Enforcement Trends

FCPA Executive Order: The Future of U.S. Enforcement


When President Donald Trump issued his executive order pausing enforcement of the FCPA (EO), many practitioners were taken by surprise. Now that the dust has settled some, and pending further guidance from AG Pam Bondi on what enforcement will look like going forward, it is time for companies to decide how to react, if at all, to the news.

The Anti-Corruption Report spoke with numerous practitioners – both on and off the record – to understand the current state of play and whether companies should adjust their compliance programs. This first article in a two-part series examines the ways that U.S. enforcement will be impacted, both in the near term and further down the line. The second article will cover international enforcement and whether companies should pull back on compliance. Spoiler alert: they should not.

See “Executive Order Presses Pause on FCPA Enforcement” (Feb. 12, 2025).

Current Status: Confusion

The first and most immediate result of the EO is uncertainty.

The EO creates “confusion for companies,” Khushaal Ved, a Hogan Lovells partner based in Singapore, told the Anti-Corruption Report, because “the pause does not repeal the FCPA.” Over the 180‑day pause called for in the EO, which can be extended at the discretion of AG Bondi, “it is not open season on bribery and corruption,” he said, since the laws are still in effect, but what enforcement will look like is unclear.

Companies’ confusion has grander implications beyond just FCPA enforcement, according to Glenn Agre partner Michael Bowen. “The core idea of the FCPA is simple,” he said. Suspending or reducing enforcement suggests that the principles underlying the FCPA are up for debate or that it “can be made subservient to prevailing political whim, which is the antithesis of the very idea of the rule of law.”

Years of Guidance Out the Window?

There was never perfect predictability in FCPA enforcement – as in any criminal enforcement – but the DOJ has gone out of its way to issue guidance and reassurance on what to expect.

Although outcomes are never assured with scientific precision, “much of the FCPA enforcement playbook was predictable, including, for example, which part of DOJ you were dealing with (the Fraud Section’s FCPA Unit) and which policies applied (such as the Criminal Division’s Corporate Enforcement Policy and the Evaluation of Corporate Compliance Programs),” James Koukios, a partner at Morrison & Foerster, told the Anti-Corruption Report. All that has changed. “We do not know whether any aspect of that playbook will remain in place after the pause concludes or what, if any, new standards and policies will replace them,” he said.

What Happens to Pending Cases?

The companies that will feel the greatest immediate impact of the EO are those that are currently, or were, at least up until recently, under investigation by the DOJ. According to the EO, AG Bondi is to “review in detail all existing FCPA investigations or enforcement actions and take appropriate action with respect to such matters to restore proper bounds on FCPA enforcement and preserve Presidential foreign policy prerogatives.”

“In the short term, the EO will directly impact companies that have pending FCPA enforcement actions or active federal FCPA investigations,” Karen Davis, a partner at Fox Rothschild, told the Anti-Corruption Report. “Most other companies likely will not see any immediate impact,” she predicted.

Companies under investigation face unanswered questions. “Are they just frozen in place? Should companies immediately argue that they should be dropped for the policy reasons suggested by the EO, or should they progress as they would have done in the past until they learn the results of the pause?” Koukios wondered.

What Is the Self-Reporting Calculus Now?

Companies that have discovered a bribery or corruption issue internally are another demographic directly impacted by the pause. For many years, the DOJ has issued guidance and offered incentives encouraging companies to self-report issues, most notably the Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). However, the EO directs AG Bondi to issue updated guidelines or policies, including those that provide incentives for voluntary self-disclosure. While companies wait for those revised guidelines, the hard-won predictability provided by the CEP and similar guidance documents and incentives programs is on hold.

Thus, companies that have discovered issues face the difficult decision of whether to self-report. It is unclear what benefits they receive if they self-report with all current guidance under review, Koukios noted.

There is also uncertainty around whether the DOJ will even have any interest in the types of issues companies have identified, Koukios said. Just a few days prior to the EO, AG Bondi issued a memorandum to DOJ attorneys titled, “Total Elimination of Cartels and Transnational Criminal Organizations [TCOs]” (Bondi Memo), which directed the FCPA Unit to prioritize cases involving cartels and TCOs and shift focus away from cases without such a connection.

Additionally, it is not clear to whom companies should self-report, Koukios observed. The Bondi Memo included an announcement of revisions to the Justice Manual that make it easier for U.S. Attorneys’ Offices to charge FCPA and FEPA violations, shifting the cases from the main purview of the FCPA Unit.

See “2024 in Review: Policy Changes Seek to Shift the Self-Reporting Calculus” (Jan. 15, 2025).

America First Leaving Honest Companies Behind

The language of the EO focuses on protecting “American companies” and “American citizens and businesses.” However, a significant portion – almost half by some counts – of corporate FCPA cases have been brought against companies headquartered outside of the U.S.

Targeting Foreign Companies

After the pause ends and new guidelines are introduced, non-U.S. companies may find themselves with increased FCPA risk.

“Given the administration’s goal of ‘America First,’ the Trump DOJ may look to focus enforcement efforts on non-U.S. companies going forward, particularly those operating in industries and regions that the administration sees as a threat to national security or to U.S. economic interests,” David Last, a partner at Cleary Gottlieb and former Chief of the DOJ FCPA Unit, told the Anti-Corruption Report.

Ved also expects that the “America First” agenda likely will result in no new FCPA investigations near term, but “any future FCPA enforcement will be directed towards non-U.S. headquartered companies.”

The “EO emphasizes the importance of preserving American competitiveness, particularly with regard to resources deemed by the administration to be of national security or economic interest,” Koukios observed. With this focus, any revised guidelines issued by AG Bondi “could authorize prosecution of non-U.S. companies for FCPA violations where U.S. national security or economic interests are implicated, while directing prosecutors not to pursue FCPA violations against U.S. companies in similar circumstances,” he suggested.

Less Threat of Litigation for U.S. Companies

The good news for U.S.-based companies is that they are less likely to be targeted for investigation and prosecution by the DOJ.

“U.S. companies will receive more favorable treatment given the expressly stated purpose of the new guidelines and policies,” predicted Jaimie Nawaday, a partner at Seward & Kissel.

While it is difficult to know how things may play out, “given the way that the EO is drafted, U.S. companies clearly may be the biggest beneficiaries of the temporary pause on FCPA enforcement and revised guidance going forward,” Last surmised.

Challenges for Honest U.S. Companies

While U.S. companies that have FCPA issues may benefit from the EO, U.S. companies that are putting in the effort to avoid bribery and corruption may find themselves worse off.

Without the FCPA as a defense, and the DOJ at their backs, U.S. companies and their employees may find themselves greater targets for bribe requests, Ved warned. They could also “become the target of international, local regulators who fear standards may be slipping at these U.S. companies operating abroad,” he said.

Most U.S. companies will not see the EO as an invitation to start paying bribes, Last suggested. “In fact, most companies recognize that the best way to ‘level the playing field’ is by having enforcement that targets competitors that are paying bribes to foreign officials in the countries in which they are operating,” he said.

SEC Enforcement?

The EO is directed solely at pausing and reevaluating DOJ enforcement of the FCPA, but makes no mention of the SEC, which has been a significant player in FCPA enforcement. When it comes to corporate settlements, the SEC’s burden of proof is lower, so there have been more SEC corporate settlements than DOJ settlements, making this an important area of risk for companies listed on U.S. exchanges (the only companies subject to SEC jurisdiction).

Interim Changes at the SEC

As at the DOJ, there have been significant changes at the SEC since inauguration day, Davis pointed out. SEC Commissioner Gary Gensler resigned and was replaced by Acting Chairman Mark Uyeda, who has already called for priority shifts.

For example, the SEC requested a delay in pending litigation over the SEC Climate Risk Disclosure Rules, whose adoption Uyeda had voted against, to “provide time for the Commission to deliberate and determine the appropriate next steps.” The SEC also rescinded Staff Legal Bulletin Number 14L, which had allowed for a greater number of shareholder proposals to be included on proxy statements. “Both of these moves signal a change in course, but whether FCPA enforcement will also shift remains an open question,” Davis observed.

More change is sure to come at the SEC when Chair nominee Paul Atkins is confirmed in his role, which is likely to occur sometime in the spring of 2025. “For now, the SEC website still lists FCPA enforcement as a high priority,” Davis noted.

Falling In Line

While it is unclear how the SEC will proceed, the experts agreed that the Commission is unlikely to completely disregard the EO and its expressed distaste for FCPA enforcement. Additionally, the “Ensuring Accountability for All Agencies” executive order issued on February 18, 2025, gives the White House more direct control of the SEC, Nawaday noted.

“The EO does not speak to SEC enforcement, but it would be surprising if the SEC does not take some step to align its enforcement policies with the President’s agenda,” Koukios said.

The expectation that the SEC will align its enforcement posture with the EO also “means that the SEC will not continue to push the bounds of the internal controls and books and records provisions as in its SolarWinds enforcement action,” Spivack predicted.

