If there’s one thing we’re familiar with here at Ethena, it’s gray areas. (Have you seen our flagship Sexual Harassment Training? Tricky, hard-to-categorize situations are pretty much our bread and butter.) But one gray area we haven’t historically talked much about is the gap between when a new law is announced and when it kicks in.
Once the proposed legislation takes effect, you’ll see it in our content (when relevant), hear about it in our emails, and we’ll highlight some key information to help you determine how it might impact your organization — and how we can help.
But here’s what’s new: starting today, on a quarterly basis, we’ll also provide you with insight into what’s on the legal and compliance horizon. These updates come courtesy of Susan Divers, Ethics and Compliance industry veteran.
So without further ado, here’s what you might’ve missed this summer.
The DOJ updates its Evaluation of Corporate Compliance Programs (ECCP) criteria with an emphasis on AI risk
Since 2017, the DOJ has instructed federal prosecutors on how to evaluate a corporate compliance program, and on September 23rd it issued a new set of updates to that guidance. The ECCP matters because it plays a key role in determining fines and penalties for misconduct, and it has become the gold standard for E&C programs. The update focuses particularly on the risks posed by AI (and other “disruptive” technologies), consistent with Deputy Attorney General Monaco’s statements in February that the DOJ would seek “sentencing enhancements” (i.e. bigger fines) where offenses were made more harmful by the misuse of AI. The bottom line: any company using AI must manage AI risks, including the procurement of AI tools, comprehensively and proactively, and should review the new guidance in detail to confirm it is compliant.
Other changes include continued emphasis on incentivizing employee reporting and preventing retaliation, using meaningful data analytics, treating lessons learned as part of an organization’s training and risk management, and using compliance training that is tailored to the “particular needs, interests, and values of relevant employees,” including the relevant industry and geographical region.
Ethena tip: Any company using AI should review the ECCP guidance and confirm that its AI controls and governance meet the standards it sets out. It is also prudent to check that other E&C program areas, such as speaking up, measuring effectiveness and training, meet those standards.
New UK law imposes duty on employers to prevent sexual harassment
The UK Worker Protection Act, which received royal assent last year, takes effect on October 26, 2024. The law requires that employers take “reasonable steps” to prevent sexual harassment of their employees. It also gives Employment Tribunals the power to increase sexual harassment compensation by up to 25 percent if an employer is found to have breached this new duty.
According to the Equality and Human Rights Commission (EHRC) guidance published in June, employers have an affirmative obligation to assess the risk of sexual harassment in their workplace and to mitigate it. As with other workplace risks, what counts as “reasonable” mitigation depends on the size and nature of the business and workforce, past incidents, and the risks posed by third parties, among other factors.
The EHRC has been given wide enforcement powers, including the ability to investigate employers without a specific complaint or claim.
Ethena tip: Compliance with the new Act requires proactive steps by employers. Some to consider include:
- Assessing the risk in the workplace, taking into account the nature of the business, past incidents and other relevant factors.
- Reviewing and updating sexual harassment policies as needed.
- Launching training and/or reminders aimed at preventing sexual harassment.
- Taking allegations of harassment seriously, investigating and disciplining anyone in breach of company policies.
Encrypted communications apps trigger global enforcement actions
August was a busy month for regulators. On August 24, 2024, French authorities arrested Pavel Durov, the CEO of Telegram, for “complicity in managing an online platform to allow illicit transactions by an organized group….” Telegram, along with Signal, WhatsApp and other messaging apps, offers users a high degree of privacy and anonymity. (One caveat worth knowing: unlike Signal and WhatsApp, Telegram does not end-to-end encrypt its default chats; only its opt-in “secret chats” are end-to-end encrypted, so ordinary Telegram messages are readable by Telegram itself.) It’s possible Durov or Telegram will also face action under the European Union’s Digital Services Act (DSA), which came into force in November 2022 and obligates online platforms to remove illegal content, protect children, and tackle disinformation and other online harms.
In another action involving these apps, on August 14, 2024 the U.S. Securities and Exchange Commission (SEC) announced charges against 26 financial firms for their employees’ use of encrypted and other off-channel communications to conduct business. The August actions follow a series of earlier SEC enforcement cases in this area, which have swept in well-known firms such as Morgan Stanley, Goldman Sachs, BNP Paribas, Barclays and Credit Suisse.
Under SEC recordkeeping rules, financial firms are required to preserve and monitor their employees’ written business communications so that regulators have a record they can review when enforcing compliance. In practice, this means restricting employees’ use of personal devices and of apps like Telegram or WhatsApp to conduct business. As of August 2024, SEC fines for off-channel communications had topped $3.4 billion.
