Admin Log In Let's Talk

This quarter saw ethics and compliance regulatory developments, with regulators pausing a major export control expansion in the U.S. and the EU proposing to extend the deadline for compliance with some provisions of the European Union’s Artificial Intelligence Act.  

Guidance from regulators continues. UK regulators offered indicators of how they plan to evaluate organizations’ ethics and compliance programs. FCPA enforcement is returning to its “normal cadence,” according to the Justice Department. The International Foreign Bribery Task Force (IFBTF), an alliance of law enforcement agencies in Britain, Canada, Australia, New Zealand, and the United States, published examples of red flag situations that indicate bribery risk.

It’s also been an active year so far for anti-money laundering and counter-terrorism funding enforcement, with a shift away from prosecuting banks towards crypto exchanges, money transmitters, and casinos.

Export Controls: “Affiliates Rule” suspended for one year

On November 10th, the Commerce Department’s Bureau of Industry and Security (BIS) announced that its “Affiliates Rule,” published at the end of September, would be implemented in phases and subject to review before taking effect. BIS suspended the rule and indicated it is subject to further evaluation. The activation date is now November 10, 2026.

The publication of the rule launched a significant expansion of export restrictions, giving companies 60 days to prepare. As currently drafted, the rule applies to entities with 50% or greater ownership by one or more parties on restricted lists such as the BIS Entity List, the Military Entity List, or, in some cases, the Specially Designated Nationals List. Entities falling under the BIS Affiliates Rule would be subject to the combined export control restrictions of their listed parents. The Rule would apply to both new and existing third parties.

The rule was intended to prevent diversion of sensitive U.S. technology through the conduit of companies controlled by prohibited entities. In practice, the rule would mean that companies must now undertake sanctions-like screening mechanisms that include beneficial ownership analysis in their export control diligence.

Ethena tip: Although the rule will not take effect for a year and is subject to change, now is a good time to ensure your trade controls processes include beneficial ownership due diligence and review your existing third parties as necessary.

The European Union Digital Omnibus Plan would delay and modify digital regulations

On November 19, the European Commission published its “Digital Omnibus” plan. It is meant to simplify the EU's sweeping digital regulations, including the 2024 Artificial Intelligence Act, GDPR, and the Data Act. The goal is to reduce administrative tasks and compliance obligations. Among its many provisions, the plan defers AI Act obligations up to a maximum of 24 months for high-risk AI systems or “until such later date when measures to support compliance, such as harmonized standards, common specifications, and Commission guidelines, are available.” The plan will be submitted to the European Parliament and the Council for discussion and adoption under the legislative procedure.

FCPA Enforcement: Returning to “a more traditional cadence”

In early December, Matt Galeotti, acting head of the DOJ Criminal Division, commented publicly on FCPA enforcement as “… a relatively active past six months … now [the enforcement] is probably at more of the traditional cadence.”


According to a helpful analysis by the FCPA Professor Blog, corporate FCPA enforcement in 2025 was down compared to prior years, with most of the drop attributable to a decline in SEC FCPA enforcement, as DOJ corporate FCPA enforcement in 2025 actually exceeded certain prior years, such as 2021 and 2015.


Galeotti’s remarks come on the heels of FCPA prosecutions of Liberty Mutual and Smartmatic, plus the first Deferred Prosecution Agreement (DPA) with Millicom TIGO under the new FCPA enforcement guidelines published in June 2025. (See our June 2025 compliance update for more on the FCPA guidelines.)


The Millicom DPA reflects some of the June guidelines as it involves Latin America and bribes paid out of narcotrafficking proceeds. Another point of note from the Millicom DPA is DOJ’s mention of Millicom’s “ephemeral messaging policy” as a point in the company’s favor.


As we noted in our September 2025 update, off-channel communications were a major enforcement area for the Biden Administration and may continue as an area of focus in this Administration, given the reference in the Millicom DPA.


Ethena tip: It’s important to have a clear-cut policy consistent with record-keeping obligations that addresses using personal devices for work and preserving communications.

