Looking Around the Corner:
Regulatory Change &
Your Compliance Risk
April 23, 2021
What do you foresee your company experiencing throughout 2021? After vaccines suddenly release your workforce and customers from over a year in solitary confinement, what are you expecting? How do you see that relating to Q2, Q3 and beyond, with people’s needs and behaviors changing over time? Do you know how to protect your organization from emerging risk and benefit from the New Normal? Can you anticipate the future?
Yes you can. History has demonstrated that we can see the future, and that we can anticipate the right decisions to make if we look carefully for patterns and tune out the day-to-day noise with Enterprise Risk Management.
Starting today, I would like to introduce a new series of blog posts I’ll be publishing over the course of the next few weeks and months: my predictions for 2021-2024. From short-term predictions surrounding the New Normal, to the inevitable looming debt crisis, to cybersecurity risk and everything in between, I intend to use this space to deliver in-depth insights on major trends I foresee playing out over the coming months and years. I hope you’ll follow along as we bring new information live each week on our website and other media platforms.
This first post in my series of predictions for 2021-2024 explores how drastic federal regulatory changes and enforcement will impact your business, and more specifically how it should impact your risk management practices.
Risk Management is not just about predicting outcomes from a danger and opportunity perspective; it’s equally important to see things from a compliance perspective. That’s why over the past year, I’ve been focused on seeing around the corner of the drastic changes in how your organization plans and responds to new interpretations of existing regulatory requirements and new legislation and executive orders brought on by the new U.S. administration.
Every new president brings dramatic changes in priorities. This is not a political statement – it is a factual statement. And while we may not all share the same political views, all organizations share the same mission of surviving and thriving under whatever new agenda is brought forward.
“Le roi est mort, vive le roi!”
“Le roi est mort, vive le roi!” is a phrase that for centuries has been an important rallying cry for people and businesses alike to essentially, “get over the past and get going with this new environment we find ourselves in.” I think that it’s important for any organization looking to survive and thrive over the next presidential term to embody this mindset.
So what will this new presidency bring to the table? With a deadlocked Congress and partisan politics, one might believe nothing will change. But that’s far from the truth. The previous administration was unable to change any laws, and instead focused on rendering the major institutions of compliance incapacitated to the point where existing regulations could not be enforced. Whether it was due to lack of staff, budget or loose interpretations, this prevented effective enforcement actions.
The Biden-Harris administration has made it clear that they will focus their first year on reversing those actions – at a minimum. This will result in a dramatic change in regulatory compliance enforcement that impacts every organization, not only in the United States but in Europe and Asia as well. Whether we like it or not, deep international interdependencies mean there is an 80% correlation between economic activity in the U.S. and Europe and a 50% correlation between business in the U.S. and Asia – and vice versa.
The EU privacy law, GDPR, governs individual privacy and was recently expanded to govern corporate information rights and obligations towards other corporations, as well as government agencies. The GDPR specifically avoids having a geographic boundary by defining EU data as “belonging to any Citizen or Organization” – meaning that any organization anywhere in the world that holds EU citizens’ data or organizations’ data is liable under GDPR, regardless of whether it intentionally operates in the EU.
We witnessed the catastrophic consequences of the pandemic play out, devastating world economies that were mostly unprepared, or that reacted slowly and poorly due to their inability to execute (which stems from not being prepared). Action will be swift and deep on regulatory change, and we can expect enforcement in the following areas:
Short-term return-to-work regulations
New and sudden legal requirements have been appearing at the state level, and will most likely be updated after vaccinations have been completed. Companies will need to capture these 3 main types of information and retain these records as evidence of compliance:
- Requiring workers to log in and out when visiting the office (date, time, etc.).
- Requiring workers to attest (possibly daily) that they do not have symptoms of COVID-19, and that they have not come into contact with anyone who has tested positive for COVID-19.
- Requiring evidence of cleaning twice a day for common areas (kitchen, conference rooms, etc.).
Monetary inflation & the debt crisis
In every significant change or crisis, there are winners and there are losers. Although many claim that our future is completely uncertain, the reality is that the answers are already known with near certainty 6 months or more in advance. Good risk management helps the winners plan and execute reliably into the future.
This is an important consideration heading into the remainder of this year and 2022, as we will soon experience a historic debt crisis and monetary inflation. The pandemic has forced Europe and the United States to print money, pushing their debt-to-GDP ratios over 100%: levels not seen since WWII. Much of Asia has avoided this debt liability. However, the AMER, EMEA and APAC regional economies are highly correlated, and so long as interest rates stay low, servicing this debt is viable. Interest rates remaining at current levels is unsustainable, and there are many triggers of higher inflation that would create a world-wide economic crisis with potential cycles of hyper-inflation – which will provoke a debt crisis.
Environmental protection regulations
Climate change may sound vague – like “world peace.” However, many real, incremental steps are impacting organizations in 2021 and beyond. This not only includes familiar enforcement by the Environmental Protection Agency, but also new regulations on real estate. These pertain to:
- Building codes and land use
- Financial services with asset reviews for lending and investments
- The energy industry, for modeling future needs and protecting assets from extreme weather
- Community impact reviews on new projects
- Consumer goods packaging
- Consumer and investor pressure of the See-Through Economy related to Environmental, Social and Corporate Governance (ESG) scrutiny, negative publicity from nongovernmental organizations (NGOs), and supervisory and regulatory actions for reporting and disclosure liabilities in Europe and Asia
The list goes on and on. It’s important to understand how these regulations will impact your organization, as this is both a risk and an opportunity.
Consumer financial protection
A half-million consumer complaints were made to the CFPB in 2020, representing a 54% year-over-year increase. However, under former Director Kathy Kraninger, a Trump appointee, the CFPB enforced approximately only $1.5 billion in consumer redress over her term. The CFPB under Richard Cordray, an Obama appointee, had more than $12 billion in enforcement actions.
