<?xml version="1.0" encoding="UTF-8" standalone="no"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" version="2.0">

<channel>
	<title>Corporate Compliance Insights</title>
	<atom:link href="https://www.corporatecomplianceinsights.com/feed/" rel="self" type="application/rss+xml"/>
	<link>https://www.corporatecomplianceinsights.com/</link>
	<description>The Web's Premier News Source for Compliance, Ethics &amp; Risk</description>
	<lastBuildDate>Fri, 22 May 2026 13:52:26 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.corporatecomplianceinsights.com/wp-content/uploads/2025/11/cropped-Favicon-32x32.png</url>
	<title>Corporate Compliance Insights</title>
	<link>https://www.corporatecomplianceinsights.com/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<xhtml:meta content="noindex" name="robots" xmlns:xhtml="http://www.w3.org/1999/xhtml"/><item>
		<title>GRC News Roundup: Fenergo, Bloomberg, Sovos &amp; More</title>
		<link>https://www.corporatecomplianceinsights.com/grc-news-roundup-fenergo-bloomberg-sovos-more/</link>
		
		<dc:creator><![CDATA[Corporate Compliance Insights]]></dc:creator>
		<pubDate>Fri, 22 May 2026 11:12:00 +0000</pubDate>
				<category><![CDATA[GRC Vendor News]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66878</guid>

					<description><![CDATA[<p>GRC technology is one of the fastest-growing segments in enterprise software, and compliance professions are rapidly evolving. Here’s the latest from across the industry.  New products &#38; platforms Fenergo, client lifecycle management software provider, launched a digital subscriptions integration in its Investor Portal, enabling buyside firms to digitalize and connect the end-to-end investor onboarding and [&#8230;]</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/grc-news-roundup-fenergo-bloomberg-sovos-more/">GRC News Roundup: Fenergo, Bloomberg, Sovos &#038; More</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h6><em><strong>GRC technology is one of the fastest-growing segments in enterprise software, and compliance professions are rapidly evolving. Here’s the latest from across the industry. </strong></em></h6>
<h2><span style="font-weight: 400;">New products &amp; platforms</span></h2>
<p><a href="https://www.fenergo.com/" target="_blank" rel="noopener"><b>Fenergo</b></a><span style="font-weight: 400;">, a client lifecycle management software provider, launched a digital subscriptions integration in its Investor Portal, enabling </span><span style="font-weight: 400;">buyside firms to digitalize and connect the end-to-end investor onboarding and fund subscription process, eliminating long-standing inefficiencies and fragmentation.</span></p>
<p><a href="https://professional.bloomberg.com/products/compliance/vault/" target="_blank" rel="noopener"><b>Bloomberg</b></a><span style="font-weight: 400;"> released BSpeech, </span><span style="font-weight: 400;">a voice transcription service for more than 50 languages, as part of Bloomberg Vault, enabling systematic surveillance, search and analysis of voice communications at scale.</span></p>
<p><a href="https://complyadvantage.com/" target="_blank" rel="noopener"><b>ComplyAdvantage</b></a><span style="font-weight: 400;">, a financial crime, risk, data and detection company, launched payment screening on its Mesh AI platform, improving the platform’s ability to intercept suspicious payments, review them and remain compliant against global sanctions risk.</span></p>
<p><a href="https://mco.mycomplianceoffice.com/" target="_blank" rel="noopener"><b>MyComplianceOffice</b></a><span style="font-weight: 400;">, a provider of compliance technology, unveiled platform enhancements across insider information management, trade surveillance and employee communications designed to help financial services firms simplify compliance.</span></p>
<h2><span style="font-weight: 400;">Other news</span></h2>
<p><a href="https://sovos.com/" target="_blank" rel="noopener"><b>Sovos</b></a><span style="font-weight: 400;">, a tax compliance provider, announced it has opened a new Asia-Pacific hub in Mumbai, India.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FaceUp Raises $5M Series A Round</title>
		<link>https://www.corporatecomplianceinsights.com/faceup-raises-5m-series-a-round/</link>
		
		<dc:creator><![CDATA[Corporate Compliance Insights]]></dc:creator>
		<pubDate>Fri, 22 May 2026 11:09:06 +0000</pubDate>
				<category><![CDATA[GRC Vendor News]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66876</guid>

					<description><![CDATA[<p>Ethics reporting and compliance platform FaceUp has raised $5 million in Series A funding led by Fil Rouge Capital with participation from JIC Ventures. With the latest fundraising, FaceUp has earned about $9 million since it was founded in 2020. Funding in the most recent round was also provided by Venture to Venture Fund and [&#8230;]</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/faceup-raises-5m-series-a-round/">FaceUp Raises $5M Series A Round</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">Ethics reporting and compliance platform FaceUp has raised $5 million in Series A funding led by Fil Rouge Capital with participation from JIC Ventures. With the latest fundraising, FaceUp has earned about $9 million since it was founded in 2020.</span></i></p>
</div>
<p><span style="font-weight: 400;">Funding in the most recent round was also provided by Venture to Venture Fund and Gi21 Capital, according to a news release. Returning investors included Tilia Impact Ventures and Reflex Capital as well as angel investors and employees. The resources will go toward building </span><a href="https://www.faceup.com/en" target="_blank" rel="noopener"><b>FaceUp</b></a><span style="font-weight: 400;">’s all-in-one ethics and compliance suite, gaining customers and partners and expanding reach, particularly in the US and UAE, the company said.</span></p>
<p><span style="font-weight: 400;">“I’m really excited about this growth investment, as it will allow us to move even faster toward our vision of becoming the leading solution for ethical and compliant workplaces worldwide,” Jan Slama, co-founder and CEO of FaceUp, said in the news release. “It will help us not only increase our ARR, expand our team and boost our product, but, most importantly, support even more organizations around the world in fostering trust, ethics, safety and integrity, while protecting their reputation, employees, resources and culture.”</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Global Operators Need to Take a Hard Look at Cuba Sanctions</title>
		<link>https://www.corporatecomplianceinsights.com/global-operators-need-take-hard-look-us-cuba-sanctions/</link>
		
		<dc:creator><![CDATA[Kathy Nugent]]></dc:creator>
		<pubDate>Fri, 22 May 2026 11:00:30 +0000</pubDate>
				<category><![CDATA[Risk]]></category>
		<category><![CDATA[Office of Foreign Assets Control (OFAC)]]></category>
		<category><![CDATA[Sanctions]]></category>
		<category><![CDATA[Trade Compliance]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66867</guid>

