1 April 2024 17 minute read
2023 compliance year in review and what to watch in 2024: Priorities highlighted by US regulators
2023 brought an increased focus on corporate offenses and
activities that will continue to have implications on
corporate compliance programs into 2024, particularly in
the global corruption and domestic national security
spheres. Last year saw additional guidance from the
Department of Justice (DOJ) regarding the evaluation of
corporate compliance programs, an increased focus on
voluntary self-disclosures including a safe harbor for
misconduct discovered in connection with mergers and
acquisitions, and a continued practice of coordination by
regulators with international law enforcement. We
also saw heightened disclosure requirements regarding
material risks based on economic, social, and political
developments including risks related to cybersecurity
threats, climate change, artificial intelligence,
political instability, and much more.
Based on developments during 2023, we can expect
continued emphasis by regulators on well-resourced,
risk-based compliance programs that are continuously
tested for effectiveness. This is already playing
out in early 2024 with DOJ reiterating its key priorities
and announcing a new DOJ-run whistleblower rewards program
and amendments to the Criminal Division’s guidance
on Evaluation of Corporate Compliance Programs (ECCP) to
include assessment of the risks associated with disruptive
technologies, including artificial intelligence (AI).
Companies should be proactive in continuing to customize
their compliance policies and controls to address
everything from the new requirements from DOJ regarding
preservation of ephemeral messaging platforms, leveraging
data, and instituting compliance-linked compensation
structures, to addressing broader areas of interest
including anti-money laundering, sanctions, cybersecurity,
privacy, and the ever-expanding ESG.
Below, we review major themes from 2023 and highlight what
to expect in 2024 in the US in areas of privacy,
cybersecurity, anti-bribery and anti-corruption, sanctions
and anti-money laundering, and ESG.
Privacy
Numerous states across the US enacted comprehensive
privacy laws in 2023, including Delaware, Florida,
Indiana, Iowa, Oregon, Montana, Tennessee, and Texas. New
Jersey and New Hampshire joined the pack in early 2024.
Generally, these laws require companies to ensure that
consumers can access, delete, and correct their personal
information and opt out of certain activities deemed to be
“sales” of their personal information or
targeted advertising. These states join California,
Connecticut, Colorado, Virginia, and Utah, whose
comprehensive state privacy laws have already gone into
effect. State attorneys general have enforcement authority
under effective state privacy laws and are expected to
begin or continue enforcement in 2024. In California, an
appellate court in February 2024 reversed an order from
last year pausing the enforcement of the latest set of
regulations to the California Consumer Privacy Act (CCPA)
promulgated by the California Privacy Protection Agency
(CPPA), effectively beginning enforcement of the new
regulations immediately. Companies operating in California
therefore should ensure they are in compliance right away.
Other states, including Oregon, Texas, and Montana, will
have new privacy laws go live in 2024, while proposals are
currently on the table in states including New York,
Massachusetts, Hawaii, Maine, and Wisconsin that could see
movement this year. In Washington and Nevada, laws
focusing specifically on the protection of consumer health
data – an important area of increasing focus
throughout the US – go into effect in 2024.[1]
This flurry of activity at the state level stands in stark
contrast to slow-moving developments at the federal level,
but 2023 did see some federal movement. Bipartisan support
for children’s privacy led to the Senate Commerce
Committee advancing the Kids Online Safety Act (KOSA), an
online safety bill that would expand protections for
minors, in July 2023. Amendments to the legislation were
recently proposed in February 2024.[2] Also in July 2023, the Children and Teens’
Online Privacy Protection Act (COPPA 2.0) unanimously
passed the Senate Commerce, Science, and Transportation
Committee and an updated version of the Act gained new
sponsors in February 2024.[3]
Children’s privacy was a state-level interest as
well. Litigation involving children’s privacy laws
in California and Arkansas, which limit kids’ social
media access, is currently pending, and these cases focus
on the question of the constitutionality of age
verification and estimation requirements in the
states’ laws.[4]
Cybersecurity
Cybersecurity was also a subject of major focus in 2023
and will continue as such in the year ahead as it directly
impacts national security concerns. Among other
developments, the Securities and Exchange Commission (SEC)
finalized new cybersecurity rules in 2023 following
President Joe Biden’s call in March 2023 for a more
aggressive response to hacking threats.[5] These rules require registrants that are subject
to the reporting requirements of the Securities Exchange
Act of 1934 to make public disclosures of cybersecurity
incidents within four business days of making a
materiality determination, and to disclose on an annual
basis information regarding their risk management,
strategy, and governance related to cybersecurity
threats. These new rules are intended to ensure the
disclosure of information regarding whether and how
companies manage their cybersecurity risk. While the rules
concern disclosure requirements, in effect, they require
registrants to develop cyber governance as part of their
overall compliance strategies. The SEC is expected to
enact additional rules in the near future requiring
enhanced cybersecurity disclosures for broker-dealers,
clearing agencies, and investment advisors.