At the same time, SEC enforcement may not perfectly mirror DOJ enforcement going forward, according to some commenters. The SEC and DOJ have different missions and stakeholders, and any change in focus by the SEC must consider the impact on investors, Last said. “Part of the SEC’s enforcement efforts under the FCPA are geared towards ensuring that publicly traded companies have accurate books and records and reasonable internal controls over financial accounting.”

See our two-part series on the SolarWinds decision: “Court Narrows Case, but SEC’s Surviving Claims Alarm CISOs” (Aug. 28, 2024), and “Practical Takeaways for Cyber Communications” (Sep. 11, 2024).

FEPA

While the EO explicitly pauses FCPA enforcement, it does not mention enforcement of the Foreign Extortion Prevention Act (FEPA). Initially signed into law by President Joe Biden in December 2023, and then revised in July 2024 in the Foreign Extortion Prevention Technical Corrections Act, the law is designed to allow the DOJ to bring charges against those who accept bribes in addition to those who pay them.

“While FCPA targets those who offer bribes, FEPA complements it by addressing the ‘demand side,’ criminalizing officials who request or accept illicit payments,” Davis explained.

With the EO’s stated goal of protecting American companies, the DOJ could potentially use FEPA to prosecute foreign officials they believe are undermining U.S. national security or economic interests, Koukios said. However, those cases might be few and challenging. “Because FEPA requires a U.S. nexus, and if one assumes the EO suggests that the administration will be less likely to fault U.S. companies for foreign bribery, it might be difficult for DOJ to find jurisdiction to pursue such cases,” he added.

Additionally, prosecuting a foreign official has larger implications than prosecuting a civilian. “Indicting a foreign official is a diplomatically and geopolitically sensitive situation,” Ved observed. As a result, “there will be many discussions between international diplomats and enforcement agencies that may prompt and prefer local enforcement rather than a FEPA charge,” he predicted.

See “The New New Foreign Extortion Prevention Act” (Oct. 9, 2024).

Focus on Cartels and TCOs

The official title of the Bondi Memo may offer clues as to what FCPA and FEPA enforcement could look like going forward: a heavy focus on cartels and TCOs. But it is unclear how the Bondi Memo interacts with the EO and what targeting cartels and TCOs will mean for companies.

Interplay Between the Bondi Memo and the EO

The Bondi Memo was issued on February 5, 2025, and explicitly contemplates future FCPA enforcement, albeit focused on cartels and TCOs. But then on February 10, 2025, the EO was issued, fully suspending all FCPA enforcement without acknowledging the Bondi Memo at all or discussing cases involving human trafficking, guns or drugs.

There is a way that the two documents could be read in harmony with each other, but it is not an easy melody. “One could see an argument that such cases fall within the general ‘national security’ concerns discussed in the EO,” Koukios suggested. “It could be that the Bondi Memo is superseded by the EO, or it could mean that the Bondi Memo will inform the new guidelines that emerge at the end of the pause,” he said.

Historically Insignificant Part of FCPA Enforcement

Even before the EO was issued, the Bondi Memo was puzzling because FCPA cases rarely involve cartels and TCOs. It has happened – for instance, in the case of the protection payments Ericsson made to ISIS to obtain access to terrorist-controlled transportation routes and cities – but not commonly.

“Organized crime, by definition, can infiltrate any industry or business enterprise and has historically subverted everything from small family businesses to fish markets to regional construction and carting industries to financial brokers to banking,” Bowen observed. But the FCPA is not necessarily the best tool to address those crimes. “Although cartels and TCOs undoubtedly benefit from corrupt governments, few, if any, FCPA enforcement actions have directly involved cartels or TCOs,” Koukios said.

The dearth of cases involving cartels and TCOs may be because the business nexus required under the FCPA is difficult to allege in cases involving such clear crimes. “Narcotics trafficking is arguably a business that falls within the FCPA’s business nexus requirement, but there has historically been no benefit to DOJ testing this theory,” Koukios said.

And there are tools that are much better suited to prosecuting cartel and TCO cases. “The existing menu of statutes that target cartel/TCO-related criminal conduct, including laws addressing guns, drugs, and human trafficking, are much easier to prove and generally carry much more substantial penalties,” Koukios noted. “To use the language of the EO, adding FCPA charges in such cases does not seem to be an ‘efficient use of Federal law enforcement resources.’ It will simply bog down otherwise straightforward cases.”

Even if cartels and TCOs have not been a primary focus in the past, directing enforcement resources toward them is consistent with this administration’s broader approach to immigration and national security, Davis noted, pointing to another executive order designating certain cartels and TCOs as foreign terrorist groups.

Shifting Risk

Taken together, the America First agenda, the omission of the FEPA from the EO, and the focus on cartels and TCOs start to sketch in what U.S. enforcement might look like under the Trump administration and how it shifts the risk calculus for companies.

“DOJ’s enforcement of the FEPA (as well as the FCPA) may target foreign officials and other individuals who are permissive of the exact type of cartels and criminal organizations that the Trump administration is looking to fight – specifically, corrupt officials who enable cartels and organized crime, allowing them to thrive and threaten national security,” Last proposed.

Regions where cartels and TCOs operate may become riskier in terms of U.S. enforcement. So far, the administration has indicated that Latin America will be the region with the greatest focus. “DOJ may focus on non-U.S. companies and financial institutions, particularly those operating in Latin America given the administration’s focus on immigration and secure borders,” suggested Lisa Vicens, a partner at Cleary Gottlieb. This region has seen its fair share of FCPA enforcement actions, she noted, largely due to its proximity to the U.S., frequent travel of individuals from there to the U.S., and the use of the U.S. financial system and its banks. But interest in the region for bribery and corruption cases may be about to intensify.

Other high-conflict regions may also become increasingly risky places to do business, Koukios said. “The companies that would likely be most impacted are those that operate in conflict-affected regions, where refraining from engaging in business with organizations that could be classified as cartels or TCOs is more challenging,” he added.

According to Stephanie Yonekura, a partner at Hogan Lovells, the DOJ may look at industries that have been infiltrated by TCOs and cartels in high-conflict regions. “That likely means agriculture, extractive, infrastructure, energy, logistics, and other industries where cartels have either entered or required protection payments from legitimate companies,” she said.

See “How the DOJ Keeps Stretching Its Extraterritorial Reach” (Jul. 31, 2024).

Program Assessments

2025 LRN Effectiveness Survey Finds Lags in Third-Party Diligence


Corporate compliance efforts have to navigate internal challenges, such as perception gaps between different levels of seniority and between generations. At the same time, many companies’ compliance programs are failing to keep up with third-party and supply-chain risks – and the related regulatory requirements.

These are among the major findings of the 2025 Ethics & Compliance Program Effectiveness Report – Caught in the Middle (Report), published by LRN. This latest of the firm’s annual reports on the effectiveness of compliance programs compiled responses from eight countries and 26 industries.

A new feature compared to previous versions of the Report is that LRN not only gleaned answers from compliance professionals, but also from a wide range of company employees. In all, 1,500 compliance professionals, along with 1,500 other employees, responded to the survey.

LRN chief advisory officer Ty Francis spoke to the Anti-Corruption Report about the latest publication. This article distills insights from the Report along with his comments.

See “Survey Finds Increased Value in Having a Culture of Compliance” (Feb. 26, 2025).

Are Senior Leaders Out of Touch?

While senior executives may have a rose-tinted view of how ethically their company is run, lower-level employees are much less likely to believe their company is ethical.

A Disconnect Between the Frontline and Leadership

The existing “disconnect between organizational leaders and frontline employees” acts as a “persistent and significant” barrier to ethics and compliance program effectiveness, according to the Report.

One area in which this emerges is employees’ own assessment of the extent to which they incorporate ethical values into their decisions. Among C-suite executives, 81% report that they do. But moving down the levels of company hierarchy, this percentage gets smaller. Among frontline workers, such as factory employees, just 42% report that their decision-making is aligned with organizational values.

“[L]eadership may believe in the robustness of their ethical framework,” but there is not enough “ethical role-modeling from leaders as perceived by employees,” the Report explains.

In addition, lower-level employees are often skeptical about how fairly misconduct is treated across the company. “Employees frequently note disparities in how values are enforced, particularly at the managerial level, where middle managers may not always embody the high standards expected of others,” the Report notes. Additionally, the Report identifies “an accountability gap, wherein enforcement mechanisms may either be inadequately implemented or unevenly applied.”

This could be because company managers are not “cascading” their messages about ethical conduct effectively enough to those in the lower echelons, Francis suggested.

While senior leaders perceive themselves as having become adept at modeling “tone from the top,” Francis explained, “frontline workers are seeing inconsistencies with how organizational justice is being adopted around the organization.”

This is partly because, as senior management makes directives, middle managers are not doing a good enough job of conveying company values to those under them in the hierarchy. “So a lot of these frontline workers are left in the cold,” Francis observed.