					<description><![CDATA[<p>Access to American banks and financial structures is at risk if companies cross the sanctions</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/global-operators-need-take-hard-look-us-cuba-sanctions/">Global Operators Need to Take a Hard Look at Cuba Sanctions</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">New US sanctions on Cuba may look like another step in the countries’ fraught history. As Kathy Nugent of LexisNexis Risk Solutions explains, global operators can’t simply adhere to domestic laws, but must assess these sanctions and ask — what are we willing to risk?</span></i></p>
</div>
<p><span style="font-weight: 400;">On May 1, President Donald Trump issued </span><a href="https://www.whitehouse.gov/presidential-actions/2026/05/imposing-sanctions-on-those-responsible-for-repression-in-cuba-and-for-threats-to-united-states-national-security-and-foreign-policy/" target="_blank" rel="noopener"><b>Executive Order 14404</b></a><span style="font-weight: 400;">, introducing new Cuba-related authorities under the International Emergency Economic Powers Act (IEEPA) and expanding measures tied to the national emergency declared earlier this year in </span><a href="https://www.whitehouse.gov/presidential-actions/2026/01/addressing-threats-to-the-united-states-by-the-government-of-cuba/" target="_blank" rel="noopener"><b>Executive Order 14380</b></a><span style="font-weight: 400;">. </span></p>
<p><span style="font-weight: 400;">At first glance, this may appear to be another incremental step in a long-established Cuba policy. In practice, it materially raises the stakes for non-US firms and </span><a href="https://www.corporatecomplianceinsights.com/financial-services-news/" target="_blank" rel="noopener"><b>financial institutions</b></a><span style="font-weight: 400;"> that operate under different regulatory regimes but still do business with or depend on access to the US or its financial ecosystem. </span></p>
<p><span style="font-weight: 400;">This is not just a Cuba story. It is a story about jurisdictional divergence, enforcement reach and the growing conflict-of-laws challenges facing global organizations. </span></p>
<h2><span style="font-weight: 400;">What the executive order actually does and why it is different </span></h2>
<p><span style="font-weight: 400;">The order complements </span><a href="https://ofac.treasury.gov/recent-actions/20260501_33" target="_blank" rel="noopener"><b>OFAC</b></a><span style="font-weight: 400;">’s long-standing Cuban assets control regulations with a broad IEEPA-based designation framework targeting certain foreign persons connected to Cuba. It authorizes the blocking of property and interests in property of foreign persons determined by the secretary of state or the secretary of the Treasury to be operating in or supporting key sectors of the Cuban economy, including energy, defense, metals and mining, financial services and security. </span></p>
<p><span style="font-weight: 400;">It also permits action against current or former leaders or officials from the government of Cuba, as well as individuals and entities that materially assist, sponsor or otherwise support the government of Cuba or persons blocked under the order. This introduces an important nuance. The order does not only capture support to already designated parties but extends to support for the Cuban government, defined broadly to include its agencies, instrumentalities, controlled entities and persons acting for or on its behalf. </span></p>
<p><span style="font-weight: 400;">Crucially, the order introduces secondary exposure for foreign financial institutions that conduct or facilitate significant transactions for or on behalf of persons blocked under the order. The Treasury may prohibit or impose strict conditions on the opening or maintenance of US correspondent or payable-through accounts and may also impose full blocking measures on the foreign financial institution itself. </span></p>
<p><span style="font-weight: 400;">In practical terms, conduct that occurs entirely outside the US can now create designation </span><a href="https://www.corporatecomplianceinsights.com/risk-news/" target="_blank" rel="noopener"><b>risk</b></a><span style="font-weight: 400;"> for foreign persons and secondary exposure for foreign financial institutions, including potential restrictions on access to American financial infrastructure. </span></p>
<h2><span style="font-weight: 400;">Diverging regulatory regimes </span></h2>
<p><span style="font-weight: 400;">This is where challenges become more pronounced, particularly for close American allies and other major economies that may face the consequences of the extraterritorial application of these measures. </span></p>
<p><span style="font-weight: 400;">Jurisdictions such as Canada, the EU and the UK maintain frameworks that do not mirror US restrictions on Cuba. In some cases, their laws explicitly permit commercial activity with Cuba that American law restricts or prohibits. </span></p>
<p><span style="font-weight: 400;">That divergence is not new. What is new is how clearly the pressure point is defined: access to the US financial system. </span></p>
<p><span style="font-weight: 400;">The executive order allows the Treasury Department to target foreign banks and intermediaries even where the underlying Cuba-related activity may be lawful under local law and without a clear jurisdictional nexus to the US, as long as the activity involves persons blocked under the order or meets the new designation criteria. This creates a familiar but increasingly acute dilemma for global firms: local legality vs. exposure to US measures. </span></p>
<h2><span style="font-weight: 400;">Why Canada, the EU and the UK should pay attention now </span></h2>
<p><span style="font-weight: 400;">For firms headquartered in these jurisdictions, particularly financial institutions, the order raises operational and strategic questions beyond purely legal considerations. </span></p>
<p><span style="font-weight: 400;">Access to US dollar clearing and correspondent </span><a href="https://www.corporatecomplianceinsights.com/tag/banks/" target="_blank" rel="noopener"><b>banking</b></a><span style="font-weight: 400;"> remains a strategic dependency. Many multinational organizations expect seamless dollar-based services even if only part of their business touches the US. At the same time, enforcement activity has increasingly focused on facilitation, indirect support and financial intermediation rather than purely direct dealings. </span></p>
<p><span style="font-weight: 400;">The order explicitly extends exposure to entities that facilitate transactions for restricted parties, a concept authorities have historically interpreted broadly. </span><a href="https://www.corporatecomplianceinsights.com/compliance-news/" target="_blank" rel="noopener"><b>Compliance</b></a><span style="font-weight: 400;"> frameworks built solely around domestic obligations are therefore no longer sufficient for institutions with exposure to the US market. </span></p>
<p><span style="font-weight: 400;">Many segments of the financial sector are affected beyond banks. The order includes a broad definition of foreign financial institutions, from banks and money service businesses to dealers in precious metals, stones or jewels and everything in between. </span></p>
<h2><span style="font-weight: 400;">The compliance shift this accelerates </span></h2>
<p><span style="font-weight: 400;">This executive order reinforces trends financial crime compliance leaders have been navigating for years. Regulatory risk is not confined by geography. Exposure flows through correspondent networks, payment rails, trade finance, insurance or securities activities. Being compliant under local law does not insulate institutions from American enforcement risk or broader exposure. For a non-US actor, the relevant risks go beyond civil enforcement. They may include designation risk involving correspondent banking restrictions or blocking measures. </span></p>
<p><span style="font-weight: 400;">Financial institutions continue to serve as the primary enforcement leverage. Access to liquidity and financial infrastructure remains the central pressure point. </span></p>
<p><span style="font-weight: 400;">Risk assessments need to be scenario-based rather than purely rules-based. Institutions should be asking not only whether an activity is permissible today but what happens if a counterparty, sector or jurisdiction becomes tomorrow’s enforcement focus. </span></p>
<p><span style="font-weight: 400;">Going forward, it is crucial for organizations to monitor new Cuba-related designations and assess ownership and control links to detect indirect exposure throughout business relationships. This is particularly important because the order targets not only listed persons but also support to the government of Cuba and dealings that may be interpreted as material assistance. </span></p>
<h2><span style="font-weight: 400;">What this means in practice </span></h2>
<p><span style="font-weight: 400;">For institutions operating across jurisdictions, this does not necessarily mean adding layers of controls. It means aligning risk appetite with geopolitical reality. </span></p>
<p><span style="font-weight: 400;">Country risk assessments should explicitly consider foreign exposure, not only domestic requirements. Customer due diligence should extend beyond direct ownership to include sectoral exposure and facilitation risk. Transaction monitoring and screening programs should be capable of identifying indirect Cuba exposure, particularly through trade-related activity and intermediated payments. </span><a href="https://www.corporatecomplianceinsights.com/governance-news/" target="_blank" rel="noopener"><b>Governance</b></a><span style="font-weight: 400;"> models must allow for rapid escalation when US policy shifts, even if local regulators have not yet acted. </span></p>
<p><span style="font-weight: 400;">For foreign financial institutions, exposure to these measures should be assessed through three layers of analysis. First, is the activity lawful under domestic law? Second, does the activity have a nexus to the United States, requiring strict compliance with applicable rules? Third, even without a direct link, could the activity expose the institution to secondary measures such as asset freezes or correspondent account restrictions? </span></p>
<p><span style="font-weight: 400;">That third question is where the practical impact of the order is likely to be felt most acutely. </span></p>
<h2><span style="font-weight: 400;">How allies push back </span></h2>
<p><span style="font-weight: 400;">Canada, the EU and the UK are not passive in the face of extraterritorial measures. </span></p>
<p><span style="font-weight: 400;">The EU relies on its </span><a href="https://finance.ec.europa.eu/eu-and-world/open-strategic-autonomy/extraterritoriality-blocking-statute_en" target="_blank" rel="noopener"><b>blocking statute</b></a><span style="font-weight: 400;">, a regulation originally introduced in response to US restrictions on Cuba. It prohibits EU persons from complying with certain foreign measures, nullifies related foreign judgments within the EU and allows EU companies to seek damages caused by their application. Limited exemptions exist but only where noncompliance would seriously damage EU or national interests. </span></p>
<p><span style="font-weight: 400;">Canada has a parallel framework in the </span><a href="https://laws-lois.justice.gc.ca/eng/acts/f-29/index.html" target="_blank" rel="noopener"><b>Foreign Extraterritorial Measures Act</b></a><span style="font-weight: 400;">, which allows the government to block the enforcement of certain foreign measures in Canada and restrict compliance by Canadian entities. Like the EU statute, it is sovereignty driven and explicitly designed to counter the extraterritorial reach of American actions, particularly those related to Cuba. </span></p>
<p><span style="font-weight: 400;">The UK retained similar protections post-Brexit, preserving the principle that foreign rules should not automatically dictate lawful activity within UK jurisdiction. </span></p>
<p><span style="font-weight: 400;">Beyond the Western Hemisphere, other major economies are also developing legal defenses against the extraterritorial effects of certain US measures. Following publication of the order, China announced implementation of its blocking statute for the first time in response to separate actions against Chinese companies imposed under Iran-related authorities. India has also reportedly been exploring a similar mechanism. </span></p>
<p><span style="font-weight: 400;">These approaches matter legally and politically. They establish formal resistance, preserve policy autonomy and provide a basis for domestic remedies. They also deepen regulatory fragmentation and introduce complex compliance challenges. </span></p>
<p><span style="font-weight: 400;">In practice, blocking statutes do not restore access to US correspondent accounts or US dollar liquidity, nor do they unblock assets. They can prevent legal compulsion but cannot neutralize economic dependence. For institutions with meaningful exposure to the US, the ultimate risk is not whether compliance is lawful locally but whether access to the system can be lost. That imbalance explains why firms continue to navigate between conflicting legal obligations even when protective frameworks exist. </span></p>
<h2><span style="font-weight: 400;">The bigger signal </span></h2>
<p><span style="font-weight: 400;">The Cuba executive order sends a broader message to global markets. Regulatory divergence is tolerated until it is not. </span></p>
<p><span style="font-weight: 400;">When national security considerations intensify, exposure often expands, not only against primary targets but also against those who enable access, liquidity or legitimacy. For global operators, this does not require alignment with American foreign policy. It does require a clear-eyed </span><a href="https://www.corporatecomplianceinsights.com/tag/risk-assessment/" target="_blank" rel="noopener"><b>assessment</b></a><span style="font-weight: 400;"> of exposure to these measures. </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Surveillance Pricing: You’re Watching Consumers — and Government Is Watching You</title>
		<link>https://www.corporatecomplianceinsights.com/surveillance-pricing-government-watching/</link>
		
		<dc:creator><![CDATA[Kwamina Williford, Christopher J. Armstrong, Ashley Joyner Chavous and Benjamin Genn]]></dc:creator>
		<pubDate>Fri, 22 May 2026 11:00:01 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Artificial Intelligence (AI)]]></category>
		<category><![CDATA[Data Governance]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66871</guid>

