled with default entries.

Delve has denied the allegations, and it is important to note that they remain unproven. But the questions they raise about the SOC 2 framework itself deserve serious attention regardless of how the Delve matter is ultimately resolved.

How did we get here

Delve didn’t invent the underlying problem. What these allegations suggest is that it may have industrialized it.

The original SOC 2 model required an independent, licensed auditor to review a company’s security controls, examine evidence and issue an opinion. The process was expensive and slow because doing it right takes time and genuine expertise. A proper SOC 2 engagement required auditors to spend meaningful time with the team, going through controls in granular detail. That thoroughness was the point. When a vendor showed up with a SOC 2, it meant something.

Over time, the compliance automation market grew rapidly, with new entrants promising to compress months of work into days and significant costs into a fraction of the original investment. For businesses trying to unlock enterprise deals gated by SOC 2 requirements, the appeal was obvious.

The risk was always that when speed and cost become the primary selling points of a compliance product, something could give. 

Data Privacy

What Oracle’s TikTok Dance Can Teach Everyone About Good Data Governance

by Rita W. Garry

February 4, 2026

Read moreDetails

The stakes are not abstract

For most software companies, the consequences of a fraudulent compliance report would be primarily legal and reputational. For companies handling protected health information, the exposure is far more serious. HIPAA violations can result in significant mandatory penalties and potential criminal liability.

The downstream implications of the Delve situation extend well beyond the company itself. At least one public company reportedly marketed “SOC 2 Type II audited” status in SEC filings based on a Delve report. Enterprise customers, including some large technology companies, appear to have accepted Delve-issued compliance documentation as part of their vendor review process.

Every enterprise security team that accepted a Delve report as evidence of a vendor’s security posture may now have a gap in its audit trail, and the document they relied on could, in the end, be worthless.

The right question was never ‘Do you have a SOC 2?’

However the Delve situation plays out, these discussions highlight something the vendor risk management industry has known for some time but has been slow to act on: A document is only as reliable as the process behind it.

The SOC 2 model is built on a chain of trust. The vendor trusts the auditor, the enterprise trusts the report, and the whole system rests on the assumption that the audit actually happened. The allegations against Delve didn’t invent a flaw in the SOC 2 framework. Instead, they revealed how thin that chain of trust can become under pressure.

The question “Does this vendor have a SOC 2?” was always the wrong question. The right question is “Does this vendor actually do what their SOC 2 claims?” Those are not the same question, and the answer to the first tells you almost nothing about the answer to the second.

A SOC 2 Type II report was never meant to be a security guarantee. It is confirmation that specific, scoped controls operated effectively during a defined observation window. When that attestation is generated before any evidence is gathered, it no longer provides evidence of anything.

What the industry needs to reckon with

The vendor risk community’s immediate response, requiring companies that received Delve-issued documentation to seek independent verification before relying on those reports in risk decisions, is the correct protocol for this specific crisis. But it doesn’t resolve the larger question the situation raises.

The deeper issue is that the compliance industry built its trust infrastructure on a foundation of documents and point-in-time attestations. The Delve allegations are an extreme example of what can go wrong, but the underlying vulnerability — that is, the gap between what a document says and what is actually happening inside a vendor’s environment — predates Delve and will outlast it.

Rebuilding trust in vendor risk management means grappling with that gap honestly. It means asking harder questions about what attestations actually measure, how observation windows are defined and whether the evidence behind a certification reflects current operational reality, or is it just a snapshot taken under controlled conditions months ago.

The post SOC 2 Is Broken. The Delve Scandal Is Showing Us How. appeared first on Corporate Compliance Insights.