The leadership gap “has been increasing year on year,” Francis said. Top leaders may have well-turned mission statements, but middle management has not conveyed them well, he explained. “Middle managers play a massive role in making sure that messaging isn’t getting clogged up in the middle.”

See our three-part series “How to Build a Compliant Culture and Stronger Company From the ‘Middle’”: Part One (Apr. 1, 2015), Part Two (Apr. 15, 2015), and Part Three (Apr. 29, 2015).

Feedback Loops Can Become More Inclusive

Frontline employees could be more involved in feedback loops to evaluate the effectiveness of compliance enforcement, the Report finds. Indeed, the Report suggests that “anonymous feedback systems, and accessible reporting mechanisms,” can help frontline employees “feel heard.” One way to do that is for “leaders to engage directly with frontline employees to build trust and gain insights.”

“Very few companies actually measure their ethical culture,” Francis observed. Companies may believe that HR and engagement surveys are enough, but he disagrees. Since these are not anonymous and do not ask questions about psychological safety – such as the fear of retaliation if an employee speaks up – they do not really address how employees feel.

To foster more shared understanding of ethical standards and increase the perception of accountability mechanisms as being fair across all levels, companies can try using “town halls, anonymous feedback systems, and accessible reporting mechanisms to ensure frontline employees feel heard,” the Report says. Companies should create “opportunities for leaders to engage directly with frontline employees” and provide training programs that stress “the importance of consistent enforcement and the role of every employee in upholding ethical standards.”

Companies should consider initiating “anonymous digital suggestion boxes” and “periodic ethics reviews at all leadership levels” whose results are shared with employees, according to the Report.

See “Speak-Up Technology: Can It Move the Needle on Workplace Culture?” (May 10, 2023).

The Younger Generation Brings Both Challenges and Opportunities

Members of Generation Z (Gen Z) – the cohort of young adults born between 1997 and 2012 that make up the youngest ranks of employees at companies – are often values-driven and likely to be skeptical of companies’ commitment to ethics. In addition, they are often ready to depart from company rules if they think it is justified.

Expectations but Little Trust

Gen Z employees are twice as likely to report skepticism regarding managerial fairness. They often have “expectations for equity, transparency, and consistent ethical behavior,” but are unlikely to trust that managers are ethical, the Report states.

At the same time, an unusually high 29% of Gen Z respondents said it is acceptable to break the rules if needed to get the job done, according to the Report.

While overall, 55% of respondents agreed that managers uphold the same standards they expect of others, 48% of Gen Z workers believe their managers hold themselves to the same ethical standards as others – the lowest percentage across the generations. Additionally, among all generations, Gen Z scored the lowest for the statement, “Employees in my organization voice their opinions in team meetings, even in front of managers.”

There would therefore seem to be a risk of “reduced compliance engagement” among this generation, the Report deduces.

“Everyone wants to know about the Gen Z conundrum,” Francis remarked. Given that this generation will soon be a large percentage of the workforce, company leaders are keen to know how to deal with it, he noted.

Gen Z’s Values Focus As an Asset

This ethically motivated generation could be powerfully engaged in a company’s efforts provided it takes stock of their positions and preferences.

“This is an incredible opportunity to engage with a generation that wants to be engaged with,” Francis said. Faced with young employees who are “questioning leadership, skeptical about some of the decision-making processes, wanting to be involved in these operational changes,” leaders should “jump on that, rather than seeing it as some blockade to what they are trying to do,” he argued.

Gen Z members “want to be proud of the companies they work for,” Francis commented. It is important for companies to make good use of Gen Z’s “enthusiasm and willingness to speak up,” he remarked.

Companies could do more to design training with Gen Z in mind, taking account of their thought processes, Francis suggested. While Generation X may be happy with an annual review of their job performance, Gen Z members seek quicker feedback on how they are doing and how to improve. “They are using data,” he pointed out.

Creating opportunities for that generation to voice their concerns and state how a company can do a better job is helpful, Francis said. Engaged employees are “less likely to commit ethical misconduct,” he stressed. Companies will find it beneficial to create “behavior-based cultures that lead by values, not so much by rules.”

It is vital for company leaders to “communicate how ethical decisions are made and modeled,” emphasizing “fairness and accountability,” according to the Report. “[T]raining programs tailored to address the unique concerns of each generation, with a specific focus on Gen Z’s expectations for equity and values-driven leadership” can be particularly helpful, the Report suggests.

Moreover, companies would benefit from “avenues for Gen Z and other employees to voice their concerns about leadership and ethical practices without fear of retaliation,” the Report asserts.

See “Rethinking Click-Through Training: The Pluses and Minuses” (Feb. 26, 2025).

Insufficient Attention Paid to Third-Party and Supply-Chain Risks

Third-party and supply-chain compliance emerged from the Report as an area of insufficient focus for many companies. This exposes them to possible risky behavior among partner companies they are not trying hard enough to get to know. Moreover, a rising tide of international law means ever-increasing enforcement risks for companies that are not paying enough attention in this field.

Lagging Due Diligence

The Report finds that adoption rates for third-party and supply-chain due diligence remain low. “[O]nly 27% of organizations overall dedicate significant effort to due diligence before engaging third parties,” and “programs overall do not plan to significantly prioritize third-party due diligence in the near future,” it says. This means companies face risks “including fraud, bribery, and regulatory penalties.”

Compliance measures within supply chains are something that only 24% of organizations name as a training focus area, despite this being a time of “strengthening regulations.”

“Insufficient oversight can result in violations of labor laws, environmental regulations, and contractual obligations,” the Report states. In “industries with sprawling supply chains, such as retail and manufacturing,” there is “a higher prevalence of compliance failures due to limited monitoring,” it finds.

The lack of due diligence may be the result of overwhelmed procurement functions that lack the resources to do more than their standard onboarding process, Francis said. Additional precautions can be seen as “a resourcing burden” at a time when procurement managers are under pressure from their own company to approve third parties, he commented.

This means companies are not sufficiently addressing “a reputational risk issue,” Francis surmised. This is particularly true as Gen Z and its high expectations for ethical behavior become a larger segment of both the workforce and consumers. “In five years’ time, probably half the working population will not want to do business with people who use unethical partners,” he predicted.

No company today has the excuse of several decades ago that it did not know about exploitative conditions used by a third party, Francis warned. Statutes such as the E.U.’s Corporate Sustainability Due Diligence Directive place intensifying emphasis on periodic monitoring of third parties for dangers such as human trafficking and forced labor, he added.

See “E.U.’s Corporate Sustainability Due Diligence Directive Demands Environmental and Social Compliance” (May 8, 2024).

Data Tools Make Due Diligence More Efficient

Companies can address supply-chain and third-party risks more effectively by using data tools. The Report recommends implementing “third-party risk processes and tools that incorporate consistent vetting protocols and ongoing monitoring via centralized platforms.”

Companies should recognize that more efficient use of data can streamline the process of tackling risks, Francis commented. Such tools may help a company identify a specific part of a supply chain, such as a small category of suppliers in a specific country, he explained.

“Embedding supply chain compliance controls and risk assessment into enterprise resource planning” can ensure “visibility into every tier of the supply chain,” the Report says.

Companies should approach the training of partner companies with the same level of dedication with which they train their own employees, Francis suggested. Once suppliers understand the company’s values, they will start operating according to the same principles, he predicted.

Companies should work with “specialized third-party compliance firms to augment organizational capacity where resources are limited,” the Report advises.

See “How Internal Investigations Can Let the Compliance Team Shine” (Jan. 29, 2025).

High-Impact Programs Lead in Tech Use

Not all compliance programs are equal in their ambitions, their deployment of tools and techniques, and their effectiveness. To differentiate between companies that responded to its survey, LRN used a methodology for categorizing companies based on compliance impact. To provide year-over-year insights, this methodology has stayed consistent for almost three decades, the Report says.

Categorization Based on Self-Description

LRN categorizes compliance programs as high-impact, medium-impact or low-impact based on companies’ self-reports of their programs’ cultural effect. LRN elicited companies’ accounts in three areas: ethical decision-making, organizational justice and freedom of expression.

The key question under ethical decision-making was stated as: “Are the choices employees make animated by values or expediency?” Under organizational justice, LRN’s central question was: “Are senior executives and high performers held to the same standards of conduct as other employees?” In the area of freedom of expression, the question was: “Do employees speak up, contribute willingly, and exchange ideas freely?”

Tactics Correlate With Impact Level

The Report identified a growing sophistication gap in the tactics deployed in high-impact programs compared to medium-impact ones.

One difference is in the use of benchmarking tools. “The benchmarking gap between high- and medium-impact programs has grown to 1.9x, with high-impact programs nearly twice as likely to use benchmarking data, reporting data, and leverage advanced tools, including data analytics,” the Report notes.

The use of such tools helps companies “measure performance against their peers and industry standards,” the Report says. “High-performing programs leverage these tools to drive data-driven decisions.”

Misconduct trend analysis can provide insights that help with “identifying, addressing, and preventing misconduct effectively.” High-impact programs demonstrate a greater reliance on such analysis, “with 63% of these programs actively utilizing this tool compared to only 33% of medium-impact programs,” according to the Report.