					<description><![CDATA[<p>Practices that rely on consumer data or opaque pricing mechanics are increasingly evaluated through a consumer protection and data governance lens</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/surveillance-pricing-government-watching/">Surveillance Pricing: You’re Watching Consumers — and Government Is Watching You</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">Surveillance pricing, which uses consumer data to drive prices, has caught the eye of government officials, Kwamina Williford, Christopher J. Armstrong, Ashley Joyner Chavous and Benjamin Genn of Holland &amp; Knight write. Companies must ensure their practices are transparent and defensible. Such efforts may not prevent scrutiny but will help prepare for a pricing fight.</span></i></p>
</div>
<p><span style="font-weight: 400;">Federal and state governments are escalating scrutiny of &#8220;surveillance pricing&#8221; and </span><a href="https://www.corporatecomplianceinsights.com/tag/artificial-intelligence/" target="_blank" rel="noopener"><b>AI</b></a><span style="font-weight: 400;">-enabled pricing practices, particularly where pricing relies on </span><a href="https://www.corporatecomplianceinsights.com/data-privacy-news/" target="_blank" rel="noopener"><b>consumer data</b></a><span style="font-weight: 400;">, opaque algorithms or insufficient price transparency. Although traditional dynamic pricing based on market conditions remains lawful, regulators are increasingly focused on personalized pricing tied to consumer data, price experimentation and how prices and fees are disclosed to consumers.</span></p>
<p><span style="font-weight: 400;">Against this backdrop, continued and increasingly aggressive government scrutiny is expected — from the FTC and Congress, as well as </span><a href="https://www.corporatecomplianceinsights.com/state-increasingly-taking-lead-antitrust-enforcement/" target="_blank" rel="noopener"><b>state attorneys general</b></a><span style="font-weight: 400;"> — of pricing practices that rely on consumer data, algorithmic decision‑making or shadowy pricing mechanics, even where companies maintain that prices are driven by traditional market factors rather than individualized profiling.</span></p>
<p><span style="font-weight: 400;">For companies that utilize variable pricing, ticketing fees, loyalty programs and algorithmic revenue management, this government activity creates near‑term </span><a href="https://www.corporatecomplianceinsights.com/compliance-news/" target="_blank" rel="noopener"><b>compliance risk</b></a><span style="font-weight: 400;"> and controversy, even absent attempts at statutory or regulatory limitations.</span></p>
<p><span style="font-weight: 400;">Federal regulators define &#8220;surveillance pricing&#8221; as pricing practices that use detailed consumer personal data — including location, browsing history, demographics or behavioral inferences — to set individualized prices or offers for the same product or service. The FTC has emphasized that advances in data collection and machine learning have made such pricing scalable and difficult for consumers to detect.</span></p>
<p><span style="font-weight: 400;">Critically, regulators distinguish dynamic pricing, which responds to market conditions (inventory, demand, seasonality), from personalized or surveillance pricing, which responds to characteristics of the individual consumer rather than the market as a whole. This distinction is increasingly central to enforcement, legislation and congressional oversight.</span></p>
<h2><span style="font-weight: 400;">The FTC’s enforcement and surveillance pricing work</span></h2>
<p><span style="font-weight: 400;">In 2024, the FTC </span><a href="https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-surveillance-pricing-study-indicates-wide-range-personal-data-used-set-individualized-consumer" target="_blank" rel="noopener"><b>launched a Section 6(b) study </b></a><span style="font-weight: 400;">to examine how companies and intermediaries use consumer data to implement surveillance pricing and algorithmic decision‑making. The FTC continues to maintain public resources describing this work and its consumer protection rationale.</span></p>
<p><span style="font-weight: 400;">In testimony before Congress in April, FTC leadership confirmed that staff work on surveillance pricing continues and that the agency is assessing whether additional disclosures may be required when pricing is highly personalized or driven by consumer data.</span></p>
<p><span style="font-weight: 400;">The commission has also paired its surveillance pricing focus with aggressive enforcement on price transparency, particularly in live event ticketing. The FTC recently announced a settlement with a ticket exchange to resolve allegations that it failed to clearly and conspicuously disclose mandatory fees as required under the FTC Act and the agency&#8217;s rule governing unfair or deceptive fees. The FTC emphasized that total ticket prices must be disclosed upfront and prominently at all stages of the purchase process.</span></p>
<p><span style="font-weight: 400;">The implication is that pricing enforcement </span><a href="https://www.corporatecomplianceinsights.com/risk-news/" target="_blank" rel="noopener"><b>risk</b></a><span style="font-weight: 400;"> is no longer theoretical but an active priority grounded in FTC rule violations and Section 5 authority.</span></p>
<p><span style="font-weight: 400;">Going forward, the FTC is expected to aggressively pursue surveillance pricing and related deceptive pricing theories. Even where companies deny using personal data to set prices, the FTC has signaled that opacity, inconsistent consumer explanations or pricing outcomes that exceed reasonable consumer expectations may independently trigger investigation.</span></p>
<p><span style="font-weight: 400;">In this environment, the FTC is likely to scrutinize not only how pricing systems operate, but also whether consumer‑facing descriptions are accurate, consistent and sufficiently transparent to reflect underlying pricing mechanics.</span></p>
<h2><span style="font-weight: 400;">Congressional AI‑driven pricing investigation</span></h2>
<p><span style="font-weight: 400;">In March, the House Oversight Committee formally launched an </span><a href="https://oversight.house.gov/release/comer-investigates-use-of-artificial-intelligence-to-set-prices-for-consumers/" target="_blank" rel="noopener"><b>investigation into the use of surveillance pricing</b></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">The committee sent letters to major travel and platform companies requesting documentation regarding revenue management algorithms, use of consumer data in pricing, testing and experimentation practices and internal communications describing pricing tools and outcomes. The committee has characterized surveillance pricing as a &#8220;black box&#8221; process in which algorithms infer willingness to pay more and adjust prices accordingly without consumer awareness or meaningful transparency. The investigation reflects a broader shift toward scrutiny of unilateral, data-driven pricing practices, including:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Whether companies distinguish between market-based dynamic pricing and individualized pricing tied to consumer attributes</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How algorithmic pricing tools are tested, governed and monitored</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Whether pricing varies based on location, device or behavioral signals</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How pricing practices are described to consumers</span></li>
</ul>
<p><span style="font-weight: 400;">The inquiry also suggests potential scrutiny of third-party vendors and pricing tools, not just internal systems.</span></p>
<p><span style="font-weight: 400;">Later, on May 11, the House Energy and Commerce Committee ranking member, Rep. Frank Pallone Jr., who is expected to become chairman if Democrats win control of the House in November, launched a new </span><a href="https://pallone.house.gov/media/press-releases/pallone-launches-surveillance-pricing-inquiry" target="_blank" rel="noopener"><b>investigation</b></a><span style="font-weight: 400;"> into the use of surveillance pricing. The ranking member sent an initial round of letters to 25 major grocery and retail companies requesting responses and internal documentation regarding:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Customer data elements used to inform or set prices.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The use of AI to inform or set prices.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Work with third parties to purchase, license or otherwise </span><a href="https://www.corporatecomplianceinsights.com/tag/data-governance/" target="_blank" rel="noopener"><b>acquire data</b></a><span style="font-weight: 400;"> for use in informing or setting prices.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Consumer options to opt out of data collection.</span></li>
</ul>
<p><span style="font-weight: 400;">Even absent immediate legislation, congressional investigations create material risk, including compelled document production, public hearings, reputational exposure and referrals to the FTC, the </span><a href="https://www.corporatecomplianceinsights.com/tag/doj/" target="_blank" rel="noopener"><b>DOJ</b></a><span style="font-weight: 400;"> or state attorneys general. Given bipartisan interest in the issue, this risk will persist regardless of outcomes in the congressional midterm elections.</span></p>
<p><span style="font-weight: 400;">In practice, congressional oversight often serves as an early forcing mechanism, requiring companies to explain and defend pricing practices well before formal enforcement begins. For travel, entertainment, housing, e-commerce and other companies, AI‑assisted pricing in consumer‑facing markets is now a priority oversight issue.</span></p>
<h2><span style="font-weight: 400;">Faster-moving state regulation</span></h2>
<p><span style="font-weight: 400;">State enforcement and legislative activity around surveillance pricing is accelerating and converging on consumer data use and transparency.</span></p>
<p><span style="font-weight: 400;">California is pursuing surveillance pricing through a privacy-enforcement lens, and New York has enacted a law requiring disclosure when personalized algorithmic pricing is used. In addition, Maryland has passed the Protection from Predatory Pricing Act, restricting certain practices and treating violations as deceptive trade practices.</span></p>
<p><span style="font-weight: 400;">Dozens of additional states are considering similar legislation, underscoring a rapidly expanding and fragmented regulatory environment.</span></p>
<h2><span style="font-weight: 400;">AI’s role in heightening enforcement risk</span></h2>
<p><span style="font-weight: 400;">The FTC has emphasized that machine learning and automated experimentation materially change the enforcement landscape by enabling granular consumer segmentation, rapid A/B price testing and optimization processes that are largely invisible to consumers.</span></p>
<p><span style="font-weight: 400;">Congress has echoed these concerns, characterizing AI pricing tools as amplifying the potential for unfair, deceptive or discriminatory outcomes where personalization is not transparent.</span></p>
<p><span style="font-weight: 400;">For companies, AI is now a risk multiplier when used in pricing, merchandising, bundling or fee presentation, particularly where experimentation occurs without consumer disclosure or governance controls.</span></p>
<h2><span style="font-weight: 400;">Practical compliance takeaways for companies</span></h2>
<p><span style="font-weight: 400;">Government activity suggests companies should prioritize:</span></p>
<ol>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Pricing data mapping. Identify whether consumer or device data influences base prices, fees, bundles, upgrades or recommended offers.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Clear separation of pricing models. Distinguish market‑based dynamic pricing from personalized pricing tied to consumer data.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Fee and price transparency audits. Ensure total prices and mandatory fees are clearly disclosed at all stages of the consumer journey, consistent with FTC expectations.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">AI and experimentation </span><a href="https://www.corporatecomplianceinsights.com/governance-news/" target="_blank" rel="noopener"><b>governance</b></a><span style="font-weight: 400;">. Implement appropriate controls for algorithmic pricing tools and A/B testing, including oversight of how models are deployed and evaluated.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Inquiry readiness. Ensure pricing practices can be clearly and consistently explained to regulators and Congress, with alignment across legal, business and communications functions regarding data use, pricing logic and consumer disclosures.</span></li>
</ol>
<p><span style="font-weight: 400;">Companies should approach these steps with an eye toward regulatory scrutiny and practical defensibility, particularly as FTC enforcement and congressional inquiries continue to evolve.</span></p>
<p><i><span style="font-weight: 400;">This article was first </span></i><a href="https://www.hklaw.com/en/insights/publications/2026/04/surveillance-pricing-ai-pricing-tools" target="_blank" rel="noopener"><b><i>published</i></b></a><i><span style="font-weight: 400;"> by Holland &amp; Knight. It is adapted here with permission.</span></i></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Fewer Than Half of Execs Say Their Board Excels</title>
		<link>https://www.corporatecomplianceinsights.com/news-roundup-may-21-2026/</link>
		
		<dc:creator><![CDATA[Staff and Wire Reports]]></dc:creator>
		<pubDate>Thu, 21 May 2026 13:58:08 +0000</pubDate>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[AML]]></category>
		<category><![CDATA[Artificial Intelligence (AI)]]></category>
		<category><![CDATA[Banking]]></category>
		<category><![CDATA[Board of Directors]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66873</guid>

					<description><![CDATA[<p>Companies feel unprepared for fincrime; frontline workers aren’t thinking about compliance under pressure</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/news-roundup-may-21-2026/">Fewer Than Half of Execs Say Their Board Excels</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h6><i><span style="font-weight: 400;">CCI staff share recent surveys, reports and analysis on risk, compliance, governance, infosec and leadership issues. Share details of your survey with us: </span></i><a href="mailto:editor@corporatecomplianceinsights.com"><b><i>editor@corporatecomplianceinsights.com</i></b></a><i><span style="font-weight: 400;">.</span></i></h6>
<h2><span style="font-weight: 400;">71% of execs who attend every board meeting give directors good grades</span></h2>
<p><span style="font-weight: 400;">Fewer than half of executives believe </span><a href="https://www.corporatecomplianceinsights.com/tag/board-of-directors/" target="_blank" rel="noopener"><b>boards of directors</b></a><span style="font-weight: 400;"> do an excellent or even good job, </span><a href="https://www.pwc.com/us/en/services/governance-insights-center/library/board-effectiveness-and-performance-improvement.html" target="_blank" rel="noopener"><b>a survey by PwC and the Conference Board found</b></a><span style="font-weight: 400;">. Only 41% of executives rated their boards’ effectiveness as excellent or good in 2025, according to the survey.</span></p>
<p><span style="font-weight: 400;">The survey took responses from 524 executives, most of whom lead companies with revenues of more than $1 billion across several industries.</span></p>
<p><span style="font-weight: 400;">The good news for boards: The 41% of happy execs was an increase from 35% in 2024, continuing an upward trajectory since 2022.</span></p>
<p><span style="font-weight: 400;">Notably, the percentage of approval increases as the frequency of interaction with boards increases. So executives who attended every board meeting reported a 71% good or excellent rating for the board, while executives who rarely interact with boards were at 17% good or excellent.</span></p>
<p><span style="font-weight: 400;">The top three reasons boards aren’t more effective:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">47% said members serve on too many boards.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">35% said members are too slow to react to emerging </span><a href="https://www.corporatecomplianceinsights.com/tag/board-risk-oversight/" target="_blank" rel="noopener"><b>risks</b></a><span style="font-weight: 400;"> or opportunities.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">34% said members don’t keep pace with digital transformation.</span></li>
</ul>
<h2><span style="font-weight: 400;">About half of companies are ‘very prepared’ for financial crime incidents</span></h2>
<p><span style="font-weight: 400;">Legal, </span><a href="https://www.corporatecomplianceinsights.com/compliance-news/" target="_blank" rel="noopener"><b>compliance</b></a><span style="font-weight: 400;"> and regulatory executives have lost confidence in their companies’ ability to handle financial crime with fewer than half saying they’re “very prepared” for incidents, according to </span><a href="https://www.alixpartners.com/insights/2026-us-risk-survey/" target="_blank" rel="noopener"><b>a survey by AlixPartners</b></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">The consulting firm’s survey solicited answers from 500 executives from </span><a href="https://www.corporatecomplianceinsights.com/financial-services-news/" target="_blank" rel="noopener"><b>financial services</b></a><span style="font-weight: 400;">, technology, healthcare and life sciences, manufacturing and retail, finding that 48% said they were “very prepared” to address fincrime and fraud. They’re also losing faith in their technologies’ ability to prevent such risk, with 36% saying they&#8217;re “very confident” in these technologies. That’s down from 56% in 2025.</span></p>
<p><span style="font-weight: 400;">The survey also found that 63% of executives believe corporate legal disputes will increase this year compared to last year with 47% saying those disputes will be about </span><a href="https://www.corporatecomplianceinsights.com/cybersecurity-news/" target="_blank" rel="noopener"><b>cybersecurity</b></a><span style="font-weight: 400;"> and </span><a href="https://www.corporatecomplianceinsights.com/data-privacy-news/" target="_blank" rel="noopener"><b>data privacy</b></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">Speaking of cybersecurity and data privacy, 65% named cybersecurity and 58% named data privacy as the most concerning potential risk events, significant increases from 2025. About 75% reported their organizations haven’t taken measures to address </span><a href="https://www.corporatecomplianceinsights.com/tag/artificial-intelligence/" target="_blank" rel="noopener"><b>AI</b></a><span style="font-weight: 400;">-powered cyberattacks. </span></p>
<p><span style="font-weight: 400;">Other key findings include:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">80% said the fragmented AI regulatory landscape puts their organizations at risk.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">65% said they don’t feel very prepared for new US sanctions and geopolitical and trade effects.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">68% said they aren’t very prepared for </span><a href="https://www.corporatecomplianceinsights.com/tag/supply-chain/" target="_blank" rel="noopener"><b>supply chain</b></a><span style="font-weight: 400;"> disruptions, up from 59% in 2025.</span></li>
</ul>
<h2><span style="font-weight: 400;">12% of frontline managers say compliance is top of mind in a crisis</span></h2>
<p><span style="font-weight: 400;">Just over 10% of frontline managers are looking to avoid compliance or policy issues when making calls under pressure, according to a </span><a href="https://www.dayforce.com/resources/adaptive-frontline-workforce-research" target="_blank" rel="noopener"><b>survey from</b> <b>Dayforce</b></a><span style="font-weight: 400;">. The study included almost 5,700 adult respondents who work in frontline organizations with at least 100 employees across large English-speaking countries.</span></p>
<p><span style="font-weight: 400;">The survey by the HR software provider found 12% of frontline managers said avoiding compliance or policy breaches is their top priority when they have to make decisions under pressure. At the same time, 67% of executives and managers acknowledge everyday shift-level decisions create compliance risk.</span></p>
<p><span style="font-weight: 400;">Disruptions for frontline businesses are causing inefficiencies, the survey found, with 65% reporting shift-level problems affecting performance. Of the frontline manager respondents, 42% said these issues were driving overtime. </span></p>
<p><span style="font-weight: 400;">Almost three-quarters of frontline workers said they rely on workarounds on shifts and 90% reported they had to find ways to fill open shifts themselves. And the burden is taking a toll on workers with 89% saying shift issues affect their </span><a href="https://www.corporatecomplianceinsights.com/well-being/" target="_blank" rel="noopener"><b>well-being</b></a><span style="font-weight: 400;">, and 71% having considered leaving their job as a result.</span></p>
<h2><span style="font-weight: 400;">90% of UK banking customers would drop institution over AML failures</span></h2>
<p><span style="font-weight: 400;">Almost 90% of UK customers said they would abandon their </span><a href="https://www.corporatecomplianceinsights.com/tag/banks/" target="_blank" rel="noopener"><b>bank</b></a><span style="font-weight: 400;"> over failures to prevent money laundering or terrorist financing, </span><a href="https://thetaray.com/resources/the-thetaray-uk-banking-fintech-trust-report-2026/" target="_blank" rel="noopener"><b>a survey by ThetaRay found</b></a><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">The fintech company interviewed 1,023 UK-based respondents, concluding that 88% would drop their bank if such financial malfeasance was discovered, while 87% would discourage others from banking with institutions involved in such activities. </span></p>
<p><span style="font-weight: 400;">About 80% of UK consumers rank </span><a href="https://www.corporatecomplianceinsights.com/tag/aml/" target="_blank" rel="noopener"><b>AML</b></a><span style="font-weight: 400;"> effectiveness as a top priority when selecting a new provider. But those numbers are mirrored in UK bank customers’ faith, with 88% saying they trust their banks.</span></p>
<p><span style="font-weight: 400;">About 70% of respondents said speed and clarity of digital onboarding directly dictate whether they complete an application or abandon the process entirely. However, the report also revealed that 96% demand “clear explanations” of onboarding requirements and security-related delay.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SOC 2 Is Broken. The Delve Scandal Is Showing Us How.</title>
		<link>https://www.corporatecomplianceinsights.com/soc-2-broken-delve-scandal-shows/</link>
		