The SEC has also signaled that it will continue to seek to
bring enforcement actions for fraud based on statements
alleged to mislead investors about the company’s
cybersecurity practices and risks. By contrast, the SEC
has historically brought cybersecurity enforcement actions
based on negligence-based disclosure violations and
internal controls violations. Individuals, including
chief information security officers (CISOs), who knowingly
make false public statements about the company’s
cybersecurity practices and risks while omitting contrary
information may also be subject to enforcement actions. In
2023, DOJ sentenced one company’s former Chief
Security Officer to three years’ probation following
his 2022 conviction regarding misrepresentations related
to a cyberattack. This focus on individual liability,
coupled with the new disclosure obligations regarding risk
management, strategy, and governance related to
cybersecurity threats, mirrors the DOJ’s approach to
individual accountability and will require a careful
review of cyber governance as part of compliance programs,
as well as of public statements measured against real-time
events. A detailed look at these new SEC cyber rules is
available here.
As registrants prepare their annual reports in 2024, they
must consider recent economic, social, and political
developments that affect their material risks, which must
include risks related to increasing cybersecurity
threats. Specifically, SEC registrants must include
cybersecurity disclosures in their annual 10-K (or 20-F
for foreign private issuers) filings going forward. See
our recommendations on updating cybersecurity and other
risk factors for Annual Reports on Form 10-K here and
here.
Likewise, the Federal Trade Commission (FTC) signaled an
increased focus on cybersecurity in 2023 by amending its
Safeguards Rule to require reporting of certain data
breaches by non-bank financial institutions. The
FTC’s 2023 rulemaking also addressed the security of
health data, financial data, and children’s data.
The updated National Cybersecurity Strategy released in
March calls for federal agencies to regulate
cybersecurity, and in its wake, the FTC proposed updates
to its Health Breach Notification Rule and updated its
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Learn more
about this and other similar enhanced information security
requirements for financial services companies, and how
they might affect yours,
here.
Sanctions, export controls, and forced labor restrictions
In light of increased national security concerns, there
have been some notable actions and policy announcements by
the US government that interested parties should be aware
of relating to US sanctions, export controls, and forced
labor restrictions.