High-impact programs use speak-up data more effectively, too. “They are 2.0x more likely to analyze this data, enabling them to proactively address risks, foster a culture of openness, and reinforce employee trust in compliance processes,” the Report states.

High-impact programs devote more effort to understanding the complexities of government regulations that affect operations. “They are 1.9x more likely than medium-impact programs to prioritize this effort, allowing them to navigate regulatory challenges with precision and agility,” the Report says.

High-impact compliance programs are also ahead of the game when it comes to third-party vigilance. “They are 2.3x more likely to prioritize third-party evaluation and ongoing audits, minimizing risks, and ensuring alignment with ethical and compliance standards,” the Report notes.

One more area in which the Report asserted that high-impact compliance programs take the lead is preparedness for the risks posed by artificial intelligence (AI). “High-impact programs lead in addressing the challenges posed by emerging technologies. They are 2.2x more likely to focus on AI risks,” it says.

Closing the Gap

Various approaches can address the gap between high-impact and medium-impact compliance programs. “Addressing these challenges requires targeted investments in benchmarking tools, robust training programs, and collaborative knowledge-sharing to ensure compliance programs can evolve with confidence and agility,” the Report explains, suggesting that companies invest in data literacy programs and developing cost-effective benchmarking platforms.

“Companies are trying to find more economic ways of creating robust compliance programs without having to add on four or five members of staff,” Francis observed, suggesting that adopting data tools is a good option. High-impact programs make use of data to predict issues, and this means “they can apply resources more effectively,” he explained.

Using data can help a company avoid addressing compliance issues in needlessly costly ways, Francis said. Instead, it can “dig down” and pinpoint a problem area within its operation, and then “direct resources to fix that.”

See “To Work Effectively, CCOs Need Authority, Autonomy and Information” (Nov. 6, 2024).

Training

How Ericsson Made Compliance Training Must-See TV


Most compliance training is thought of as dry and boring, but if packaged as a dramatic TV show, it can excite and engage employees, according to compliance experts at a company that has seen and reformed its fair share of compliance issues. During the 2024 Compliance & Ethics Institute hosted by the Society of Corporate Compliance and Ethics, Kelly Sargeant, Ericsson’s global head of compliance training and communications, and Vidya Krishnan, its global chief learning officer, explained how their narrative approach to training integrates lessons from different fields without a prohibitive price tag. They also explained how, once a program is up and running, a combination of artificial intelligence and staff contributions can make it ever more efficient.

See “Rethinking Click-Through Training: The Pluses and Minuses” (Feb. 26, 2025).

Generating Excitement

Ericsson introduced its new-look mandatory training program in 2021, with a format intentionally resembling a TV show. The content was captivating, engaging and relatable, Sargeant said.

A trailer was made available to employees of the multinational technology group during the weeks prior to the launch, with a countdown to the release date to generate anticipation. “We wanted it to feel like a movie trailer,” Sargeant explained.

Stories Instead of Lectures

The intention was to create an experience similar to watching a show on the internet outside work hours. “We call it the Netflix approach. People are busy, but they have time for Netflix,” Krishnan noted. Just like the online TV platform, the training program offered “not a lecture” but “a character-driven story,” she observed. “Humans are hardwired to remember stories much better than they are hardwired to remember lectures,” she emphasized. A TV show is able to “act subliminally” on a viewer, she noted.

To help employees stay immersed in the material, efforts were made to meet professional TV standards with the writing of the screenplay and production details such as lighting, Krishnan said.

Realistic Situations

The training episodes present true-to-life scenarios with “many risky business situations,” Sargeant explained. “It begins with someone traveling to an event and they get stuck at an airport,” she said, and then, “the first thing they are asked for is a facilitation payment.”

The show explores situations including “dealing with corrupt officials and with third parties,” according to Sargeant. It reveals “the consequences of corrupt behaviors,” both for the person choosing those behaviors and for the company, she explained.

Among the manifestations of corruption depicted are sham contracts, fake invoices, bribes, kickbacks, challenges around sponsorships and donations, and difficult hospitality situations such as a business partner proposing a lavish restaurant visit, Sargeant recounted. The content is derived from collaboration within the company, “making sure there are scenarios that everyone can relate to or has actually experienced,” she said.

The episodes intentionally “rip from the headlines,” presenting dilemmas that have affected the company, Krishnan said. “The scenarios depicted have happened – and have happened at Ericsson,” she noted. This underlines employees’ sense that “it could happen to me, it could happen here.”

It has been an essential consideration in writing the training shows that they portray “whatever the risks are to the company,” according to Sargeant. The episodes educate employees about “right now, what is happening in the world,” she said.

Convincing Cast

The episodes were filmed in a way that makes the actors appear like real Ericsson employees – sporting their Ericsson badges when they are supposedly at work in an Ericsson location.

The doffing of Ericsson badges upon leaving company premises was one example of a compliance lesson that the program successfully taught, Sargeant remarked. It was apparent that employees remembered this much more strongly once it had been something that characters in the filmed program reminded each other about, she noted.

The films were “so relatable,” according to Krishnan, that some viewers assumed they showed genuine Ericsson employees in an Ericsson office. The realistic production underlined employees’ recognition that they often find themselves in similar situations. The intention was “tapping into the realities of our people and trying to understand them,” she said.

The training is designed to help Ericsson’s employees “know better so that they can do better,” Sargeant stressed. The approach brings compliance home to people as “much more than something abstract,” she said. It helps employees understand how compliance is “connected to the success of the company.”

“Ethics and compliance are embedded in who we are, everything that we do,” Sargeant said, so the training program treated compliance in a “holistic” way.

A range of different compliance topics were treated in the various episodes, but viewers saw “the same actors across these different topics,” Krishnan pointed out. “That makes people realize these are just facets of life at Ericsson,” she claimed.

Using a diversity of characters increased the authenticity of the show. “One of the characters has a hearing aid,” and genders, nationalities and “all the demographics” are variously represented across the cast, Sargeant emphasized.

Watch Parties

The program has been “very successful” in engaging employees, said Sargeant. “Employees would actually look forward to this,” she noted.

It has succeeded in “shifting mandatory training from required to desired,” Krishnan affirmed. “People sometimes go back and watch it again,” she said.

Sargeant noted that “watch parties” are sometimes held, so that employees can come together in small groups and experience the training. “They gather in conference rooms with popcorn and refreshments,” she added.

Employees discussed the material among themselves, tracing connections between what they see on the screen and the work they do, Sargeant said. “It is much more than a training. It is a transformative experience for them.”

See “How Apache Uses Case Studies to Keep Its Training Pain-Free” (Oct. 16, 2019).

A Holistic Approach

The program combines various types of compliance learnings into one package, allowing for a streamlined training experience.

The program aims to engender a mentality among employees that compliance is hard to get wrong and easy to get right, Krishnan said.

Four Trainings in One

The program encompasses four different types of mandatory training, each with its own compliance expectations for employees of Ericsson. In addition to anti-bribery and corruption, the training included data privacy, occupational health and safety, and IT security.

“These are the four that everyone goes through,” Krishnan explained, even though they are the responsibility of different departments.

A benefit of combining these mandatory trainings into one program is the possibility of a consistent, predictable rhythm. Before starting this training initiative, each subject area was firing independently, which meant there was no regular rhythm for training. “Sometimes people had two in a quarter, sometimes they had none,” Krishnan recalled. Now, the training programs happen at a regular quarterly rate. “It will never be more than one a quarter.”

The training films do not repeat but continue in a linear storyline with a new episode each quarter. “The same characters keep showing up,” Krishnan said. As they progress through their fictional lives, the characters deal with compliance issues related to each of the subject areas. Although the course owners each have distinct messages they want to put out, “we try to be very integrated” with the films, she explained.

The episodes do not explicitly signpost when a specific one of the four compliance areas is going to be covered, as this would not be helpful for anyone, Sargeant stressed.

Different Success Measures for Different Functions

Each episode is followed by a quiz to ensure employees have understood the content, Sargeant said.

The format of a single, continuous, short film, followed by a quiz, is consistent, Krishnan noted. “We will never make it more than 30 to 40 minutes,” she affirmed.

Expectations for employees completing the training are different according to their function in the company, Krishnan said. “It is not just how many people complete the training, but: How many people do we need to be level one in this? How many people do we need to be level two in this skill?” Setting such targets can help the company ensure it has “the right people with the right skills at the right place in the right time,” she explained.

Addressing Technical Issues

Prompt technical assistance is a hallmark of the training program, Krishnan said. In earlier training systems, employees would sometimes find the system stuck or frozen. With the new program, those who have such issues will “hear from one of us in seconds,” and will have “issues fixed in hours, or maybe days, but not weeks,” she asserted.

A Race to Completion

The next level up from successfully completing each training is doing so in short order. “Completion velocity” is a concept the program leaders have introduced, with a particular cachet attached to being “done on day one,” or at least within a week of the latest installment’s launch, Krishnan said.