		<dc:creator><![CDATA[Clarence Chio]]></dc:creator>
		<pubDate>Thu, 21 May 2026 11:02:16 +0000</pubDate>
				<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Data Governance]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66866</guid>

					<description><![CDATA[<p>Report published by the DeepDelver group shows just how thin the SOC 2 chain of trust can become under pressure</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/soc-2-broken-delve-scandal-shows/">SOC 2 Is Broken. The Delve Scandal Is Showing Us How.</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">A positive SOC 2 report means an organization has the security controls in place to work with, right? Recent allegations that SOC 2 auditor Delve faked compliance reports reveal the gap between what a document says and what is actually happening inside a vendor&#8217;s environment, argues Clarence Chio, CEO of Coverbase.</span></i></p>
</div>
<p><span style="font-weight: 400;">For years, the SOC 2 report has been the </span><i><span style="font-weight: 400;">de facto</span></i><span style="font-weight: 400;"> signal of trust in B2B software. Enterprise procurement teams demand it, sales teams race to get it, and once a vendor hands it over, everyone breathes a little easier and moves on. When an independent auditor reviews a company&#8217;s security controls and signs off, the implicit message is that there&#8217;s no further need to dig deeper.</span></p>
<p><span style="font-weight: 400;">At least that was the case.</span></p>
<p><span style="font-weight: 400;">That implicit trust is now under serious scrutiny following allegations against Delve, the Y Combinator-backed </span><a href="https://www.corporatecomplianceinsights.com/compliance-news/" target="_blank" rel="noopener"><b>compliance</b></a><span style="font-weight: 400;"> startup that raised $32 million at a $300 million valuation. A group calling itself DeepDelver, made up of anonymous former customers who compared notes, </span><a href="https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service" target="_blank" rel="noopener"><b>published a detailed investigation</b></a><span style="font-weight: 400;"> based on a leaked internal spreadsheet, alleging that Delve systematically fabricated </span><a href="https://www.corporatecomplianceinsights.com/internal-audit-news/" target="_blank" rel="noopener"><b>audit</b></a><span style="font-weight: 400;"> reports for hundreds of clients.</span></p>
<p><span style="font-weight: 400;">The allegations are significant. According to the investigation, 493 of 494 SOC 2 reports examined were nearly identical, containing the same paragraphs, grammatical errors and nonsensical descriptions, with only the company name and logo changed. The group also accused the auditor of including pre-written conclusions and test procedures in draft reports before clients had submitted any evidence and allowing trust pages to go live the moment clients first logged in. </span><a href="https://www.corporatecomplianceinsights.com/tag/board-of-directors/" target="_blank" rel="noopener"><b>Board</b></a><span style="font-weight: 400;"> meeting minutes were allegedly fabricated. </span><a href="https://www.corporatecomplianceinsights.com/risk-news/" target="_blank" rel="noopener"><b>Risk</b></a><span style="font-weight: 400;"> assessments reportedly came pre-filled with default entries.</span></p>
<p><span style="font-weight: 400;">Delve has denied the allegations, and it is important to note that they remain unproven. But the questions they raise about the SOC 2 framework itself deserve serious attention regardless of how the Delve matter is ultimately resolved.</span></p>
<h2><span style="font-weight: 400;">How did we get here?</span></h2>
<p><span style="font-weight: 400;">Delve didn&#8217;t invent the underlying problem. What these allegations suggest is that it may have industrialized it.</span></p>
<p><span style="font-weight: 400;">The original SOC 2 model required an independent, licensed auditor to review a company&#8217;s security controls, examine evidence and issue an opinion. The process was expensive and slow because doing it right takes time and genuine expertise. A proper SOC 2 engagement required auditors to spend meaningful time with the team, going through controls in granular detail. That thoroughness was the point. When a vendor showed up with a SOC 2, it meant something.</span></p>
<p><span style="font-weight: 400;">Over time, the compliance automation market grew rapidly, with new entrants promising to compress months of work into days and significant costs into a fraction of the original investment. For businesses trying to unlock enterprise deals gated by SOC 2 requirements, the appeal was obvious.</span></p>
<p><span style="font-weight: 400;">The risk was always that when speed and cost become the primary selling points of a compliance product, something could give. </span></p>
<h2><span style="font-weight: 400;">The stakes are not abstract</span></h2>
<p><span style="font-weight: 400;">For most software companies, the consequences of a fraudulent compliance report would be primarily legal and reputational. For companies handling protected health information, the exposure is far more serious. HIPAA violations can result in significant mandatory penalties and potential criminal liability.</span></p>
<p><span style="font-weight: 400;">The downstream implications of the Delve situation extend well beyond the company itself. At least one public company reportedly marketed &#8220;SOC 2 Type II audited&#8221; status in </span><a href="https://www.corporatecomplianceinsights.com/tag/sec/" target="_blank" rel="noopener"><b>SEC</b></a><span style="font-weight: 400;"> filings based on a Delve report. Enterprise customers, including some large technology companies, appear to have accepted Delve-issued compliance documentation as part of their vendor review process.</span></p>
<p><span style="font-weight: 400;">Every enterprise security team that accepted a Delve report as evidence of a vendor&#8217;s security posture may now have a gap in its audit trail, and the document they relied on could, in the end, be worthless.</span></p>
<h2><span style="font-weight: 400;">The right question was never ‘Do you have a SOC 2?’</span></h2>
<p><span style="font-weight: 400;">However the Delve situation plays out, these discussions highlight something the vendor risk management industry has known for some time but has been slow to act on: A document is only as reliable as the process behind it.</span></p>
<p><span style="font-weight: 400;">The SOC 2 model is built on a chain of trust. The vendor trusts the auditor, the enterprise trusts the report, and the whole system rests on the assumption that the audit actually happened. The allegations against Delve didn&#8217;t invent a flaw in the SOC 2 framework. Instead, they revealed how thin that chain of trust can become under pressure.</span></p>
<p><span style="font-weight: 400;">The question &#8220;Does this vendor have a SOC 2?&#8221; was always the wrong question. The right question is &#8220;Does this vendor actually do what their SOC 2 claims?&#8221; Those are not the same question, and the answer to the first tells you almost nothing about the answer to the second.</span></p>
<p><span style="font-weight: 400;">A SOC 2 Type II report was never meant to be a security guarantee. It is confirmation that specific, scoped controls operated effectively during a defined observation window. When that attestation is generated before any evidence is gathered, it no longer provides evidence of anything.</span></p>
<h2><span style="font-weight: 400;">What the industry needs to reckon with</span></h2>
<p><span style="font-weight: 400;">The vendor risk community&#8217;s immediate response, requiring companies that received Delve-issued documentation to seek independent verification before relying on those reports in risk decisions, is the correct protocol for this specific crisis. But it doesn&#8217;t resolve the larger question the situation raises.</span></p>
<p><span style="font-weight: 400;">The deeper issue is that the compliance industry built its trust infrastructure on a foundation of documents and point-in-time attestations. The Delve allegations are an extreme example of what can go wrong, but the underlying vulnerability — that is, the gap between what a document says and what is actually happening inside a vendor&#8217;s environment — predates Delve and will outlast it.</span></p>
<p><span style="font-weight: 400;">Rebuilding trust in vendor risk management means grappling with that gap honestly. It means asking harder questions about what attestations actually measure, how observation windows are defined and whether the evidence behind a certification reflects current operational reality or is just a snapshot taken under controlled conditions months ago.</span></p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/soc-2-broken-delve-scandal-shows/">SOC 2 Is Broken. The Delve Scandal Is Showing Us How.</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Compliant But Unprovable: Why Controls That Work Fail Examinations</title>
		<link>https://www.corporatecomplianceinsights.com/compliant-but-unprovable-why-controls-fail-examinations/</link>
		
		<dc:creator><![CDATA[Jim Sadler]]></dc:creator>
		<pubDate>Thu, 21 May 2026 11:00:07 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Internal Controls]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66865</guid>

