Legal and compliance professionals across the globe should anticipate a new era which has the potential to broaden the mandate of their teams. The advent of ESG as a compliance issue, the fragmentation of the terrorist financing landscape, and the deterioration of the cyber threat landscape will all impact the issues that come across the legal and compliance desk in 2022 and beyond.
Across the themes in RiskMap 2022, there is a transition risk inherent in this moment, but legal and compliance teams should give special focus to the risks in these three areas. At the same time, there is uncertainty around the ‘end state’ for ESG, in relation to where the dust will settle on AML exposure and cyber threat.
Moving targets: sustainability becomes a compliance issue
In the year ahead, the rush of new regulations around sustainability and ESG will create an impetus for legal & compliance teams to play a role in managing disclosures and reporting. The risks of missteps in how ESG issues are handled are our main reputational risk for 2022. Teams will need to field questions from investors, their own investor relations teams, and boards on managing these issues and where assurance is provided on compliance with ESG obligations.
Third-party risk, which has been the most significant risk exposure point for most companies, will remain but change shape. Supply chains are under the microscope for environmental impact reporting, so are risks related to modern slavery and human rights. The reputational risks of association with human rights abuses and modern slavery are incendiary. Due diligence will be revisited to include these frontline issues. Companies will also move fast to weave environmental impact exposure alongside the more traditional supply chain due diligence focus on issues such as financial crime. The supply chain management burden of these new issues will rise up the agenda in 2022 and remain a hot topic for years to come. In many cases, much of the anticipated regulation is a moving target.
In a world that has seemed overwhelmingly chaotic at times, some shifts in regulation indicate that clarity is coming on regulatory expectations. With that comes scrutiny and inevitably, sanctions. New regulations from the European Union but also the United States - including from the SEC - on due diligence and ESG disclosure will harden obligations on companies to produce clear compliance and performance reports around each of the E, S and G pillars. The SEC’s pursuance of misstatements by investors regarding their sustainability claims in public filings signals a need for compliance programmes to be underpinned by strong assurance processes.
To succeed, corporate culture will be crucial; compliance teams already know from their work in the anti-bribery and corruption space that organisational good governance begins within its culture. Social and governance issues must be woven into the everyday processes of organisations. This will require investment and oversight, both areas which can be in short supply.
Changing terrorism threats: new challenges in combatting terrorist financing and AML
The Taliban takeover of Afghanistan in summer 2021 was one of the year’s more harrowing news stories, in a media cycle that continued to be dominated by the pandemic. Both these issues feature as principal drivers of change in our forecast of terrorism risk in 2022.
Combatting terrorist financing (CFT) has long been a core component of financial service institutions’ compliance programmes. These controls will need to be re-examined in 2022, a year which brings with it an evolving terrorist threat landscape. Afghanistan now offers a possible haven for international terrorist groups. Traditional banking and financial services firms will seek to ensure their CFT controls are adequate to meet this challenge, while corporations across sectors will need to re-examine their response to sanctions and to prevent the use of their products and services by terrorist organisations.
The enforcement of AML-CFT regulations will continue to be an important weapon, alongside sanctions, in the efforts by governments to fight terrorism. Financial services providers - both traditional and non-traditional - should anticipate robust enforcement combined with the enactment of new laws and regulations to aid those enforcement efforts. Earlier this year, the US, which has made AML-CFT regulation enforcement a central tool in its anti-terrorism efforts since 9/11, passed The Anti-Money Laundering Act of 2020. That law, which establishes new beneficial ownership requirements, enhances US law enforcement’s ability to subpoena information from foreign banks, and provides for increased cross-border sharing of AML-CFT-related information, is indicative of the direction that the US is taking in this area.
Further complicating this area, of course, is the emergence of digital currencies. Those assets, which are specifically designed to provide a certain level of anonymity to transactions, will undoubtedly be top of mind for financial regulators as they seek to develop rules designed to reduce the risks created by the increasing use and acceptance of these payment alternatives. The regulatory initiatives arising out of this process will create significant challenges for legal and compliance professionals who will need to be nimble in the assessment of risk and adoption of processes for monitoring them.
Deterioration of the cyber threat landscape increases data management risk
The cyber threat landscape is expected to deteriorate in 2022. As we highlight in our forecast of cyber risk Despite cyber attacks often threatening national security, governments still expect companies to protect themselves, in a landscape where deterrence has so far proved ineffective. The increasing trend of collaboration between cybercriminals and hostile states means sanctions against threat actors may continue; for example, in April 2021 the US Treasury issued targeted sanctions against Russian technology companies that it believed had worked with the Russian state to conduct cyber attacks in the US.
Governments will compete for digital sovereignty, with regulation, surveillance, online repression and disruption all in their toolkit if needed. Cyber diplomacy will impact how companies operate, and how our internet is governed. While many organisations have bolstered their internal cyber teams, all these issues could nonetheless find themselves landing on a compliance team’s desk. The cyber exposure of third parties will become increasingly important to consider in the due diligence process. These teams will already be grappling with the seemingly unstoppable proliferation of data, and the continued acceleration of governmental regulation of data and technology. The digital transformation of compliance programmes has helped some firms create efficiencies in monitoring third parties and conducting internal investigations. Yet new ways of working breed risk, and in this fast-paced world it can sometimes be hard to keep up.
Keep a sharp eye on the grand geopolitical repositioning
We live in an increasingly politicised, and politically turbulent, world. For decades, the US has dominated the world order. This is changing, and the transition breeds uncertainty for legal and compliance teams. This will be most pronounced from a regulation and enforcement angle, where the US has been the driving force. For now, this regulatory dominance continues, but forward-looking teams will need to begin to consider who might fill that gap, which for now is uncertain. What is clear is that in a new global geopolitical order, legal and compliance teams will be forced to grapple across borders with regulatory requirements that are ambiguous or conflicting.
2022 continues a sobering trend of dysfunctional, fragile and vulnerable states. A long list of potential external shocks – ranging from extreme weather events to inflation, from volatile energy markets to migration and demographic challenges – exposes governments to myriad risks which they may not be equipped to manage amid their societal and institutional weaknesses. States pressured financially by the external shocks described above, may pursue rent-seeking in the form of regulatory enforcement and fines to deal with fiscal deficit.
This is compliance, now
Compliance has evolved from the anti-bribery and corruption (ABC) tenets on which it was founded. ABC remains a central pillar in most organisations’ compliance programmes, but the most effective teams now work across an ever widening range of issues and increasingly depend on expertise outside their functions. These teams will be forward-thinking and collaborative across business functions and units. They will consider geopolitical factors that might impact strategy and risk, such as sanctions or regulatory scrutiny. They will factor ESG issues into their due diligence. They will have digitised compliance programmes adequate to handle the pace of technological change we live in. They will recognise that their roles are less about process, and more about protecting their business from the array of risks that 2022 will throw at them. But they will be ready.