“We ask leaders to model it,” Krishnan commented. In doing so, leaders are showing how committed they are to putting the compliance training ahead of other competing priorities, she argued.

“Completion velocity is where we really show what we mean by integrity,” Krishnan remarked.

New Hires Can Catch Up Quickly

Because the episodes do not repeat, a reduced viewing regime is made available to new hires who join the company without having watched the earlier training films.

“There are certain minimum requirements” for what newly joining employees must watch within the first 45 days of their hiring, Krishnan said, and they are not required to watch all of the series up till then. For new hires, the videos can become their “first impression of Ericsson.”

See “Ericsson Pleads Guilty and Faces Other Consequences for Failing to Comply With 2019 DPA” (Mar. 29, 2023).

Efficiency and Efficacy

Ericsson’s initiative has not been as costly as might be expected, and plans are afoot to lower costs as the program moves ahead into the future.

Costs Considered Worthwhile

Companies do not “need a Hollywood budget” to do something like this, Krishnan stressed. The amount of money spent on Ericsson’s compliance program in this format has been about $1 per employee, per minute of film, per quarter, she said, noting that Ericsson has 100,000 employees.

It has been “worth every penny, and worth new content every single time,” Krishnan asserted. While the investment exceeds what the company previously spent on compliance training, “any kind of ethical violation” can be much more costly, she said.

Ericsson would rather make that “proactive investment” than deal with the fallout from violations, which can be “painful and expensive and reputationally damaging,” Krishnan commented.

So far, the program has been funded through money coming out of each of the different course owners’ budgets, but efforts are under way to find a different model to pool funding, Krishnan said.

AI Offers New Possibilities

Ericsson has been piloting the use of generative AI to create episodes. “We are going to be using it a lot more,” Krishnan remarked. This makes it possible to spend less money on creating the films “but not compromise on quality,” she maintained.

Using AI makes it possible to generate scenes and voices. “If you can imagine it and you can type it, you can build the experience,” Sargeant said.

Employee Writers Will Contribute

Starting from 2025, Ericsson will also save money by inviting its own employees to get involved in writing the episodes. People within the company with relevant skills have been “coming out of woodwork” as the training films continue, Krishnan observed.

“Employees can create their own ethical dilemmas that are relevant to them,” Sargeant explained, adding that content created in this way can be “more engaging” for colleagues.

App Adds to Interactivity

Ericsson has also introduced an app associated with the training program “to enhance the experience even more,” Sargeant pointed out. With this system, employees can line up to view the films in an auditorium, with their badges being checked upon entry.

“They receive an email with the link to the quiz,” which they can then take, “within moments of watching,” Sargeant explained. When an employee has checked in, the app “knows” that person watched it and will send an email nudging them to complete the quiz.

The app “was built by two high school interns,” Krishnan noted. “Not everything that looks expensive is expensive.”

Fulfilling Objectives So Far

The success of the program can be measured in different ways.

One measure of the program’s efficacy is that it has led to “unprecedented completion” and to employees having discussions and debates with each other, Krishnan said.

Rather than a reduction in the number of cases, the targeted results for the training program have been “a reduction in the severity of cases” and for the worst incidents to happen less frequently, according to Krishnan.

The training program has become a “vehicle of culture and transformation,” Krishnan observed. Promoting “integrity and ethical behavior” has been “the biggest transformation and the one that we want the most,” she said.

See “Lessons From Telecom Giant Ericsson’s Billion-Dollar Record-Setting Deal” (Jan. 8, 2020).

SEC Enforcement

Present and Former SEC Officials Discuss Strategy, Testimony, Proffers and Negotiations


Although the new Trump administration is widely expected to favor business interests and ease regulatory burdens, the SEC is sure to continue its work rooting out misconduct in the financial markets. At this year’s Securities Enforcement Forum New York, a panel of present and former SEC attorneys discussed the critical stages of an investigation by the SEC Division of Enforcement (Division). They offered guidance on preparing for initial contact with SEC staff; avoiding friction during the course of an investigation; preparing for interviews and on-the-record testimony; obtaining reverse proffers by the SEC; and managing the Wells process, negotiations and settlements. This article distills the key takeaways from the program.

See “SEC Enforcement Director Grewal Emphasizes Benefits of Cooperation” (Sep. 25, 2024).

Developing a Defense Strategy

Firms should start developing a defense strategy promptly after the first contact from SEC staff, said moderator Lara Shalov Mehraban, partner at Sidley Austin and former Director of the SEC’s New York Regional Office and Associate Regional Director of the Division.

“I think you’ve got to start thinking about strategy before your first conversation with staff,” concurred Zachary S. Brez, partner at Kirkland & Ellis and former staff attorney in the Division. The days of a client’s handing off an SEC subpoena to outside counsel and asking them to handle it are long gone. Clients now generally want to be involved in strategic decisions before their counsel’s first call with SEC staff, he added. Key considerations for outside counsel at the commencement of an SEC inquiry include:

  • whether the client already knows about the issue and whether it has already been investigated;
  • how urgently the client wants the matter resolved;
  • whether the DOJ or another federal or state agency is also involved; and
  • whether the client is the target of the investigation or the SEC is seeking information about a different firm.

See “BIT Mining’s Inability to Pay Nets a $10M Settlement Over Allegations of Bribery in Japan” (Jan. 15, 2025).

Preparing for Initial Contact With SEC Staff

Although counsel must always be guided by the client’s objectives and instructions, several principles generally apply to any initial interaction with SEC staff, the speakers explained.

Establish Credibility

“You want to make sure the staff knows they can rely on you and establish credibility with the staff,” said Lorin L. Reisner, partner at Paul Weiss and former Deputy Director of the Division and Chief of the Criminal Division of the U.S. Attorney’s Office for the Southern District of New York. Demonstrate early on that you want to respond to requests promptly and thoroughly. Avoid seeking to narrow requests on the first call – counsel should establish credibility before seeking any compromise from staff, he advised.

Gather Information

Obtain as much information as possible from SEC staff, continued Reisner. However, open-ended questions about what the investigation entails are unlikely to bear fruit. It may be more productive to focus on the SEC’s requests: “I see you requested this. Can you tell me a little bit more about your concerns in that area or about those documents?” he suggested asking. Of course, that approach may still turn out to be a dead end.

Present the Client’s Position

Be ready to present the client’s affirmative position, if known, as early as possible, added Reisner. It is best to plant such seeds early, even if they must include some caveats, such as, “We’re still investigating and have more work to do.”

Consider Cooperation

Counsel must consider whether the client wants to “go down the road of cooperation,” noted Junaid A. Zubairi, shareholder at Vedder Price and former senior attorney in the Division. If so, the client should “demonstrate by doing and not [just] saying.” To that end, the client should conduct a thorough review of the facts and an internal investigation and present its findings in early meetings with SEC staff. Doing so helps structure the investigation and create a roadmap for how the SEC will view the facts. It will also make the investigation more efficient by identifying which people hold relevant information. Additionally, it may keep staff from “meandering and going into areas where you don’t necessarily want them to go,” Zubairi advised. White papers can also be effective but are probably more appropriate later, once facts and legal issues have been more clearly identified, he added.

See “Moog’s $1.7M SEC Deal Spotlights Subsidiary Liability, Third-Party Risk and Self-Reporting” (Nov. 20, 2024).

Avoiding Friction With the Staff

“I don’t like to give advice to the defense bar,” said Sheldon Pollock, an Associate Director of the Division in its New York Regional Office, who noted that the views he expressed were his own, not those of the SEC or any of its commissioners or staff. Still, “open, effective and productive dialog between the government and defense counsel is crucial for both sides in handling a complex securities matter,” he said. Early communications can help SEC staff focus on key issues. They may also provide a better understanding of complicated financial products and business processes with which staff may be unfamiliar.

Although the SEC expects defense counsel to be zealous advocates, friction can arise when the SEC does not have all the operative facts at key points during the process, including settlement discussions, evidence reviews and Wells meetings. SEC staff do not want to be surprised with new facts after they have taken testimony, especially facts central to the case. The concern is not over an inadvertent failure to produce a document. Rather, it is about new facts that delay the process and undermine trust, Pollock stressed. To minimize such potential friction, counsel should:

  • ensure good communication with SEC staff;
  • commit to a production timeline for documents;
  • help staff identify documents that are important to the case; and
  • avoid surprising staff with new facts or explanations the staff did not have a chance to investigate.

Navigating Testimony

Interviews and On-the-Record Testimony

How counsel approach interviews and testimony will depend on several factors, said Brez. Although some matters will always be on the record, when possible, counsel should push for off-the-record interviews, especially if they believe a person will not be a good on-the-record witness. Key considerations include:

  • the nature of the matter and the witness’ role in it;
  • whether the testimony could reveal misconduct or other problematic matters; and
  • whether the witness’ expected demeanor is likely to raise concerns among SEC staff.