Anti-Money Laundering, Counter Terrorism Funding, and OFAC Prosecutions Show a Shift Away from Banks

So far this year, no bank has faced a major penalty for violating U.S. AML/CFT or sanctions regulations. U.S. AML/CFT enforcement actions have focused on crypto exchanges, money transmitters, securities firms, and casinos. OFAC enforcement actions have continued to focus largely on prohibited transactions with Russia. Specifically,

  • AML/CFT penalties have totaled over $1.1 billion so far, with crypto exchanges by far being fined the most ($927,500,000), followed by money transmitters ($161,200,000), securities firms ($46,900,000), and casinos ($32,300,000). Companies such as Block Inc., Wynn Resorts, and Robinhood Financial paid fines for gaps in AML/CFT compliance.
  • Sanctions-related penalties have totaled over $238 million to date. The largest was a $216 million penalty levied against GVA Capital Ltd., a San Francisco-based venture capital firm that managed investments for a sanctioned Russian oligarch.

UK Serious Fraud Office (SFO): Updated Guidance on Evaluating Businesses’ Compliance Programs

On 26 November 2025, the UK Serious Fraud Office (SFO) published revised Guidance on Evaluating a Corporate Compliance Programme, (UK Guidance) describing how it will evaluate companies' compliance programs in the event of misconduct. The new Guidance includes the “failure to prevent fraud” offense under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), which came into effect in September 2025. ECCTA makes “large” organizations potentially liable for economic crimes committed by their employees, directors, agents, etc.

Although the revised Guidance is not as detailed as the Department of Justice’s Evaluation of Corporate Compliance Programs (“DOJ Guidance”), the overall message is the same: an effective compliance program must be effective in practice, not merely on paper.

As well as focusing on practical effectiveness, the Guidance stresses the importance of being proactive, specifically requiring

  • A “genuinely proactive approach” adopted by the organisation’s management when the offending is brought to their notice, including taking remedial actions and
  • The existence of a proactive compliance programme both at the time of the offending and at the time of reporting, which failed to be effective in this instance.”

The new Guidance also reiterates the importance of the six principles in the Bribery Act Guidance and The Failure to Prevent Fraud Guidance, with new emphasis in the training area, adding that “training and maintaining training are key.”

The IFBT issues a summary of red flag situations indicative of potential bribery

The IFBT is a working group of five international law enforcement agencies that share intelligence, knowledge, skills, methodologies, and case studies. The new summary distills their collective experience prosecuting bribery cases.


The summary is helpful for E&C programs as it provides real-life examples taken from enforcement actions. These include a party that requests a high level of discretion around a particular contract, owns cryptocurrency, or has links to companies across multiple industries. Many of the indicators listed by the IFBT are not proof of bribery per se, but should be part of an organization’s due diligence review, particularly if other red flags are present.


Ethena Tip: Now is a good time to review your anti-bribery due diligence processes to ensure they encompass the full range of red flags listed in the summary.

About Ethena

Ethena combines top-rated, compliant training content with AI-assisted curation to adapt and reflect your company’s unique brand, employees, and policies. Launch in days, not months, and effortlessly get to 100% completion. Schedule a demo to learn more.

 

Articles

View All
Articles

What’s New at Ethena | February 2026

We are constantly refreshing our training and evolving our platform to ensure that the learning experience feels modern and relevant. See the Updates in Action Austin Light, our VP of...

3 min read
Articles

How to Use the DOJ’s ECCP to Build (or Fix) Your Compliance Program [2026 Updates]

When it comes to ethics and compliance programs, “good enough” is anything but. From record-breaking FCPA settlements to sweeping investigations across industries, the U.S. Department of Justice (DOJ) has made...

6 min read
Articles

Ethena Announces Record Fiscal Year 2025 Results

Enterprise Demand for Easier, More Customized Compliance Training Drives Greater Than 50%+ Revenue Growth NEW YORK, January 29, 2026 – Ethena, the AI-powered compliance training platform, announced record growth in...

3 min read
Articles

Employee “Betting” in Prediction Markets: New Risks for Insider Trading and Proprietary Information Disclosure

In the last year, prediction markets (once niche, now everywhere) have grown into a billion-dollar frontier for trading on real-world events. Platforms like Polymarket and Kalshi allow users to buy...

5 min read