					<description><![CDATA[<p>Covering the gap between having compliance measures in place and the ability to prove they worked in a specific situation</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/compliant-but-unprovable-why-controls-fail-examinations/">Compliant But Unprovable: Why Controls That Work Fail Examinations</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">Proving an organization has a compliance program ready to go is easy. Proving the program worked on an exact transaction is a whole other issue, Jim Sadler of AutoRek explains. Compliance teams that design provability into programs will spend less time reconstructing evidence and more time on strategic work. </span></i></p>
</div>
<p><span style="font-weight: 400;">Ask a compliance officer whether their program is well-designed, and the answer is almost always yes. The policies are thorough. The </span><a href="https://www.corporatecomplianceinsights.com/tag/training/" target="_blank" rel="noopener"><b>training</b></a><span style="font-weight: 400;"> is documented. The </span><a href="https://www.corporatecomplianceinsights.com/governance-news/" target="_blank" rel="noopener"><b>governance</b></a><span style="font-weight: 400;"> structure has been reviewed, revised and approved at the </span><a href="https://www.corporatecomplianceinsights.com/tag/board-of-directors/" target="_blank" rel="noopener"><b>board</b></a><span style="font-weight: 400;"> level. The harder question is whether that same program can prove, right now, that a specific control operated correctly on a specific transaction last quarter. For many firms, answering that takes weeks of manual reconstruction across multiple systems. </span></p>
<p><span style="font-weight: 400;">Inability to provide concrete proof drives more examination findings than weak policies or inadequate training. Examiners want something more granular. Provability should be a design requirement from the start rather than a reporting function attached afterward. When that is done from the outset, controls generate proof as a byproduct of operating, which eliminates the need for reconstruction entirely and sets compliance teams up for success in the long run.</span></p>
<p><span style="font-weight: 400;">Retrofitting that philosophy into an existing compliance program is difficult under stable conditions. Under current market conditions, it is becoming urgent, because three converging forces are widening the provability deficit faster than most firms recognize.</span></p>
<h2><span style="font-weight: 400;">Forces compounding the provability deficit</span></h2>
<p><span style="font-weight: 400;">Regulatory changes trigger a predictable response inside most compliance departments: update the policy document, circulate the revision, log the change. What rarely follows is a corresponding update to the control logic that enforces it. The policy reads one way while the control logic underneath may still reflect the old rules. That misalignment only surfaces when an examiner tests the control rather than the document, and by then the firm has been operating under a false sense of compliance. In a regulatory environment where multiple jurisdictions are updating requirements simultaneously, this problem multiplies. A firm that updated five policies in a quarter but only re-engineered two of the corresponding controls has three examination findings waiting to be discovered. Treating every regulatory change as a control re-engineering event rather than a documentation update closes that exposure before an examiner finds it.</span></p>
<p><span style="font-weight: 400;">Where regulatory change creates a provability problem through drift, AI creates one through opacity. Logic behind an automated decision that nobody captures at the point of decision is gone permanently. There is no interview to conduct, no email chain to pull, no analyst notes to review. The decision happened inside a model, and if the model&#8217;s reasoning was not logged at execution, the evidentiary trail ends there. Firms adopting AI-driven processes in lending, </span><a href="https://www.corporatecomplianceinsights.com/risk-news/" target="_blank" rel="noopener"><b>risk</b></a><span style="font-weight: 400;"> scoring and transaction monitoring are generating outcomes at a volume and speed that make after-the-fact reconstruction impossible. Regulators are paying closer attention to AI-driven outcomes precisely because the decision-making process is opaque by default, and the efficiency gains do not offset the evidentiary liability they create. Every model-driven result requires captured inputs, logic and output in a form someone can review later. Without that record, the decision is indefensible regardless of whether it was correct.</span></p>
<p><span style="font-weight: 400;">The challenge is compounded by the speed at which AI adoption is outpacing governance. Compliance teams that took years to build evidentiary frameworks around manual processes are being asked to extend the same level of oversight to AI-driven workflows that were deployed in weeks. The provability requirement does not shrink because the process became faster. It grows, because the decision volume and complexity both increase while the ability to trace any single decision back to its inputs decreases.</span></p>
<p><span style="font-weight: 400;">These challenges become harder to manage as organizational complexity increases alongside them. Every new asset class, jurisdiction or distribution channel adds another evidence chain a firm needs to maintain, and the evidence-producing capacity does not grow with it. A firm operating across three regulatory regimes with two product lines has a manageable number of proof points. After an acquisition and two product launches, that same firm has multiplied its evidence obligations without proportionally expanding its ability to meet them.</span></p>
<p><span style="font-weight: 400;">Each of these forces is difficult to address individually. Together, they create a compounding effect. A firm responding to regulatory changes while adopting AI and absorbing an acquisition is facing all three at once, layered on top of a provability framework that was under-built before any of them arrived. The firms that recognize this compounding dynamic early and restructure their controls accordingly will carry a significant advantage into their next examination cycle.</span></p>
<h2><span style="font-weight: 400;">Provability as an audit discipline</span></h2>
<p><span style="font-weight: 400;">Addressing the provability deficit at the level of individual controls is necessary, but it is not sufficient on its own. The discipline also needs to be embedded into how firms evaluate their programs internally. </span><a href="https://www.corporatecomplianceinsights.com/internal-audit-news/" target="_blank" rel="noopener"><b>Internal audit</b></a><span style="font-weight: 400;"> functions should expand their scope to test for provability alongside adherence. Most audit programs assess whether controls exist and whether staff follow them. Provability belongs in that same assessment. Can the firm prove a specific control operated correctly on a specific date for a specific transaction without manual reconstruction? Without that capability, the control functions but cannot account for itself.</span></p>
<p><span style="font-weight: 400;">Provability deserves the same investment and rigor given to program design. The compliance teams that treat it as a design discipline rather than an afterthought will spend less time reconstructing evidence and more time on the strategic work that examination readiness is supposed to enable. Every examination comes down to one question. Did the program work? The answer lives in the evidence trail, and the time to build it is before the question gets asked.</span></p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/compliant-but-unprovable-why-controls-fail-examinations/">Compliant But Unprovable: Why Controls That Work Fail Examinations</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue</title>
		<link>https://www.corporatecomplianceinsights.com/eu-making-forced-labor-trade-compliance-problem/</link>
		
		<dc:creator><![CDATA[Allison Raley and Nikita Kulkarni]]></dc:creator>
		<pubDate>Wed, 20 May 2026 11:00:51 +0000</pubDate>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Anti-Corruption]]></category>
		<category><![CDATA[ESG]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Supply Chain]]></category>
		<category><![CDATA[Third Party Risk Management]]></category>
		<category><![CDATA[Trade Compliance]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66845</guid>