Importantly, the problems with off-channel communications in the U.S. are not limited to financial firms. To quote the most recent version of the Department of Justice’s Evaluation of Corporate Compliance Programs, “corporate policies should ensure that to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company,” and “Bring Your Own Device” policies do not exempt business transactions or messages from corporate regulatory and record-keeping requirements.
Ethena tip: Check that your policies and code of conduct conform to DOJ guidance, applicable laws and, if relevant, SEC requirements regarding off-channel communications.
Export control, sanctions, money laundering enforcement on the rise
On September 2, 2024, the U.S. seized an aircraft used by Venezuelan dictator Nicolás Maduro on the grounds that it had been illegally purchased and smuggled out of the U.S. in violation of U.S. sanctions and export laws. The next day, September 3, 2024, defense contractor RTX agreed to pay $200 million in penalties for violating U.S. export control laws by sending specifications for electronic wiring boards for aircraft, including Air Force One, to China without a license.
It’s not just aircraft or high-tech goods that trigger these laws. On the commercial side, there were 173 enforcement actions from January 2023 to August 2024, including one against Indiana University for exporting genetically modified fruit flies without the required export license. Similarly, on the sanctions side, the Biden administration added 1,621 entities and 879 individuals, 2,500 targets in total, to its prohibited lists in 2023, up from 2,275 the year before, a dramatic increase over historic norms. That increase, and an uptick in prosecutions, has been driven primarily by the war in Ukraine and a renewed focus on Iran, plus other countries such as North Korea.
And the scope of U.S. jurisdiction in these areas is broad. In June 2024, Mondo S.p.A., an Italian animation company, paid a fine for outsourcing work to a North Korean entity and routing the payments through U.S. banks. Similarly, in 2023 British American Tobacco paid more than $500 million in fines for transferring funds and tobacco to its local joint venture in North Korea. This uptick in prosecutions should not be a surprise: in 2022, Lisa Monaco, the Deputy Attorney General, announced a new, aggressive strategy for enforcing trade sanctions and export controls and assigned over 25 new prosecutors to this area.
Ethena tip: Export controls, sanctions and money laundering are complex, non-intuitive areas that pose significant risk. Hiring or doing business with a prohibited entity or individual can result in fines and adverse publicity. Check that your policies and procedures are clear and comprehensive, and provide ongoing training to help ensure everyone stays compliant.
Training is now an essential element of employer compliance with California labor laws
July was particularly busy for California regulators, who continue to point to training as an essential tool for employers to use in their compliance efforts. In July 2024, California’s Workplace Violence Prevention Act (WVPA) took effect. It requires most California employers to implement a workplace violence prevention plan. Cal/OSHA, the agency charged with overseeing workplace safety and health, has proposed draft regulations (the public comment period ended on September 3, 2024). The draft regulations deal with topics such as a small private workplace exception, workplace safety features, communicating about workplace violence incidents, risk factors and responding to an incident.
They also make clear that employers are obliged to provide employee training on workplace violence prevention methods and on the procedures to follow in the event of an incident or emergency:
“[t]he employer shall provide effective training to employees…. Training material appropriate in content and vocabulary to the educational level, literacy, and language of employees shall be used.”
Similarly, in July, reforms to California’s Private Attorneys General Act (PAGA) took effect. PAGA allows workers to bring labor law violation claims against an employer on behalf of the state. Among other areas, the reforms significantly incentivize employers to take proactive “reasonable” steps to improve their compliance with the California Labor Code, including “conducting training on applicable Labor Code and wage order compliance.” Taking proactive compliance measures before receiving a PAGA lawsuit can reduce an employer’s potential penalties by 85%.
A third example of the importance of training to labor laws and regulations is the California Indoor Heat Illness Prevention regulations that also took effect in July.
The heat regulations require, among other things, that employers institute a written indoor heat illness prevention plan. They also require training for all employees, including supervisors, on the main elements of the plan such as factors causing heat illness and the role of water consumption among other topics.
Taken together, these requirements clearly show the critical importance of training that is accessible and understandable by employees in the workplace, particularly for entities based in California.
Ethena tip: Training is a fundamental component of an effective compliance program, not just for employers in California. Review your risk analysis and mitigation strategies to ensure that your training program covers the required topics consistent with regulatory requirements and guidance (e.g. “training material appropriate in content and vocabulary to the educational level, literacy, and language of employees”).
About Ethena
Go beyond check-the-box with Ethena’s modern library of 150+ customizable course modules and a platform that does the heavy lifting for you. An employee hotline, HR case manager, and phishing simulator are all built-in, so you can identify risks and tailor your training to them.
Ethena is trusted by People and Compliance teams at Zendesk, Pinterest, Notion, BetterUp, and more.