The new Biden-Harris administration nominated Rohit Chopra as head of the CFPB. Chopra has a reputation of being an aggressive enforcer as the commissioner of the Federal Trade Commission, and has publicly committed to reviving enforcement at the CFPB.
Requirements for SOC 2 audits will soon increase, along with IT Governance due diligence requirements across the entire software industry. This can largely be attributed to the SolarWinds Orion network management software breach and the unrelated but similar Accellion software breach.
Due to the dramatic surge of ransomware attacks, cyber insurance prices are rising by 30%. Furthermore, insurers are reducing their cyber exposure by shifting cyber risk to standalone policies or introducing cyber exclusions in traditional policies. This is due to vulnerabilities related to supply chains and third-party vendors.
From a regulatory standpoint, a new privacy enforcement can be expected; Vice President Harris has a strong track record in privacy enforcement, and the administration has welcomed back multiple Obama staffers who contributed to the former president’s Consumer Privacy Bill of Rights and the formation of the Federal Privacy Council. So what might this look like? One executive order might be that software vendors must notify their customers whenever the company suffers a cybersecurity breach.
Supply Chain/Vendor Management
Third-party risk is on the rise. Ongoing monitoring is necessary to ensure compliance and to prevent potentially costly breaches, supply chain outages and regulatory violations. The supply chain attacks on SolarWinds and Accellion are a prime example of this type of failure; the hackers were able to compromise law firms’ sensitive client data. We can also expect requirements surrounding due diligence over security practices, as well as SOC 2 certifications and privacy.
Companies should work to deliver value to customers, invest in employees, deal fairly with suppliers and support their communities. But they should also be generating long-term shareholder value.
The See-Through Economy will soon hit critical mass. Whether it be called “Environmental, Social and Corporate Governance” (ESG), the “Corporate Transparency Act,” “corporate tax fairness,” or “Workplace Equality and Protection,” awareness will be heightened by COVID-19 and various other social issues. It all comes down to making sure that organizations have the right systems in place to prevent mistakes; corporations are being held accountable by their customers and employees at new levels of enforcement.
Join Our Free Webinar
Join us for a live webinar to continue exploring these topics with Steve, along with our VP of Product Development Brendan Colliton! This webinar is completely free to attend and will be approximately 30 minutes long, followed by a live Q&A. We hope you join us on Wednesday, April 28th @ 10am EST, 3pm GMT. Register now here!
Manufacturing and “Return to Work”
Employers owe a duty of care to ensure the health, safety and welfare of their employees at work – so far as is reasonably practicable. They are also required to conduct their business in a manner that does not expose third parties (including workers, contractors and visitors to premises) to risks compromising their health and safety. This will soon be enforced at the federal level.
The rise of Bitcoin and Non-Fungible Tokens (NFTs): the most ardent proponents see these as a modern-day store of value and inflation hedge, while others fear a speculative bubble is building. However, from a governance, risk and compliance view, future regulation is more likely to be around Anti-Money Laundering (AML) and combating the financing of terrorism (CFT) regulations. What is certain is the need to provide evidence that solid and effective internal controls and risk assessment processes, systems and procedures are in place.
The key to success will be to generate new, non-interest income. This will rest on crypto-asset service providers’ ability to keep records of all transactions, orders and services related to crypto-assets that they provide, while ensuring the systems are in place to detect potential market abuse committed by clients.
The Power Struggle: Global economy vs. federal vs. state authority
COVID exposed and amplified the weakness of central federal governments to execute effectively over state or country regulatory powers. Whether it is Brexit threatening the EU or the explosion of regulatory initiatives of individual states, this ongoing power struggle will result in increasing regulation and operating risks for organizations.
For example, while the U.K. now has its own Darwinian version of GDPR, the EU has moved to expand GDPR to cover corporate data. Likewise, a new generation of consumer-oriented privacy laws is coming from the individual states in the U.S., increasing the likelihood of a new patchwork of enforcement actions at the state level at odds with a coordinated central authority.
Expect many new fault lines to appear in the energy and financial services sectors. There will be increased pressure to pay for the pandemic-generated debt, as well as the potential massive relocation of employees empowered by remote work flexibility; there will be a battle among states to maintain their taxation incomes, with enforcement actions against the organizations that employ those workers. How will your systems keep up? How will your HR policies evolve to mitigate your organization’s new operating complexity? How will you mitigate the risk of providing this new flexibility increasingly being required by your workforce? How will security and data privacy risks be managed across so many new regulatory boundaries?
Evaluating your compliance readiness
All of these regulations will be felt on a global scale. Germany will soon be forcing companies to screen their suppliers for environmental violations and human rights abuses (such as illegal mining and child labor). Similar regulatory changes in enforcement, new regulation and updated interpretations of existing regulations are spreading fast across Europe and Asia. This is a direct consequence of the horrors we’ve witnessed in the past year – from the pandemic lockdown, to social justice reckonings, political unrest and everything in between.
How ready is your organization to adapt to new compliance regulations? Whether you think you have a long way to go, or feel equipped to handle anything that’s thrown your way, it’s impossible to be overprepared.
So where do you start? Taking a risk-based approach to ensuring your organization is compliant starts with identifying your risks, assessing the impacts of those risks, implementing mitigation processes to ensure compliance is met, and continued monitoring of and reporting on your program.
Every company and situation is different. Luckily, LogicManager is built on a flexible taxonomy infrastructure and empowered by robust artificial intelligence. With our powerful software, paired with our ability to execute and our passion to serve our customers, we enable risk management programs that work.
About the Author: Steven Minsky
Steven Minsky is a recognized thought leader in risk management, CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts and published action plans to help organizations prepare.