					<description><![CDATA[<p>Most forced labor compliance frameworks ask companies to publish statements and describe their policies. The EU's new forced labor regulation operates differently — it gives authorities the power to block imports and pull products from shelves if forced labor is found anywhere in the supply chain. Arnall Golden Gregory attorneys Allison Raley and Nikita Kulkarni explain why the regulation — which applies to any company whose products touch the EU market, regardless of size or sector — demands a level of supply chain visibility that many compliance programs don’t yet have.</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/eu-making-forced-labor-trade-compliance-problem/">The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">Most forced labor compliance frameworks ask companies to publish statements and describe their policies. The EU&#8217;s new forced labor regulation operates differently — it gives authorities the power to block imports and pull products from shelves if forced labor is found anywhere in the supply chain. Arnall Golden Gregory attorneys Allison Raley and Nikita Kulkarni explain why the regulation — which applies to any company whose products touch the EU market, regardless of size or sector — demands a level of supply chain visibility that many compliance programs don’t yet have.</span></i></p>
</div>
<p><span style="font-weight: 400;">It rarely starts with a headline. It starts with a question your team cannot answer. A distributor in Germany forwards a nongovernmental organization (NGO) report naming a factory you have never heard of. A customer in France asks whether a particular product line will still be eligible for sale once the EU’s new forced labor </span><a href="https://single-market-economy.ec.europa.eu/single-market/goods/forced-labour-regulation_en" target="_blank" rel="noopener"><b>regulation</b></a><span style="font-weight: 400;"> takes effect. A customs broker flags rumors that certain shipments could be detained if regulators start asking for documentation you do not have.</span></p>
<p><span style="font-weight: 400;">For companies that sell into, operate in or export from the EU, this scenario is no longer theoretical. The </span><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202403015" target="_blank" rel="noopener"><b>EU’s Regulation 2024/3015</b></a><span style="font-weight: 400;"> on prohibiting products made with forced labor on the EU market, adopted on Nov. 19, 2024, turns forced labor from a disclosure question into a trade ban with teeth. </span></p>
<p><span style="font-weight: 400;">Beginning Dec. 14, 2027, authorities will be able to pull products from the EU market, block imports and exports and order disposal or remediation where they find forced labor anywhere in a product’s </span><a href="https://www.corporatecomplianceinsights.com/tag/supply-chain/" target="_blank" rel="noopener"><b>supply chain</b></a><span style="font-weight: 400;">. Member states may also impose financial penalties, the nature and level of which are to be determined under national law. This is not about whether a company has the right statement on its website. It is about whether the company’s products can move.</span></p>
<p><span style="font-weight: 400;">The good news is that the regulation does not require a mystery playbook that only regulators can see. It does, however, demand that companies treat forced labor as a core trade, </span><a href="https://www.corporatecomplianceinsights.com/compliance-news/" target="_blank" rel="noopener"><b>compliance</b></a><span style="font-weight: 400;"> and investigations </span><a href="https://www.corporatecomplianceinsights.com/risk-news/" target="_blank" rel="noopener"><b>risk</b></a><span style="font-weight: 400;">, not an </span><a href="https://www.corporatecomplianceinsights.com/tag/esg/" target="_blank" rel="noopener"><b>ESG</b></a><span style="font-weight: 400;"> afterthought. The companies that will be best prepared are those starting now to build a forced-labor framework that operates at the product level and can stand up to tough questions from authorities, customers and </span><a href="https://www.corporatecomplianceinsights.com/tag/board-of-directors/" target="_blank" rel="noopener"><b>boards</b></a><span style="font-weight: 400;">.</span></p>
<h2><span style="font-weight: 400;">How does the EU’s forced labor ban change the risk equation?</span></h2>
<p><span style="font-weight: 400;">The forced-labor regulation (FLR) sits on top of a growing stack of modern slavery and human rights rules, including the </span><a href="https://commission.europa.eu/topics/business-and-industry/doing-business-eu/sustainability-due-diligence-responsible-business/corporate-sustainability-due-diligence_en" target="_blank" rel="noopener"><b>Corporate Sustainability Due Diligence Directive (CSDDD)</b></a><span style="font-weight: 400;">, the </span><a href="https://environment.ec.europa.eu/topics/forests/deforestation/regulation-deforestation-free-products_en" target="_blank" rel="noopener"><b>EU deforestation regulation</b></a><span style="font-weight: 400;"> and national supply chain laws such as </span><a href="https://www.bmz.de/resource/blob/154774/lieferkettengesetz-faktenpapier-partnerlaender-eng-bf.pdf" target="_blank" rel="noopener"><b>Germany&#8217;s</b></a><span style="font-weight: 400;"> Supply Chain Act. Many of those laws focus on transparency: publish an annual statement, describe your policies, explain your due diligence. The FLR is different. It gives EU and national authorities the power to ban products that they conclude were made, in whole or in part, with forced labor anywhere in their supply chain. A single tainted component or production step can put an entire stock-keeping unit (SKU) at risk. Importantly, compliance with the CSDDD&#8217;s due diligence obligations does not create a safe harbor under the FLR; a product can still be banned, regardless of whether the company has met its CSDDD requirements.</span></p>
<p><span style="font-weight: 400;">The scope is broad. The FLR applies to any “economic operator” that places products on the EU market, makes them available there or exports them, regardless of size or sector. Unlike the CSDDD, there is no employee count or revenue threshold; small and medium-sized enterprises are within scope if their products touch the EU market. The regulation covers goods at every stage of production — from raw materials to finished products — and applies to forced labor both inside and outside the EU, using the definition set out in the </span><a href="https://www.ohchr.org/en/instruments-mechanisms/instruments/forced-labour-convention-1930-no-29" target="_blank" rel="noopener"><b>International Labour Organisation&#8217;s Forced Labour Convention, 1930 (No. 29)</b></a><span style="font-weight: 400;">, as supplemented by its 2014 protocol and the organization’s indicators of forced labor. That means a small technology company shipping hardware, a global healthcare manufacturer supplying devices and a services firm selling branded equipment into EU offices are all in the frame if their products cross EU borders.</span></p>
<p><span style="font-weight: 400;">The way cases start also matters. Unlike the </span><a href="https://www.state.gov/office-to-monitor-and-combat-trafficking-in-persons/releases/2025/01/uyghur-forced-labor-prevention-act-uflpa-fact-sheet" target="_blank" rel="noopener"><b>US Uyghur Forced Labor Prevention Act</b></a><span style="font-weight: 400;">, which relies on a rebuttable presumption tied to a specific region, the FLR uses a risk-based “substantiated concern” model. Authorities will screen public information; NGO and media reports; stakeholder complaints; and, once available, an EU-wide database of higher-risk regions, sectors and products to decide which operators and SKUs to investigate.</span></p>
<p><span style="font-weight: 400;">Investigations proceed in two phases: a preliminary phase during which the lead competent authority assesses available information and may request data from the economic operator within 30 working days, and, if concerns are not resolved, a full investigation phase. During a full investigation, authorities can request detailed supply chain information, seek input from workers and civil society and in some cases coordinate with bodies capable of gathering information on the ground outside the EU. Companies that respond slowly or with inconsistent or incomplete information increase the risk that regulators will question not only their supply chains but the seriousness of their compliance programs.</span></p>
<p><span style="font-weight: 400;">For senior leaders, the practical shift is this: Forced labor is no longer just a reputational and reporting topic. It is an operational and commercial risk that can shut down sales into an entire region. The questions that matter now include:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Which products are placed on or exported from the EU, and who owns FLR risk for those SKUs?</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How far down the supply chain can those products be traced today, and where do visibility gaps remain?</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Can a company’s existing human rights, ESG and trade controls generate the kind of evidence authorities will look for if they open an investigation?</span></li>
</ul>
<p><span style="font-weight: 400;">Companies that cannot answer those questions quickly will struggle if their products are the ones regulators choose to test first.</span></p>
<h2><span style="font-weight: 400;">Frameworks that regulators will take seriously</span></h2>
<p><span style="font-weight: 400;">The FLR does not require companies to build a brand-new compliance silo. It does require them to tighten and refocus what they already have. In practice, credible preparation tends to rest on four pillars: </span><a href="https://www.corporatecomplianceinsights.com/governance-news/" target="_blank" rel="noopener"><b>governance</b></a><span style="font-weight: 400;"> and ownership; risk assessment and scoping; third‑party and supply-chain controls; and documentation and metrics.</span></p>
<h3><span style="font-weight: 400;">Clarify governance and ownership</span></h3>
<p><span style="font-weight: 400;">Today, forced labor risk often lives in several places at once: ESG or sustainability teams draft modern slavery reports, supply chain teams manage suppliers, legal tracks new regulations, and trade compliance focuses on customs and sanctions. The FLR pushes toward a more integrated model. Companies should identify an executive sponsor and a cross‑functional working group that owns FLR implementation and reports to the C‑suite and, where appropriate, the board.</span></p>
<p><span style="font-weight: 400;">That group should include compliance, legal, trade, procurement or sourcing, operations, human rights/ESG and </span><a href="https://www.corporatecomplianceinsights.com/internal-audit-news/" target="_blank" rel="noopener"><b>internal audit</b></a><span style="font-weight: 400;">. Its mandate is not to redo everyone’s job but to coordinate decisions about risk appetite, priorities and escalation. A simple responsible, accountable, supportive, consulted, informed matrix for FLR‑related decisions and regulatory interactions can prevent the finger‑pointing and delay that so often make investigations harder than they need to be.</span></p>
<h3><span style="font-weight: 400;">Make risk assessment and scoping product‑specific</span></h3>
<p><span style="font-weight: 400;">Many companies have already conducted high‑level human rights risk assessments. Under the FLR, the focus needs to narrow. Authorities will scrutinize specific products, not just corporate‑level policies. A practical starting point is to create an inventory of all products that are placed on or exported from the EU. For each, companies should identify:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The countries and regions where key inputs are mined, grown or produced.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The sectors and tiers (for example, raw materials, processing, assembly, packaging) most associated with forced labor risk.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">What the company actually knows today based on supplier data, audits, grievance reports or other information as opposed to what it assumes.</span></li>
</ul>
<p><span style="font-weight: 400;">External sources like international organization reports, civil society research and, in the future, EU risk indicators and databases can help refine that view. The goal is a prioritized list of EU‑facing SKUs and supply chains where enhanced due diligence is warranted, not a perfect global map on day one.</span></p>
<h3><span style="font-weight: 400;">Calibrate third‑party and supply chain controls to that risk</span></h3>
<p><span style="font-weight: 400;">Once higher‑risk products and supply chains are identified, companies can decide where to go deeper. At the program level, this often means defining what “baseline” and “enhanced” forced labor due diligence look like for different categories of suppliers and intermediaries. Baseline expectations might include adherence to a supplier code of conduct, completion of a human rights questionnaire and contractual commitments to prohibit forced labor and cooperate with investigations. Enhanced expectations might add more detailed traceability, on‑site or third‑party assessments, worker‑voice tools or independent verification of high‑risk tiers.</span></p>
<p><span style="font-weight: 400;">Contracts play a central role. The FLR will put pressure on companies to demonstrate that they can obtain the information they need about upstream facilities and that they have real options if concerns arise. While there is no one‑size‑fits‑all clause, companies should examine whether their agreements allow them to request product‑level data, access relevant sites (directly or through trusted third parties), require corrective action plans and, as a last resort, suspend or terminate relationships where forced labor is confirmed. Those decisions are commercial as well as legal, and they are best made before a shipment is sitting in port.</span></p>
<h3><span style="font-weight: 400;">Treat documentation and metrics as part of your defense file</span></h3>
<p><span style="font-weight: 400;">In every recent wave of enforcement — whether under sanctions, export controls or UFLPA — companies that fare better tend to be those that can produce organized, contemporaneous records of what they did and why. The FLR will be no different. Authorities will not just ask whether a policy was in place; they will look at how that policy operated for the product in front of them.</span></p>
<p><span style="font-weight: 400;">That means thinking now about how to store and retrieve:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Supplier lists and facility information tied to specific SKUs.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Due diligence reports, audit findings and corrective action plans.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Internal escalation records, including how concerns were raised, evaluated and resolved.</span></li>
</ul>
<p><span style="font-weight: 400;">Basic metrics like the percentage of EU‑facing SKUs with mapped supply chains to defined tiers, the number of higher‑risk suppliers with active remediation plans or the time taken to close findings help leadership monitor progress and give regulators a more concrete picture of program maturity.</span></p>
<h2><span style="font-weight: 400;">Getting investigation-ready</span></h2>
<p><span style="font-weight: 400;">Because the FLR is enforced through targeted investigations, “investigation readiness” should not be an afterthought. It should be a design principle.</span></p>
<p><span style="font-weight: 400;">To avoid scrambling under that kind of pressure, companies can develop an FLR-specific investigations-and-escalation protocol that builds on existing frameworks for anticorruption, sanctions or human rights issues. Because the burden falls on the economic operator to demonstrate that its products are not tainted by forced labor once an investigation is opened, front-loading evidence collection is critical. Key elements include:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Clear triggers for opening an internal review, such as receipt of an authority’s information request, credible allegations about a supplier or facility or serious findings from an audit or grievance mechanism.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">A cross‑functional investigations team that includes compliance, legal, trade, human rights or ESG, supply chain and communications, with defined roles at each stage.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Standard expectations for how quickly initial fact‑finding should occur, how evidence is collected and preserved and how decisions are documented.</span></li>
</ul>
<p><span style="font-weight: 400;">Companies should also think through at a policy level how they will approach remediation if an internal review finds indicators of forced labor. That may include expectations for supplier corrective action plans, timelines for improvement, criteria for exiting a relationship and approaches to addressing harm to affected workers in coordination with credible local partners. Under the FLR, if a product ban is imposed, authorities can require economic operators to withdraw or dispose of the product and donate remaining goods for charitable or public interest purposes. The specifics of remediation will vary by case, but a principled framework can help demonstrate to authorities that the company is not improvising its response in the heat of an investigation.</span></p>
<p><span style="font-weight: 400;">A practical way to test readiness is to run a tabletop exercise around a hypothetical FLR investigation for one or two higher‑risk product lines. The exercise does not need to be elaborate. The core questions are straightforward:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How quickly can a list of all known suppliers and facilities involved in this product be produced?</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">What documentation exists to show the due diligence performed and the response to any issues?</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Who would speak to regulators and who has authority to make time‑sensitive decisions about remediation, disclosure and communications?</span></li>
</ul>
<p><span style="font-weight: 400;">Gaps revealed by the exercise can become concrete work items for the next 12 to 18 months.</span></p>
<h2><span style="font-weight: 400;">Action items for the next year</span></h2>
<p><span style="font-weight: 400;">The FLR’s enforcement date of Dec. 14, 2027, may feel distant, but the lead time is not as long as it seems once supply chain complexity, contract cycles and internal budget processes are factored in. Some enabling provisions, including the establishment of the EU-wide portal and database, will take effect earlier, and companies should monitor the European Commission&#8217;s implementing and delegated acts for further operational detail. </span></p>
<p><span style="font-weight: 400;">For most organizations, the most effective approach will be to focus on a clear, staged work plan rather than an all-at-once overhaul. Over the next year to year and a half, companies can:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Confirm who owns FLR implementation, designate an executive sponsor and charter a cross‑functional working group that reports regularly to senior leadership.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Build a focused inventory of EU‑facing products and prioritize a first wave of higher‑risk SKUs and supply chains for deeper mapping and due diligence.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Define baseline and enhanced forced labor due diligence expectations and begin aligning supplier contracts so the company can obtain the information and cooperation it will need under the FLR.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Develop or refine an FLR‑specific investigations and escalation protocol and test it through at least one scenario exercise.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Upgrade documentation and data practices so that product‑level supply chain and due diligence information can be retrieved quickly in the event of an inquiry.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Integrate FLR considerations into existing risk assessments, internal audits, </span><a href="https://www.corporatecomplianceinsights.com/tag/training/"><b>training</b></a><span style="font-weight: 400;"> and board reporting so that forced labor is treated as a standing compliance and trade risk rather than a one‑off project.</span></li>
</ul>
<p><span style="font-weight: 400;">No company can eliminate forced labor risk entirely, especially in complex, multitier supply chains. What regulators and stakeholders will look for under the EU’s forced-labor regulation is whether companies can show with evidence that they understand where their exposure lies; they are taking reasonable, risk‑based steps to address it; and they are prepared to respond when questions come. Companies that do that work now will be in a stronger position when the calls and letters start to arrive.</span></p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/eu-making-forced-labor-trade-compliance-problem/">The EU Is Making Forced Labor a Trade Compliance Problem, Not Just an ESG Issue</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How You Handle AI Agents Says More Than You Might Think About Your Company’s Values</title>
		<link>https://www.corporatecomplianceinsights.com/how-you-handle-ai-agents-company-values/</link>
		
		<dc:creator><![CDATA[Vera Cherepanova]]></dc:creator>
		<pubDate>Wed, 20 May 2026 11:00:35 +0000</pubDate>
				<category><![CDATA[Governance]]></category>
		<category><![CDATA[Artificial Intelligence (AI)]]></category>
		<category><![CDATA[Board of Directors]]></category>
		<category><![CDATA[Board Risk Oversight]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66843</guid>