When SEC staff seek testimony from someone, defense counsel may not know whether there is a parallel criminal investigation, noted Zubairi. If counsel believes the inquiry poses a substantial risk to the client, it is better to push for early meetings or an attorney proffer, rather than on-the-record testimony.

A staff attorney will never reveal whether there is a parallel criminal investigation, continued Zubairi. Still, if an attorney has a good rapport with staff, the attorney might be able to defuse a potentially serious situation. For example, in one matter, a good employee used terrible judgment, forging documents and submitting them to exam staff, he recounted. Counsel investigated, reported it to the SEC staff and had a candid conversation about whether the matter would be referred to the DOJ. Staff responded, without assurances, that they were not interested in making the matter any more serious. In such fraught interactions, “it comes down to communication and credibility,” noted Mehraban.

Testimony Preparation

One of the most important tasks in preparing for testimony is ensuring the witness is comfortable with the documents the witness is likely to be asked about, said Reisner. SEC testimony differs from a deposition in certain important respects. “Evasiveness is never going to work for a witness who’s testifying in an SEC proceeding,” he observed. “Nothing good is ever going to come out of that.” Additionally, a witness should never spar with the questioner, no matter how difficult or ridiculous a question may seem. “Don’t spar. Don’t fight. Just answer the question truthfully and to the best of your ability. That’s going to score you more points than any other approach,” he stressed.

Counsel should also be wary of “master of the universe” witnesses, who can be particularly challenging, according to Brez. They may ignore their counsel’s preparations and advice and believe they can charm the staff. This is sometimes known as “CEO disease,” observed Reisner. The toughest response a senior executive may have to give is, “I don’t know,” or “I don’t recall,” even though it may be the truthful answer. “There are some people that, no matter what you do, there’s nothing you can do,” he said. For example, some witnesses ignore advice, even saying, “Counsel told me not to volunteer information, but . . .,” he recounted.

Consequently, counsel should seek to develop credibility and trust with witnesses to ensure they take advice to heart, recommended Reisner. A war story about how testimony went horribly wrong can be effective. Additionally, counsel should prepare witnesses using multiple questioners, noted Mehraban. Causing a client to become uncomfortable during a practice session can illustrate how things could go wrong.

SEC testimony is typically taken by the assigned SEC staff member, along with the person’s manager, an assistant director and, if the case may be headed toward litigation, trial counsel, explained Pollock. It is rare for him to attend testimony. He may learn of testimony in quarterly meetings with assistant directors or by asking about the testimony of a crucial witness in a matter.

Obtaining Reverse Proffers

Toward the end of some investigations, SEC staff may meet with defense counsel; share key findings and proposed charges; and seek a resolution, said Pollock. So-called “reverse proffers” show that staff is prepared and determined to move forward with litigation if a settlement is not reached. A reverse proffer requires the staff to review evidence and consider how they would present their case. It can expedite settlement and make the process more efficient. However, because reverse proffers take a significant amount of effort, they are not used in every matter. Additionally, there will never be a reverse proffer in a matter involving an undercover criminal investigation or if key evidence is known to both sides and the proffer is unlikely to move the needle toward settlement, he added.

Although SEC proffers can provide valuable insight into the staff’s thinking, they may also cause staff to “get locked into positions as a result of that investment of resources and fall more deeply in love with their case,” Reisner cautioned. Rather than waiting for a reverse proffer, he prefers to try to approach SEC staff on core factual and legal issues during the investigative process.

Managing the Wells Process

In the Wells process, the Division notifies a firm that it intends to recommend enforcement action and offers the firm an opportunity to make a submission regarding the proposed action. By the time defense counsel have to decide whether to make a Wells submission, they may already have submitted a white paper or made other presentations to staff, noted Zubairi. If there is a legal or factual issue on which defense counsel and SEC staff are unlikely ever to see eye to eye, or if litigation is inevitable, it may not be advisable to make a Wells submission with which counsel will be stuck.

Although the Wells process has been in use for more than 50 years, it has become much less common over the last decade, continued Zubairi. The process can be very beneficial when defense counsel has access to all documents produced, can review relevant transcripts and make a fulsome presentation. Unfortunately, defense counsel have had less access to evidence, making it harder to prepare compelling Wells submissions.

Many interactions with SEC staff now occur long before a Wells notice, according to Reisner. Although it can be important to meet with SEC enforcement leaders, “your most important constituency in an investigation is going to be the staff attorney” and, at times, that attorney’s supervisor, he noted. When meeting with SEC personnel, counsel should be prepared with strong written submissions and “tight presentations, not 50‑page PowerPoints,” he advised.

There have been indications that the SEC under the Trump administration will be receptive to using the Wells process in a more traditional way, said Zubairi. Counsel should continue to push for opportunities to meet with staff and advocate for their clients. Of course, “I’ve never walked into a meeting with a staff attorney who said, ‘Tell us why we’re wrong and we’re going to close this,’” he remarked. When meeting with staff, counsel should be credible, focus on the evidence, highlight the legal or factual flaws in the SEC’s case and make arguments in a nonemotional way. That approach will not change under the new administration.

Counsel should not try to put every issue into a presentation, Pollock added. Wells meetings usually last about an hour, so counsel should focus on key points of disagreement. Defense counsel’s use of a meeting for the sole purpose of threatening to go to trial is rarely productive. If the SEC issues a Wells notice, it has already determined it has a strong case and can prevail. Of course, defense counsel should not hesitate to discuss litigation risks with SEC staff. For example, savvy defense counsel might preview how they would try the case, including trial themes, witnesses and other evidence.

Advising Clients About Attendance at Meetings

“In general, I try to talk clients out of coming to any meeting with the government,” but they often insist, said Brez. Counsel should always advise clients of the risks of attending a meeting. For example, if counsel knows the SEC is going to ask a question with a problematic answer, counsel may point out that:

  • a direct answer will be problematic;
  • responding “I don’t know” will look bad if the person should know; and
  • being evasive will also look bad.

When an individual is the target, it is almost never advisable to bring the individual to any meeting with SEC staff, added Zubairi. If the target is an organization, it is usually not advisable. On the other hand, in some matters, including highly contested ones, bringing the respondent’s GC can show how serious the respondent is about litigating. Similarly, in a case involving financial issues, bringing a new CFO can help show the respondent has sought to remediate the issue.

Strategizing for Negotiations, Settlements and Litigation

Although there will be changes at the SEC under the Trump administration, those changes will probably not warrant significant alterations in strategy for interacting with SEC staff, according to Reisner. The “holy grail” will always be to persuade SEC staff early on to discontinue their investigation.

The SEC under the Trump administration is likely to be hostile to so-called regulation by enforcement, noted Reisner. Consequently, there may be some opportunity to push back in areas where regulations and/or SEC policy are not clear, he opined. Additionally, in recent years, SEC staff were unlikely to be persuaded by outcomes in comparable matters or precedents. The incoming staff may be more respectful of comparable situations and precedents, especially as to corporate penalties. “I think that there will be opportunities to argue no actual harm to investors and no financial benefit to the corporation in order to have potentially constructive conversations around appropriate corporate penalties,” he added.

When seeking to negotiate a settlement or persuade the SEC to downgrade charges, defense counsel generally should lead with their most important points and their clients’ “must haves,” advised Pollock. They should not send a heavily redlined document without any explanation, nor should they expect to change stock language the SEC has used in settlement orders for decades.

Once a matter is in litigation, it proceeds in a manner similar to other standard civil litigation, according to Reisner. Defense counsel can portray itself as the more reasonable party, pointing out places where staff may have overreached in a complaint or where evidence may not support the allegations. “But, you know, once you’re in litigation, you’re in litigation,” he said.

See our two-part series on Raytheon’s $950‑Million settlement: “Does It Count As a Win?” (Dec. 4, 2024), and “Raytheon’s $950‑Million Settlement: Unlocking the Compliance Opportunities in Multiple Monitorships” (Dec. 18, 2024).

Artificial Intelligence

AI Meets GDPR: Mitigating Risks and Scaling Compliance in the Development and Deployment of AI Models


The European Data Protection Board (EDPB) opinion 28/2024 (Opinion) on the processing of personal data in the context of artificial intelligence (AI) models conveys a clear message that entities developing and deploying these models need to take a proactive, risk-based approach to data protection. Companies subject to the E.U. General Data Protection Regulation (GDPR) as well as emerging regulations in various U.S. jurisdictions face challenges in complying with seemingly ever more complex layers of legal requirements.

This second article in a two-part series covering the Opinion offers best practices for controllers when processing personal data in the context of AI development and deployment, suggests strategies for navigating the regulatory landscape, and examines the Opinion’s impact in the broader AI and privacy legal arena. Part one discussed significant elements of the Opinion and its implications for entities subject to the GDPR.

See “CJEU Decision Adds Antitrust Regulators as New GDPR Concern for Companies” (Aug. 16, 2023).