The US has continued its aggressive approach to
sanctioning Russia-related parties since the invasion of
Ukraine in 2022. In late December 2023, President Biden
issued a new Executive Order that gave the US Treasury
Department’s Office of Foreign Assets Control (OFAC)
the authority to place primary and secondary sanctions on
foreign financial institutions that facilitate or conduct
significant transactions for certain parties supporting
Russia’s military-industrial base.[6] Further, in February, the US Treasury Department
announced over 500 new designations of individuals and
entities connected to Russia’s war effort or
sanctions evasion tactics, and has been otherwise
aggressive in adding new parties to the Specially
Designated Nationals and Blocked Persons (SDN) List.[7] More details can be found
here. Additionally, the US government, along with
international partners, published a new compliance and
enforcement alert in February on the implementation of the
price cap on Russian oil.[8] There
have also been additional sanctions and restrictions
enacted under the terrorism program[9]
and the cyber program.[10]
The US government has also positioned itself to take a
more active posture toward sanctions and export control
enforcement. In February 2023, DOJ and the Commerce
Department announced a new Disruptive Technology Strike
Force aimed at prosecuting evasion of US export controls
on critical technologies such as semiconductors and
artificial intelligence,[11] and Task
Force KleptoCapture has remained active in its prosecution
of Russian oligarchs and their facilitation networks.[12]
Further, DOJ and the US Departments of Commerce and
Treasury published a “Tri-Seal Note” reminding
non-US companies that there are certain situations where
US sanctions and export control laws apply to their
transactions.[13] Additional
details can be found
here. The US Treasury Department’s first published
enforcement action of 2024, against EFG International AG, a
group based in Switzerland, shows the potential compliance
risks for non-US companies that “cause”
violations by US persons.[14]
The US government has also ramped up enforcement of US
forced labor prohibitions. In FY 2024, US Customs
and Border Protection has detained 2016 shipments valued
at approximately $1 billion that were suspected of being
tainted by forced labor, invoking the Uyghur Forced
Labor Prevention Act (UFLPA). Of those shipments, 626 have
been released, 392 have been denied entry to the US, and
the remaining 998 are still pending review. In addition,
officials at DHS have announced an effort to enhance
enforcement beyond a shipment-by-shipment approach by
expanding the UFLPA Entity List, which would cast a broad
net by barring products that contain components from a
party on the Entity List. Consequently, DHS is
putting the business community on notice of the need to
conduct enhanced due diligence on their supply chains.
Anti-money laundering
2023 also saw the development of regulations surrounding
the implementation of the Corporate Transparency Act
(CTA), which took effect on January 1, 2024. Under the
CTA, certain domestic and foreign companies are required
to disclose information regarding their beneficial owners
and individuals who file corporate paperwork on the
companies’ behalf with the US Department of
Treasury’s Financial Crimes Enforcement Network
(FinCEN). Companies subject to the CTA will be required to
file disclosures regarding beneficial owners and company
applicants on a secure, cloud-based system. The beneficial
ownership information will be made available to the
following groups: (a) federal, state, local, and Tribal
officials, and foreign officials who request access for
activities related to national security, intelligence, and
law enforcement; (b) financial institutions in certain
circumstances with the consent of the reporting company;
and (c) regulators, when they supervise those financial
institutions. Additional detail regarding the CTA and its
requirements may be found
here.
While additional regulations surrounding access to
beneficial ownership information and customer due
diligence under the CTA are still pending – and challenges
to the constitutionality of the CTA are already being brought
(see here for more details) – it is clear that
companies that are potentially subject to the CTA’s
requirements will need to closely monitor the changing
landscape surrounding beneficial ownership in the US
throughout 2024.
ESG/supply chain
On the ESG front, 2024 presents a pivotal moment in the
regulatory landscape around the globe.[15] In the US, the SEC adopted final rules on March 6,
2024 to require registrants to disclose climate-related
risks. The SEC’s rules are facing litigation
challenges across a number of lawsuits, and the Fifth
Circuit has issued an emergency stay on the rules’
effect. The SEC continues to focus on evaluating
disclosures and statements made by funds and ETFs
promoting ESG investments to ensure their accuracy. In
addition, rules regarding disclosures about board
diversity continue to develop after Nasdaq’s rules
were approved by the SEC and challenges to the SEC’s
approval failed. Further, companies that made
climate-related pledges that are due in 2025 or even 2030
must analyze their upcoming target deadlines and all
organizations should stay up to date on the rise in
mandatory regulatory requirements. For example, California
enacted a new suite of sweeping climate-disclosure bills,
the first of which, AB 1305 (marketing-related claims),
went into effect in January 2024. These codify trends
calling for increased transparency regarding emissions and
overall climate strategy, meaning that prudent
organizations will review their climate strategy and
policies to proactively prepare to make required
disclosures. You can read more about these sweeping new
bills
here.