					<description><![CDATA[<p>Are you really ready to deploy a virtual workforce?</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/how-you-handle-ai-agents-company-values/">How You Handle AI Agents Says More Than You Might Think About Your Company’s Values</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">Ask an Ethicist columnist Vera Cherepanova tackles a dilemma almost certainly playing out in more than one boardroom right now: What are the ethical considerations of deploying agentic AI? Answering the question means tackling thorny issues about whether agents are designed to give better service — or something else entirely.</span></i></p>
</div>
<blockquote class="pullquote align-center"><p><i><span style="font-weight: 400; font-size: 15px; line-height: 1.1em;">I am a board director of a large, listed company. In recent board meetings, we have been discussing how to enhance our CRM system by adding what management calls a “digital workforce.”</span></i></p>
<p><i><span style="font-weight: 400; font-size: 15px;">Our current SaaS CRM provider has a new agentic AI offering that management is eager to pilot. The promise is attractive: intelligent agents integrated into customer workflows, using real-time data to respond to customer needs, resolve routine issues and escalate more complex matters to human employees. The agents would operate independently within guardrails customized for our company.</span></i></p>
<p><i><span style="font-weight: 400; font-size: 15px;">Management sees this as a productivity and customer-experience opportunity. The commercial model is appealing, too: We would pay for outcomes or usage, not software licenses.</span></i></p>
<p><i><span style="font-weight: 400; font-size: 15px;">That raises questions I do not think we have fully examined. How should the board oversee an organization in which human and digital workers operate side by side? Before we commit to buying a digital workforce, I want to understand what ethical responsibilities come with it. What should we be asking? — BF</span></i></p></blockquote>
<p><span style="font-weight: 400;">Your question is an excellent one because management is presenting this as a technology upgrade, while the </span><a href="https://www.corporatecomplianceinsights.com/tag/board-of-directors/" target="_blank" rel="noopener"><b>board</b></a><span style="font-weight: 400;"> should recognize it as something much larger. Managing a workforce that includes both humans and digital workers cannot be confined to a technology implementation project. It is a </span><a href="https://www.corporatecomplianceinsights.com/tag/board-risk-oversight/" target="_blank" rel="noopener"><b>board-level governance</b></a><span style="font-weight: 400;"> issue for several reasons.</span></p>
<p><span style="font-weight: 400;">The first reason is that </span><a href="https://www.corporatecomplianceinsights.com/tag/artificial-intelligence/" target="_blank" rel="noopener"><b>AI</b></a><span style="font-weight: 400;"> is moving here from an assisting role — helping humans with certain tasks — to acting on behalf of them and, in some cases, on behalf of the company as a whole. That calls for a different oversight model, one capable of distinguishing between different levels of AI autonomy and adjusting scrutiny accordingly. </span><i><span style="font-weight: 400;">Ceteris paribus</span></i><span style="font-weight: 400;">, the more independently these systems act, the more closely they should be governed.</span></p>
<p><span style="font-weight: 400;">Second, as your dilemma suggests, the actions of intelligent agents will directly inform the customer’s experience of the organization. Therefore, a useful question for the board to ask, in full honesty, is whether these agents are deployed to serve customers better or to make it harder for customers to reach the company. The commercial model provides an additional insight: If the company pays for “resolved” outcomes, the system may be tuned to classify more issues as resolved regardless of whether the customer would agree.</span></p>
<p><span style="font-weight: 400;">Third, introducing digital labor will affect human labor in ways management might be understating. The usual promise is that as machines take over mundane tasks, humans will move to more interesting and enriching work full of meaning. That might be the case for some. More often, though, employees are expected to train the agents, manage them, improve them and ultimately compete with them. So, a good board question is whether human work is actually becoming more meaningful, or whether humans are being turned into machine validators until the final phase-out.</span></p>
<p><span style="font-weight: 400;">One especially revealing area to look at is escalation. What seems a technical detail on the surface is where the “</span><a href="https://www.corporatecomplianceinsights.com/ethics-news/" target="_blank" rel="noopener"><b>ethics</b></a><span style="font-weight: 400;"> of AI” and the company’s values meet.</span></p>
<p><span style="font-weight: 400;">The agent must know when to stop and hand over to a human, and deciding on the settings says a lot about what the company cares about most. For example:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">If the agent escalates only when there is legal </span><a href="https://www.corporatecomplianceinsights.com/risk-news/" target="_blank" rel="noopener"><b>risk</b></a><span style="font-weight: 400;">, that says the company prioritizes exposure.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">If it escalates when it detects a vulnerable customer, that says the company prioritizes care.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">If it escalates only for high-value clients, that says something else.</span></li>
</ul>
<p><span style="font-weight: 400;">This is a non-exhaustive list of issues to consider, but the central point must be clear: Introducing a digital workforce shouldn’t really be wrapped up in the language of a new software feature. In fact, it might be one of the most consequential decisions you take as a board director. Treat it as such.</span></p>
<h2><span style="font-weight: 400;">Readers respond</span></h2>
<p><span style="font-weight: 400;">The previous question came from a </span><a href="https://www.corporatecomplianceinsights.com/cybersecurity-news/" target="_blank" rel="noopener"><b>cybersecurity</b></a><span style="font-weight: 400;"> professional grappling with the fallout of a white-hat disclosure gone wrong. The dilemma revolved around whether a researcher’s decision to release exploit code after feeling mistreated by a company could ever be ethically justified — and whether companies themselves have a duty to handle vulnerability disclosure well enough that frustrated white hats do not turn gray, leaving customers to bear the consequences.</span></p>
<p><span style="font-weight: 400;">In my response, I noted: </span><span style="font-weight: 400;">“</span><span style="font-weight: 400;">The underlying ethical question is not only was the researcher justified; it is also did the company have an ethical responsibility to its customers to handle the researcher well enough that this did not happen? In that sense, your dilemma is about whether customer protection should include managing the human relationship with white hats well enough that they do not turn gray. Indeed, cyber vulnerability disclosure is a three-cornered relationship, rather than a bilateral one. If the company-researcher part of it collapses, the users will bear the downside.</span></p>
<p><span style="font-weight: 400;">“The answer is partly yes, though not absolutely. A company does not owe a researcher whatever they demand; that’s why it’s called a coordinated disclosure and not a ransom. It can’t let outsiders dictate internal processes either. But if a company benefits from coordinated disclosure norms, then it does owe customers a disclosure process that is credible, fair, timely and respectful enough that white hats have a realistic reason to stay inside the responsible lane. It is part of the company’s duty of care to users.” Read the full column </span><a href="https://www.corporatecomplianceinsights.com/who-really-blame-white-hat-gray/" target="_blank" rel="noopener"><b>here</b></a><span style="font-weight: 400;">.</span></p>
<p><i><span style="font-weight: 400;">Is your organization’s vulnerability process creating more risk than it solves?</span></i> <i><span style="font-weight: 400;">Thanks,</span></i><i><span style="font-weight: 400;"> Vera</span></i><i><span style="font-weight: 400;">, for reminding us that cybersecurity is ultimately a human and ethical challenge, not just a technical one. — CG</span></i></p>
<h6>Have a response? Share your feedback on what I got right (or wrong). <a href="mailto:ethicist@corporatecomplianceinsights.com" target="_blank" rel="noopener">Send me</a> your comments or questions.</h6>
<p>The post <a href="https://www.corporatecomplianceinsights.com/how-you-handle-ai-agents-company-values/">How You Handle AI Agents Says More Than You Might Think About Your Company’s Values</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Venezuela Energy Reform and US Sanctions Relief Are Moving Together. Here’s What That Means.</title>
		<link>https://www.corporatecomplianceinsights.com/venezuela-energy-reform-us-sanctions-relief/</link>
		
		<dc:creator><![CDATA[Terry Gilroy and Eugenio Hernández-Bretón]]></dc:creator>
		<pubDate>Tue, 19 May 2026 11:00:49 +0000</pubDate>
				<category><![CDATA[Risk]]></category>
		<category><![CDATA[Office of Foreign Assets Control (OFAC)]]></category>
		<category><![CDATA[Sanctions]]></category>
		<category><![CDATA[Trade Compliance]]></category>
		<guid isPermaLink="false">https://www.corporatecomplianceinsights.com/?p=66834</guid>