Opinion’s Key Points

In the Opinion, adopted on December 17, 2024, and issued in response to a request from the Irish Data Protection Commission (Irish DPC), the EDPB “provides guidelines regarding the protection of personal data in the context of the development and operation of AI models,” explained Lorraine Maisnier-Boché, counsel in the Paris office of McDermott Will & Emery.

The Opinion, focusing on anonymization, legitimate interest as a legal basis and the impact of unlawfully processed data, sets a high threshold for AI model anonymity. For an AI model to be deemed anonymous, an organization must be able to show that personal data from training the model cannot be extracted from the model. The Opinion also emphasizes that legitimate interest assessments must address lawfulness, necessity and a balancing of interests.

Pursuant to the Opinion, although unlawfulness of initial processing does not automatically make the subsequent operation of the model unlawful, controllers still need to assess whether an AI model was developed by unlawfully processing personal data.

The Irish DPC’s request defined an AI model more narrowly than it is defined in the E.U. AI Act (AI Act). “This is probably because AI models are not explicitly defined in the AI Act,” explained Catharina Glugla, a partner in the Dusseldorf office of A&O Shearman.

See “Irish Data Protection Commissioner Helen Dixon on Thorny GDPR Issues and a Potential U.S. Privacy Law” (Jun. 26, 2019).

Best Practices for Controllers

Given the high bar the EDPB has set – even though the Opinion is just guidance – controllers can take steps to mitigate risks and demonstrate accountability related to the processing of personal data in the context of AI development and deployment.

Ensure Transparency Throughout the AI Lifecycle

The EDPB Opinion notes that, when using personal data, “companies may reduce the risk of non-compliance by making their AI models anonymous and by establishing a consistently high level of transparency throughout the AI value chain, which includes providing as much information to data subjects and other interacting users as possible,” Glugla said. The transparency guidance applies to “all stages in the development of an AI model in which personal data is processed – collection of training data, AI training itself, process optimization and ongoing use of an AI model,” she clarified.

Tackle Anonymization Challenges

“The EDPB has set a very high bar” for an AI model to be considered anonymous, Anne-Gabrielle Haie, a partner in Steptoe’s Brussels office, told the Anti-Corruption Report. The Opinion clearly states, she continued, that “an AI model will be considered anonymous only if the controller can provide extensive evidence demonstrating that personal data from the training set cannot be extracted from the model or obtained through interaction with it, considering all means reasonably likely to be used by the controller or any other person to identify individuals.”

Assess

According to the EDPB, “the likelihood of extracting or obtaining personal data from the model should be insignificant,” Haie noted. “Achieving this level of anonymity will require AI model developers to conduct a thorough assessment and take measures at both the development and deployment stages to reduce the likelihood of obtaining personal data,” she said.

Limit Collection of Personal Data

Developers should select training data sources carefully to avoid or limit the collection of personal data and incorporate privacy-preserving techniques to lower the likelihood of obtaining personal data from model queries, Haie advised. “These efforts should be supported by documented evidence confirming the effectiveness of their anonymization measures,” she added.

Controllers also might “consider what safeguards can be built in to reduce the risk of reidentification either through model queries or other methods of extraction – such as filtering,” suggested Izabela Kowalczuk-Pakula, a partner in the Warsaw, Poland, office of Bird & Bird.

Take Steps to Mitigate Risk Where Personal Data Is Required for Functionality

Some AI models need personal data to function effectively. “Specific types of AI models have core features that require the AI model to be trained on personal data of public persons, for example, learning ‘Who is the President of the United States’ and ‘Who wrote the Harry Potter series of books,’” Marijn Storm, a partner in the Amsterdam office of Morrison Foerster, pointed out. “The capability to competently respond to such inputs is mutually exclusive with full anonymization of training data to a GDPR standard,” he noted. If the data was fully anonymized, the model would not be able to answer basic questions about public figures.

To be able to rely on the legitimate interest test, mitigation measures should be implemented, such as “data minimization at the source, and preventing the collection of information from sources that are particularly sensitive; removing sensitive information prior to training of any model; and contextual anonymization, masking personal or sensitive information as the model is trained,” Storm advised.

Companies also must conduct due diligence on compliance of third-party AI models, Storm added. “Insufficient due diligence constitutes a violation of the GDPR’s accountability principle,” he said.

Ensure Proper Policies Are in Place

To mitigate enforcement risks, “companies that develop or modify AI models should create policies and procedures that describe how AI training data is collected and how it is cleaned prior to training,” Storm suggested. Companies that “deploy AI models should set out acceptable use policies to ensure that the AI models are used for their intended purposes, and not for purposes for which the risks were not assessed and mitigations were not put in place,” he added.

Understand and Navigate the Full Legal Landscape

Undertaking best practices in a competent way requires navigating an array of legal requirements. “AI-specific legislation like the AI Act sits within a much broader landscape of wider data and digital legislation,” Glugla explained, referencing the GDPR as well as the Data Act and the Digital Markets Act. A broad spectrum of laws applies to “different aspects of AI development and deployment, and many of these laws are evolving or the application of them in an AI context remains uncertain (such as IP, privacy, antitrust, financial and consumer protection laws),” she noted.

While both the AI Act and the GDPR apply to AI systems that process personal data, their focus differs: the GDPR addresses data protection, while the AI Act focuses on AI system risks and accountability.

The AI Act and the GDPR “are of equal value and apply in parallel if personal data is processed in the AI context,” Glugla said. Recitals 10 and 63 of the AI Act “indicate that the regulation is not intended to provide guidance on how personal data is dealt with,” she highlighted. “Instead, data protection in the context of AI applications should primarily be assessed against the standards set out by the GDPR,” which, she noted, is “technology-neutral and, in principle, provides a solid legal framework in terms of data protection for all kinds of new technologies.”

The EDPB has “emphasized the importance of the E.U. digital legislation being consistent with the GDPR in several statements,” Glugla said, mentioning a statement adopted in December 2024 aimed at fostering cross-regulatory uniformity and cooperation and a letter to the AI Office in which the EDPB pointed out the “strong entanglement” between the AI Act and data protection law. “Since the concretization of this complex interplay is not a task that can be completed immediately, the EDPB is pursuing this as a long-term target as part of its ‘Strategy 2024‑2027,’” she highlighted.

One area of potential conflict between the AI Act and the GDPR concerns automated decision-making. “The use of AI opens up broad possibilities for making human decisions obsolete,” Glugla remarked. “However, according to the GDPR, fully automated decision-making that affects people is subject to very strict requirements,” she observed. The extent to which AI-driven decisions comply with the GDPR may be an issue in the not-too-distant future.

Scale Compliance Strategies

Despite uncertainties around the interactions between the AI Act and the GDPR and the nonbinding nature of the Opinion, it still serves as a viable indicator of how data protection authorities will approach AI-related data protection. Given the EDPB’s role in fostering consistent application of the GDPR in the European Economic Area, multinational corporations managing AI models across various jurisdictions with differing privacy laws should nevertheless be concerned about scalability in adapting their strategies for complying with differing data protection requirements.

While data privacy laws around the world are hardly identical, “most are based on similar principles such as minimizing data processing and reducing the impact on individuals to the minimum required to achieve the relevant purpose,” Storm pointed out.

“The obligations identified in the Opinion can be scalable for multinational corporations,” Haie maintained, but these organizations will probably have to use E.U. standards as a baseline “even in jurisdictions with more flexible regulations,” she said.

Adhering to E.U. standards as a compliance baseline “may result in higher operational costs and necessitate more comprehensive training and awareness programs for employees,” Haie cautioned. Additionally, corporations taking this approach will need to “continuously monitor and adapt to changes in both E.U. regulations and the data protection laws of other countries to ensure ongoing compliance,” she said.

Align With Industry Best Practices

The Opinion provides a narrow but detailed perspective on AI compliance, contrasting with broader AI governance frameworks like the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF 1.0) and the ISO/IEC 42001:2023 Information technology – AI Management System standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which “aim to address all risks that can materialize throughout the AI lifecycle,” Storm explained. The Opinion “zooms in on a small part of the AI lifecycle and provides much more specific guidance on this small part,” he observed. The distinction highlights the need for organizations to align their AI governance strategies with both industry best practices and regulatory requirements.

See our three-part series on AI for anti-corruption compliance: “Foundations” (Oct. 28, 2020); “Building a Model” (Dec. 2, 2020); and “Five Workarounds for Asymmetric Data Sets” (Feb. 3, 2021).

Due Diligence Burden on Controllers

The burden is on controllers to verify the legality of AI models before they are used. Thus, AI vendors and data sources will need to be vetted. “In its Opinion, the EDPB clearly reiterates that the accountability principle under the GDPR entails an obligation for controllers to ensure the lawfulness of their processing activities,” Haie highlighted. In practice, “this means that organizations are expected to conduct thorough due diligence before deciding to use a given AI model,” she cautioned. It will be difficult for a company to claim that it is unknowingly using an AI system that is not compliant with the GDPR “unless such thorough due diligence has been conducted and the vendor has willfully” been misleading in the process, she added.