Separately, governments and businesses have acknowledged
the prevalence of modern-day slavery and the fact that
forced labor exploitation has made its way into the supply
chain. Compliance officers have long understood that the
problem fits under the “S” of ESG, but the
“E” is also implicated due to the
environmental impact of modern slavery. In addition to
California’s Transparency in Supply Chains Act,
similar laws regarding supply chain transparency have been
passed or are pending in multiple jurisdictions outside
the US. Around the world, governments continue to
pass legislation to combat the spread of forced labor and
modern slavery within the global economy.[16]
Anti-corruption
In addition to Foreign Corrupt Practices Act (FCPA)
enforcement remaining active in 2023, President Biden
signed the Foreign Extortion Prevention Act (FEPA) into
law in December 2023. The FEPA criminalizes bribe demands
by foreign officials upon US citizens, companies, or
issuers, when made to obtain or retain business. The law
fills a prior gap in the federal anti-bribery regime, which
previously only criminalized offers of bribes to foreign
officials made by US citizens and companies. The statute
will be implemented in 2024, thus expanding DOJ’s
authority to pursue foreign officials beginning this year.
Read more about the
FEPA and our guidance for in-house compliance teams’
response to it, particularly in light of DOJ’s
increasing interest in voluntary self-disclosure,
here. This law falls squarely within the trend of
policy developments focused on corporate conduct that
could impact national security.
Key policy pronouncements on compliance programs
DOJ continued to emphasize the importance of corporate
compliance programs in connection with receiving
cooperation credit in investigations and enforcement
proceedings and the agency provided additional guidance
regarding its expectations for voluntary self-disclosures.
This trend follows DOJ’s September 2022
“Monaco Memo”[17] and
continues to emphasize significant fine reductions for
full cooperation and appropriate remediation, especially
in the context of voluntary disclosure.[18] Last year, DOJ announced a new standard for
voluntary self-disclosure credit, which applies to all US
Attorneys’ Offices (not just the FCPA unit of the
Fraud Section). The policy states that the
self-disclosure must be truly voluntary, reasonably prompt
after the company learns of the issue, and inclusive of
all relevant facts known to the company at the time of the
disclosure.
DOJ updated its ECCP in March 2023, providing further
guidance for enforcement proceedings. The 2023 ECCP
updates look for compliance-promoting criteria in
corporate compensation systems, meaning that financial
incentives (including salaries and bonuses) should be tied
explicitly to compliance metrics.[19] As part of its assessment of corporate compliance
programs, DOJ is paying increased attention to
companies’ ability to preserve employees’
personal device and ephemeral messaging data and to
produce that data, where applicable, to DOJ in the context
of cooperation with investigations.[20]
DOJ announced significant new incentives aimed toward
promoting self-disclosure. In 2023, it announced a
Mergers and Acquisitions Safe Harbor Policy to encourage
disclosure of criminal misconduct (not just FCPA
violations) discovered during an acquisition. The policy
clarifies that DOJ will decline to prosecute companies if
they disclose the misconduct within six months of closing
the deal and remediate the misconduct fully within one
year of closing. In a speech by Deputy Attorney
General Lisa Monaco, DOJ also announced that it will be
launching a DOJ Whistleblower Rewards Program during 2024,
which will provide financial incentives to whistleblowers
who report significant corporate or financial misconduct
not otherwise known to DOJ.
While the imposition of corporate compliance monitors
remains rare in corporate enforcement actions, in March
2023, Assistant Attorney General Kenneth Polite of DOJ’s
Criminal Division issued a memorandum to all Criminal
Division personnel revising prior guidance and stating
that prosecutors should not apply presumptions for or
against compliance monitors.