					<description><![CDATA[<p>New OFAC general licenses create openings in Venezuela’s energy sector, but each carries different conditions</p>
<p>The post <a href="https://www.corporatecomplianceinsights.com/venezuela-energy-reform-us-sanctions-relief/">Venezuela Energy Reform and US Sanctions Relief Are Moving Together. Here’s What That Means.</a> appeared first on <a href="https://www.corporatecomplianceinsights.com">Corporate Compliance Insights</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="intro-text">
<p><i><span style="font-weight: 400;">The combination of Venezuela’s hydrocarbons law reform and seven new OFAC general licenses is creating new openings in the country’s energy sector, but each license carries distinct conditions and the secondary sanctions picture for non-US companies is more complicated than the general relief implies. Baker McKenzie attorneys Terry Gilroy and Eugenio Hernández-Bretón explain what compliance officers need to know.</span></i></p>
</div>
<p><span style="font-weight: 400;">The recent </span><a href="https://www.upi.com/Top_News/World-News/2026/01/16/latam-venezuela-hyrodcarbon-bill/4111768581489/" target="_blank" rel="noopener"><b>partial reform</b></a><span style="font-weight: 400;"> of Venezuela’s organic hydrocarbons law in tandem with the relaxation of US </span><a href="https://www.corporatecomplianceinsights.com/tag/sanctions/" target="_blank" rel="noopener"><b>sanctions</b></a><span style="font-weight: 400;"> on Venezuela are creating a more favorable environment for foreign investment to support increased production in the Venezuelan oil and associated gas industry.</span></p>
<p><span style="font-weight: 400;">Key changes expected under the reforms, announced in January, include:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">A more favorable and flexible taxation, contributions and royalty system, establishing caps and allowing for potential reductions of the tax and royalty burdens for private sector companies operating or looking to invest in Venezuela. The new system also repeals some prior taxes and declares certain contributions as inapplicable for this sector. The net result should be a more attractive system for investors.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Permitting minority shareholders participating in a joint venture with PdVSA (Petróleos de Venezuela) or mixed company to manage operations, open and manage bank accounts in any currency and within and outside of Venezuela and to commercialize hydrocarbons produced. This is a significant shift away from the former state-exclusive model and is expected to encourage investments to support increased oil production in Venezuela.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Permitting arbitration (including outside of Venezuela) and alternative dispute resolution mechanisms. The previous legal framework allowed dispute resolution only through local courts.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">For both privately owned operators and mixed operating companies, the mandatory inclusion of a clause for the maintenance of the project’s economic financial balance. This guarantees investors that the initial economic financial balance, as well as any additional benefit subsequently acquired, is maintained throughout the life of the agreement.</span></li>
</ul>
<p><span style="font-weight: 400;">These changes should help better secure long-term investments in Venezuela’s oil and associated gas sector.</span></p>
<p><span style="font-weight: 400;">In light of these amendments, existing mixed companies and production sharing agreements (locally referred to as CPPs) will be the subject of review to ensure that they are adjusted to the parameters of the new law within 180 days from the date that the reform went into effect (Jan. 29, 2026). During this period of transition, the former tax system will continue to be applied.</span></p>
<p><span style="font-weight: 400;">It is important to note that, so far, no announcements or changes have been made to legislation governing non-associated gas.</span></p>
<h2><span style="font-weight: 400;">The US sanctions perspective: Recent general licenses issued by OFAC</span></h2>
<p><span style="font-weight: 400;">Outside of Venezuela, </span><a href="https://ofac.treasury.gov/sanctions-programs-and-country-information/venezuela-related-sanctions" target="_blank" rel="noopener"><b>US sanctions</b></a><span style="font-weight: 400;"> are shaping investment considerations for companies operating both within and outside of the US. Since January, the </span><a href="https://www.corporatecomplianceinsights.com/tag/ofac/" target="_blank" rel="noopener"><b>US Office of Foreign Assets Control (OFAC)</b></a><span style="font-weight: 400;"> has issued various general licenses and guidance that provide some sanction relief, primarily as it relates to the oil and gas sector in Venezuela. However, the government of Venezuela and relevant state-owned entities still remain subject to blocking under US sanctions. These general licenses create avenues for US persons to engage in oil trading, upstream energy services, investment planning and, most recently, broader PdVSA transactions, including for Venezuelan origin gold.</span></p>
<h3><span style="font-weight: 400;">General License 46</span></h3>
<p><span style="font-weight: 400;">GL 46 is primarily downstream in nature, authorizing established US entities to engage in transactions ordinarily incidental and necessary to the lifting, exportation, sale, transportation, storage and refining of Venezuelan-origin oil, even where those transactions involve the government of Venezuela or PdVSA. This GL does not authorize upstream investment or new production. It also imposes strict conditions. For example, contracts with the government of Venezuela or PdVSA must be governed by US law and provide for dispute resolution in the US. Payments under these agreements must be made into US Treasury-controlled foreign government deposit funds accounts with limited exceptions.</span></p>
<h3><span style="font-weight: 400;">General License 47</span></h3>
<p><span style="font-weight: 400;">This GL complements GL 46 by authorizing the export, sale and transport of US-origin diluents to Venezuela. Diluents are essential for moving and processing Venezuela&#8217;s heavy crude. Unlike GL 46, GL 47 does not require that activity is conducted by an established US entity, but it otherwise retains similar contractual and payment conditions of GL 46 with respect to the governing law, dispute resolution and payments to PdVSA.</span></p>
<h3><span style="font-weight: 400;">General License 48</span></h3>
<p><span style="font-weight: 400;">Focused on upstream activities, GL 48 authorizes US persons to provide goods, technology, software and services necessary for the exploration, development, production and maintenance of oil and gas operations in Venezuela. This includes repair and refurbishment of existing infrastructure. It expressly prohibits the formation of new joint ventures (JVs) or other entities in Venezuela for purposes of exploration and development. In effect, GL 48 supports operational continuity but not ownership expansion.</span></p>
<h3><span style="font-weight: 400;">General License 49</span></h3>
<p><span style="font-weight: 400;">GL 49 opens the door for future investment planning, authorizing US persons to negotiate and enter into contingent contracts for new oil and gas investments in Venezuela provided that performance of such agreements is expressly conditional on future OFAC approval.</span></p>
<h3><span style="font-weight: 400;">General License 50</span></h3>
<p><span style="font-weight: 400;">GL 50 is a company-specific general license rather than a general authorization to the broader market. It authorizes transactions related to oil and gas sector operations in Venezuela for specifically named companies in the general license. These companies may conduct activities ordinarily incident to their Venezuelan operations, subject to specific contractual conditions.</span></p>
<h3><span style="font-weight: 400;">General License 51</span></h3>
<p><span style="font-weight: 400;">GL 51 concerns Venezuelan-origin gold and is the first OFAC-issued general license to apply beyond the energy sector. It authorizes established US entities to import, refine, resell and export Venezuelan-origin gold, covering transactions involving Venezuela’s state mining company. GL 51 was recently replaced by an amended </span><a href="https://ofac.treasury.gov/recent-actions/20260327_33" target="_blank" rel="noopener"><b>General License 51A</b></a><span style="font-weight: 400;">, which among other key changes expands the original scope of the license to cover “Venezuelan-origin minerals.”</span></p>
<h3><span style="font-weight: 400;">General License 52</span></h3>
<p><span style="font-weight: 400;">GL 52 authorizes all transactions between PdVSA or PdVSA entities and established US entities. It includes the governing law and payment requirements consistent with the earlier GLs. GL 52 covers all transactions involving PdVSA that were not already authorized by the other new Venezuela GLs related to oil and gas, including petrochemicals. Notably, GL 52 authorizes the entry into new investment contracts for exploration, development or production activities in the Venezuela oil and gas sectors, meaning that US persons do not need to rely on GL 49 to enter contracts with PdVSA or related entities. The practical impact of GL 52, however, may be limited in that it does not authorize transactions involving the government of Venezuela other than those necessary for the activity set forth in the GL. For example, activities involving other government of Venezuela-owned industries, such as mining or electricity generation are not authorized.</span></p>
<h2><span style="font-weight: 400;">Sanction implications for non-US companies</span></h2>
<p><span style="font-weight: 400;">There are two types of sanctions that the US government deploys that are relevant for non-US-headquartered companies as well as foreign subsidiaries of US companies:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Primary sanctions:</b><span style="font-weight: 400;"> Apply if US persons or US touchpoints are involved. Violations of primary sanctions can result in criminal and civil penalties. Within OFAC’s recent suite of licenses, most require the involvement of a US company.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Secondary sanctions:</b><span style="font-weight: 400;"> These are not monetary or criminal penalties but can include blacklisting by the US Treasury Department. The US government uses secondary sanctions to impose its foreign policy and national security objectives on companies that are otherwise not impacted by primary sanctions.</span></li>
</ul>
<p><span style="font-weight: 400;">For non-US companies engaging in activities with Venezuela, US touchpoints can include:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Direct engagement in an activity with a US company.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The use of US dollars as the settlement currency. This touchpoint would not typically arise in an intra-Venezuela transaction but likely would in a cross-border matter.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The involvement of US citizens or permanent resident aliens who are employed by a non-US company, creating individual liability and exposure.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">A non-US company that is a subsidiary of a US company. Whether this is a touchpoint depends on whether the subsidiary has corporate authority to engage in these types of activities independently or requires approval or support from the US parent company.</span></li>
</ul>
<p><span style="font-weight: 400;">As a precedent, the US government has penalized non-US companies for violating US primary sanctions. Whether the US government will follow suit in relation to Venezuela likely depends on how the activity relates to the US administration’s broader priorities.</span></p>
<p><span style="font-weight: 400;">Ultimately, non-US companies should consistently check for US touchpoints and evaluate their US sanctions exposure where existing general licenses don’t apply. For those with no US touchpoints but who are engaged in cross-border transactions in the energy sector in Venezuela, there should be no US primary sanctions risk, but there is still a risk of secondary sanctions.</span></p>
<p><span style="font-weight: 400;">Under longstanding OFAC guidance, non-US companies engaged in activities covered under a GL that only applies to US persons would not be subjected to secondary sanctions for engaging in those same activities. On March 31, OFAC issued guidance in the form of </span><a href="https://ofac.treasury.gov/faqs/1247" target="_blank" rel="noopener"><b>FAQ 1247</b></a><span style="font-weight: 400;">, providing specific comments on the application of US secondary sanctions. This FAQ notably does not reference a requirement for non-US companies to include US governing law or US dispute resolution provisions in order to avoid the risk of US secondary sanctions.</span></p>
<p><span style="font-weight: 400;">It is likely that for businesses that are overall directionally consistent with the GL, this risk would be relatively low given that OFAC has so far taken no action against non-US companies already engaged with PdVSA in relation to the energy sector.</span></p>
<p><span style="font-weight: 400;">Where the relevant GL requires that a contract be governed by US law or have a US dispute resolution mechanism, a non-US company’s contract with PdVSA is unlikely to meet that requirement, and the company could therefore be exposed to potential secondary sanctions risk.</span></p>
<h2><span style="font-weight: 400;">Impact of recent changes on contracts of commercialization for the refinement and sale of crude oil</span></h2>
<p><span style="font-weight: 400;">As Venezuela’s new hydrocarbons law fundamentally changes who can commercialize, refine and market crude oil in Venezuela and under what contractual structures they are permitted to operate, there are several types of relevant agreements that might be applicable.</span></p>
<h3><span style="font-weight: 400;">Production sharing agreements (PSAs)</span></h3>
<p><span style="font-weight: 400;">A PSA is a contractual agreement between the foreign or independent oil company (IOC) — the investor — and the state-owned enterprise, in this case PdVSA. This agreement is a critical pillar for investment as it is required for the exploration and production of oil.</span></p>
<p><span style="font-weight: 400;">Under this type of contract, the ownership of the resources remains with the host state (in this case, Venezuela). While the IOC does not have immediate property rights over production or mineral or mining rights, it does have an economic right to its share of the oil with respect to the specific oil field.</span></p>
<p><span style="font-weight: 400;">The PSA outlines minimal capital commitments from the IOC, who must supply the funds needed for exploration and production activities and generally supports the national oil company (NOC) during exploration. The NOC may have an option to contribute costs of development if there is a commercial discovery.</span></p>
<p><span style="font-weight: 400;">The IOC recoups its costs when production begins. Therefore, if no production occurs, then all costs and investments will result in a loss for the IOC. Compensation is calculated by reference to the production and the profit generated by the oil, meaning these are long-term contracts tied to the life of the oilfield, and it is important to understand the laws of the host country.</span></p>
<h3><span style="font-weight: 400;">Crude oil sale and purchase agreement (CSPA)</span></h3>
<p><span style="font-weight: 400;">Also known as a crude offtake agreement, this type of contract governs the sale and purchase of crude oil, typically, between an upstream producer — which could be either the independent oil company, national oil company or a joint venture — and a trader or refinery. The buyer would typically be a commodity trader or a large IOC.</span></p>
<p><span style="font-weight: 400;">This type of contract looks at the quantity and quality requirements of the oil that will be sold and includes provisions like take-or-pay, supply obligations, delivery terms, pricing framework, title and risk transfer, payment, termination and dispute resolution terms.</span></p>
<p><span style="font-weight: 400;">Terms for CSPAs are typically much shorter than those for PSAs, often a one-off transaction or covering sales between six and 12 months with the option to renew for a longer term of one to five years.</span></p>
<p><span style="font-weight: 400;">These contracts are often financed by third-party financiers, banks and lenders so the tenor of financing mirrors the duration of the offtake agreement. The longer the term of the CSPA, the more likely it is that a price review mechanism will be put into place given the potential for fluctuation and volatility of crude oil prices.</span></p>
<h3><span style="font-weight: 400;">Tolling or processing agreements (TPAs)</span></h3>
<p><span style="font-weight: 400;">A TPA is a key agreement for companies that do not own refining capacity, allowing a crude owner to have its crude processed in a refinery for a fee and receive back refined products such as jet fuel, diesel or gasoline. The relevant parties in this agreement are the refinery owner or operator and the crude owner, producer or trader. The key elements include a fixed or variable processing fee dependent on the refinery complexity, a yield agreement specifying the product slate and expected yields, and quality and loss provisions.</span></p>
<p><span style="font-weight: 400;">During the refinement process, there might be loss, contamination or off-spec outputs, which should also be outlined in the contract terms. Contract terms can also include required refinery resources, such as utilities and storage charges, steam, water and tankage.</span></p>
<p><span style="font-weight: 400;">The average term of a TPA is typically between one and three years but can be shorter for merchant refinements.</span></p>
<p><span style="font-weight: 400;">There are several other types of agreements that also will be affected by the new hydrocarbons law, including those pertaining to the disposing of crude oil, crude swaps and exchange agreements, crude prep prepayment, pre-financing, storage, tank leases, commercial support and transportation agreements.</span></p>
<h2><span style="font-weight: 400;">What’s next?</span></h2>
<p><span style="font-weight: 400;">The recent changes to Venezuela’s organic hydrocarbons law mean that international companies, including those based in the US, have a renewed opportunity to perform primary activities like the exploration, extraction, initial transportation and storage of hydrocarbons in Venezuela.</span></p>
<p><span style="font-weight: 400;">The relevant agreements may also lead to private sector companies having the authority to commercialize hydrocarbons produced either as a minority shareholder managing a mixed operating company or as a private sector company operating under a contract for the development of primary activities.</span></p>
<p><span style="font-weight: 400;">At the same time, a more relaxed US sanctions environment is allowing companies to explore these opportunities, but on both fronts, careful planning and an understanding of the latest developments are key to ensuring </span><a href="https://www.bakermckenzie.com/en/insight/publications/resources/disputes-enforcement-compliance-venezuela" target="_blank" rel="noopener"><b>compliance with both US sanctions requirements and Venezuelan law</b></a><span style="font-weight: 400;">.</span></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>