The Opinion “clarifies that not knowing about the noncompliance of an AI model is no defense under GDPR,” Storm contributed. Controllers have “an independent obligation to conduct due diligence on AI models to comply with the GDPR’s accountability requirements,” he likewise noted. Lacking proper due diligence on the AI models that are used can result in fines. “In addition, the Opinion confirms that DPAs have the power to order the deletion of an AI model that is unlawfully trained, provided that this constitutes a proportional measure,” he cautioned.

Violating the GDPR by using an AI model that is not compliant with the law could lead to corrective measures, such as administrative fines of up to €20 million or 4 percent of a company’s global annual turnover, depending on the infringement, Haie noted. Organizations may also be “ordered to remediate the infringement or to partially or fully erase datasets,” she said. Beyond these legal repercussions, she warned, “non-compliance could result in reputational damage, leading to a loss of trust from customers and partners.”

The bottom line is, although “AI is very promising and attractive, careful consideration is required before deploying it,” Haie cautioned.

See “DOJ’s 2024 Edits to the ECCP: Some History and AI Expectations” (Nov. 6, 2024).

Opinion’s Impact on AI Development and Regulation

Will Not Encourage or Stifle Innovation

“The Opinion on its own is unlikely to significantly encourage or stifle AI development or deployment, as it merely provides guidance on how GDPR principles should be applied in a given context,” Haie opined. However, the broader E.U. legal framework, including the GDPR and the AI Act, may present challenges given the obligations it imposes. This legal framework is “particularly cumbersome for smaller players, who are likely struggling to find the resources, whether human or financial, to comply while continuing to innovate,” she observed.

Clear Guidelines Requiring Tech Expertise From Regulators

At the same time, though, the Opinion “provides clear guidelines on very challenging and novel legal issues,” Haie observed. “Collaborating and reflecting on how to approach data protection in the context of AI model development and deployment has certainly been a very informative exercise for regulators,” she continued. The Opinion’s application presents regulators with some difficulties given the technical expertise necessary to assess compliance. “Not all E.U. Supervisory Authorities have sufficient human resources and technical expertise to assess compliance with GDPR in light of the standards set by the EDPB,” she noted.

Distinguished From Commission Guidelines

“The recently issued Annex to the Commission Guidelines on the definition of an AI system under the AI Act does not directly impact the EDPB Opinion,” Glugla explained. “The Annex provides guidelines on the definition of an AI system whereas the EDPB opinion focuses on AI models,” she said. The Opinion references Recital 97 of the AI Act, which states that AI models are not AI systems on their own but typically are integrated into larger AI systems, Glugla observed.

Opinion’s Place in Protecting Data Privacy

Limited Scope

The scope of the Opinion is limited by the specific GDPR mechanism under which it was issued, Storm explained. Since the Opinion was developed in response to questions raised by the Irish DPC, it only addresses those specific issues. As a result, broader topics, such as the use of web scraping to collect the information required to train an AI model, still require further clarification, he noted.

Areas That Require Further Clarification

While the Opinion sets high standards for data privacy, its practical implementation “is an open question,” Haie said. Some aspects of development and deployment of AI models are not fully addressed. “Further guidance and clarification will be necessary to build a robust, practical, and innovation-friendly data protection framework in this respect,” she opined.

Topics Excluded

The Opinion “specifically excludes special category data, automated decision making, profiling, compatibility of purposes, [data protection impact statements] and the principle of data protection by design,” Glugla said. By doing so, it highlights those as key areas that still require further clarification, particularly regarding the intersection of the AI Act and the GDPR, she noted.

Differences in Interpretation

The EDPB aims to “ensure consistent application and enforcement of data protection law throughout the European Union,” observed Glugla. Although the EDPB has authority to issue decisions for all supervisory authorities, this Opinion remains nonbinding, she noted. Differences in interpretation of the GDPR – particularly in the AI context – persist across E.U. member states, Glugla continued.

Web Scraping

The Opinion takes a nuanced stance on web scraping. Unlike previous statements, such as in the ChatGPT Interim Report, the Opinion “no longer implies that social media data is an impermissible source,” according to Kowalczuk-Pakula.

The permissibility of web scraping, especially of social media sites, “is still a case-by-case decision and depends on the specific circumstances and the extent to which data is processed,” Glugla said. Since web scraping is a data processing operation, it is subject to the GDPR, meaning a valid legal basis must be established for its use. GDPR Article 6(1)(f) (processing for legitimate purposes) may apply, but controllers must conduct a detailed balancing of interest test to determine whether scraping is justified, she added.

See our AI Compliance Playbook: “Traditional Risk Controls for Cutting-Edge Algorithms” (Jun. 23, 2021), “Seven Questions to Ask Before Regulators or Reporters Do” (Jul. 21, 2021), and “Adapting the Three Lines Framework for AI Innovations” (Aug. 4, 2021).

People Moves

Nicole Argentieri Joins Cravath in New York


Nicole Argentieri has joined Cravath, Swaine & Moore’s New York office as a partner and member of the firm’s investigations and regulatory enforcement practice. Argentieri most recently served as the DOJ’s Acting Assistant AG for the Criminal Division.

Argentieri advises corporate and individual clients on civil and criminal matters, drawing upon decades of experience as both a federal prosecutor and a defense lawyer in private practice. In her senior roles at the top of the Criminal Division, she supervised investigations and enforcement matters, including those involving transnational and organized crime, cybersecurity, public corruption, money laundering, securities and healthcare fraud, sanctions and intellectual property theft. Earlier in her career, Argentieri was a prosecutor in the U.S. Attorney’s Office for the Eastern District of New York, rising to the rank of Chief of the Public Integrity Section.

Argentieri began her career as an associate at Skadden and, between her stints at the DOJ, spent four years as a partner at O’Melveny & Myers.

For commentary from Argentieri, see our three-part series on the DOJ’s 2024 edits to the ECCP: “Some History and AI Expectations” (Nov. 6, 2024), “Data Analytics to Find Risks and Measure Effectiveness” (Nov. 20, 2024), and “Speaking Up, Compliance Resources and Lessons Learned” (Dec. 4, 2024).

People Moves

Gibson Dunn Welcomes Former BIS Official


Gibson Dunn has announced the addition of Matthew Axelrod to its Washington, D.C., office as a partner. Axelrod will sit in the firm’s white collar defense and investigations practice group and serve as co-chair of its new sanctions and export enforcement practice group. He joins from the Department of Commerce’s Bureau of Industry and Security (BIS), where he was Assistant Secretary for Export Enforcement.

Axelrod’s practice focuses on white-collar criminal defense, internal investigations, and compliance counseling for U.S. and foreign institutions and executives. He has extensive experience with criminal, export control and national security enforcement.

In his previous role at the BIS, his team prevented the export of sensitive goods and technologies that could be used by nation-state adversaries to modernize their militaries or commit human rights abuses, ensured that U.S. persons did not participate in unsanctioned foreign boycotts, and brought a record number of criminal and administrative enforcement actions. He also co-led the Disruptive Technology Strike Force, an interagency law enforcement initiative that targeted illicit actors, protected supply chains and prevented critical technology from being acquired by authoritarian regimes and hostile nation-states.

Prior to his time at the BIS, Axelrod spent over thirteen years at the DOJ, including as Principal Associate Deputy AG, where he advised the Deputy AG and AG on the DOJ’s most sensitive matters, including its most consequential criminal and national security corporate enforcement matters. Earlier in his career, he held roles as Assistant U.S. Attorney in the Southern District of Florida, where he conducted 19 felony jury trials and handled some of the office’s most high-profile cases, and Special Counsel in the White House Counsel’s Office, where he advised on national security and domestic issues.

Axelrod also previously practiced for four years as a partner at Linklaters, where he represented companies and individuals in internal investigations and government enforcement matters.

For commentary from Axelrod, see “Are Recent Export Controls Enforcement Actions Low-Hanging Fruit or a New Wave of Prosecutorial Zeal?” (Sep. 25, 2024).

People Moves

Holland & Knight Strengthens Litigation Practice in Philadelphia


Holland & Knight has announced the addition of Peter Hardy as a partner in its litigation practice in Philadelphia.

Hardy advises corporations and individuals across a range of industries against allegations of financial fraud, including money laundering, tax fraud, mortgage fraud and lending law violations, securities fraud, public corruption, FCPA violations and other financial fraud. He also counsels financial institutions and businesses on their anti-money laundering (AML) obligations under the Bank Secrecy Act and other compliance requirements, including issues involving anti-corruption, sanctions law, countering the financing of terrorism, digital assets and cryptocurrency.

Prior to joining Holland & Knight, Hardy was a partner at Ballard Spahr, where he co-led and founded the firm’s AML and tax controversy teams. Before entering private practice, he spent more than a decade as a federal prosecutor. He served as an Assistant U.S. Attorney in Philadelphia, where he focused on fraud and financial crime cases. He also served as a trial attorney for the DOJ’s Tax Division.

For commentary from Hardy, see “Navigating the Intersection of Digital Assets and AML” (Jul. 20, 2022).