DOJ’s interest in compensation structures was also
reflected in 2023 revisions to its guidance in connection
with when to enter into deferred prosecution agreements
with companies.[21] The guidance
states that prosecutors should focus on management
commitment, periodic risk assessment that is regular
rather than only annual, independent oversight and
third-party management, and remediation of misconduct,
among other factors. While DOJ has historically recognized
the significance of compliance, its guidance previously
zeroed in on directors and senior managers, whereas recent
updates look to “mid-level management” and
seek a broader, public culture of compliance within
an organization. As such, companies presenting their
compliance programs to DOJ in the context of seeking
cooperation and remediation credit during an investigation
or enforcement proceeding will likely benefit from
highlighting meaningful commitment to compliance policies
and principles at all levels of leadership.
What it means for companies
It is more important than ever for companies
to know what legal and regulatory risks their businesses
face, and organizations should consider conducting
detailed risk assessments to understand what those risks
are, what controls are in place to mitigate them, and how
effective those controls are in practice. Companies may
benefit from a review of existing policies and procedures
to assess the effectiveness of their controls and identify
potential gaps. Companies should consider training
employees on practical and effective methods to spot
potential issues and raise concerns, especially in light
of new incentives for voluntary reporting.
Please contact AKD Partners for support in ensuring that
your company’s compliance structure is ready for
these dynamic trends in the modern regulatory
landscape.
[1] Note that certain portions of the
Washington law related to the use of geofencing in the
collection of personal information went into effect in
2023.
[2] https://www.blumenthal.senate.gov/imo/media/doc/21424kosabilltext.pdf
[3] https://www.markey.senate.gov/imo/media/doc/coppa_20billtext.pdf
[4] NetChoice, LLC, v. Rob Bonta,
Case No. 22-cv-08861-BLF (District Court’s grant of
preliminary injunction currently on appeal at the United
States Court of Appeals for the Ninth Circuit at Case No.
23-2969); NetChoice, LLC v. Tim Griffin, Case No.
23-cv-05105-TLB.
[5] https://www.sec.gov/news/press-release/2023-139;
https://www.sec.gov/corpfin/secg-cybersecurity;
https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214.
[6] https://www.whitehouse.gov/briefing-room/presidential-actions/2023/12/22/executive-order-on-taking-additional-steps-with-respect-to-the-russian-federations-harmful-activities/
[7] https://home.treasury.gov/news/press-releases/jy2117#:~:text=WASHINGTON%20%E2%80%94%20Today%2C%20marking%20Russia%27s%20two,is%20sanctioning%20almost%20300%20individuals
[8] https://ofac.treasury.gov/media/932571/download?inline
[9] https://www.state.gov/terrorist-designation-of-the-houthis/
[10] https://home.treasury.gov/news/press-releases/jy2114
[11] https://www.justice.gov/opa/pr/justice-and-commerce-departments-announce-creation-disruptive-technology-strike-force
[12] https://www.justice.gov/opa/pr/task-force-kleptocapture-announces-array-new-charges-arrests-and-forfeiture-proceedings
[13] https://ofac.treasury.gov/media/932746/download?inline
[14] https://ofac.treasury.gov/media/932766/download?inline
[15] For example, the EU Corporate
Sustainability Reporting Directive and the International
Sustainability Standards Board will both have significant
impact on the international ESG front in 2024.
[16] The UK and Australia each passed
their own supply chain transparency laws, as did Canada
with the Canadian Modern Slavery Act in May 2023.
[17] https://www.justice.gov/opa/speech/file/1535301/download
[18] https://www.justice.gov/file/1571416/download
[19] https://www.justice.gov/opa/speech/file/1571911/download
[20] https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-keynote-aba-s-38th-annual-national
[21] See “Attachment C of Deferred Prosecution Agreements”