
GRC By International Standards for AML/CFT

Visual training and development of procedures based on international laws and legislation.

BANK SECRECY ACT

The primary U.S. anti-money laundering regulatory statute (Title 31, U.S. Code Sections 5311-5355) enacted in 1970 and most notably amended by the USA PATRIOT Act in 2001. Among other measures, it imposes money laundering controls on financial institutions and many other businesses, including the requirement to report and to keep records of various financial transactions.


EU WHISTLEBLOWER

Historically, whistleblower protections within the European Union have varied considerably. That is set to change with the implementation of the new EU Whistleblower Protection Directive. These new rules, which were formally adopted by the European Parliament on October 7, 2019, give member states two years to implement the protections into their own national laws. This change brings new opportunities as well as challenges to firms operating within the EU; while many companies may have to update or improve their internal reporting policies and procedures, they now have a single, unified standard to meet.

The major components of the EU Directive, which applies to all companies with 50 or more employees, revolve around the explicit protection of all whistleblowers who report a violation of EU law. One of the primary requirements of the directive is the implementation of internal reporting channels and processes, which the legislation encourages whistleblowers to use, offering access to a range of legal, financial and psychological support to those who do. The directive also extends whistleblower protections to include trainees, volunteers and self-employed workers (in addition to employees). In all, the new EU Directive takes significant steps to empower and protect reporters.


USA PATRIOT ACT

Motivated by the attacks of September 11, 2001, and the urgent need to decipher and disable mechanisms that finance terrorism, the U.S. Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) in October 2001 to strengthen money laundering laws and the Bank Secrecy Act (BSA) to levels unseen since the original passage of the BSA in 1970 and the Money Laundering Control Act of 1986 (Public Law 99-570), the world’s first law to criminalize money laundering.

In addition to the BSA and the USA PATRIOT Act, firms should be familiar with other important US AML/CFT regulations. These include:

  • Money Laundering Control Act 1986

  • Money Laundering Suppression Act 1994

  • Money Laundering and Financial Crimes Strategy Act 1998

  • Suppression of the Financing of Terrorism Convention Implementation Act 2002

  • Intelligence Reform and Terrorism Prevention Act 2004


FOREIGN ACCOUNT TAX COMPLIANCE ACT (FATCA)

The Foreign Account Tax Compliance Act (FATCA), which was passed as part of the HIRE Act, generally requires that foreign financial institutions and certain other non-financial foreign entities report on the foreign assets held by their U.S. account holders or be subject to withholding on withholdable payments. The HIRE Act also contained legislation requiring U.S. persons to report, depending on the value, their foreign financial accounts and foreign assets.


UK BRIBERY ACT

The European Union’s General Data Protection Regulation (GDPR) became enforceable in May 2018. The new GDPR requirements have created major concerns not just for data privacy officers, but also for all professionals operating in the GRC space. The 2018 EU regulation has effectively replaced the 1995 Data Protection Directive and includes a number of key changes that respond to modern data-driven environments.


The most notable change is the GDPR fines associated with noncompliance. Failure to comply with GDPR requirements can result in fines of up to 4 percent of an organization’s global annual revenue, or up to €20 million, whichever is greater. Under the new territorial scope of the GDPR, the law now applies to many organizations that sell goods or services within the EU, regardless of where their businesses are located. Organizations that fall under the GDPR must embed privacy-by-design concepts across the enterprise, including the entire life cycle of their products, through vendor management, and through every area of their human resources. Among a number of other requirements introduced by the GDPR, timely notification of personal data breaches, specifically within 72 hours, is now required.


FCPA

The U.S. Foreign Corrupt Practices Act (FCPA) aims to combat bribery and corruption. It establishes liability for corporations regarding bribery payments and third-party oversight. The U.S. Securities and Exchange Commission (SEC) and the U.S. Department of Justice (DOJ) both aggressively enforce the FCPA to encourage fair business practices on a global scale. The DOJ expects a risk-based compliance program that applies greater resources and due diligence for the areas at highest risk in your organization. In addition, senior management is expected to go beyond internal controls by creating a tone from the top that embeds a culture of FCPA compliance throughout the organization.


Fines for FCPA violations are frequently in the hundreds of millions of dollars, with the heftiest fine nearing $1 billion. The company is not the only entity at stake when the FCPA is violated. Individual employees across all levels of the organization can be hit with civil enforcement actions that can result in significant civil penalties as well as disgorgement of profits gained from corrupt practices. Since 1977, the FCPA has been one of the most prominent anti-corruption acts facing organizations and continues to be a significant concern for ethics and compliance programs globally.


SOX

All public companies are required to comply with the Sarbanes-Oxley Act (SOX). Passed by the United States Congress in 2002, SOX is designed to protect shareholders and the general public from fraudulent accounting and business practices. Signed into law after a series of high-profile corporate financial scandals, mandatory SOX compliance is intended to enforce corporate governance and accountability through comprehensive internal checks and balances. The act imposes extensive and expensive record-keeping standards and enforces steep fines for non-compliance.


Sarbanes-Oxley requires all publicly traded companies to report their internal accounting controls to the Securities and Exchange Commission (SEC), even calling on the CEO and CFO to personally attest to the completeness and accuracy of their records. Failure to comply with SOX can lead to significant personal fines for senior executives and even jail time. To ensure transparency, Sarbanes-Oxley enhances whistleblower protections to encourage the reporting of illegal activities that might not otherwise be readily exposed, even through a SOX audit. In addition, the act gives the U.S. Department of Justice authority to criminally charge employers who retaliate against whistleblowers, effectively raising the bar for organizations to create environments with zero tolerance for retaliation.


GDPR

The GDPR is a comprehensive regulation that unifies data protection in all EU countries. It will directly apply in all EU member states from 25 May 2018; businesses have less than 6 months to prepare. It’s time to act now. The GDPR has a very broad territorial scope and will apply to any organization that manages the personal data of individuals who are based in the EU, regardless of where the organization is registered. Non-compliance leads to severe consequences. Fines may amount to a maximum of EUR 20 million, or 4% of global annual turnover.


The GDPR requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. To achieve that goal, the law regulates all areas related to data management and processing, from obtaining user consent to setting up company-wide data protection practices and handling data breach incidents. This overview helps you to explore why the GDPR highlights encryption as an important technical measure to safeguard data. It also details how encryption, especially end-to-end encryption, helps your business manage data in the cloud in a GDPR-compliant way.
