VinciWorks https://vinciworks.com/ (feed retrieved Wed, 18 Mar 2026 13:14:24 +0000)

AUSTRAC’s big reset: What the Tranche 2 AML reforms mean for your business
https://vinciworks.com/blog/austracs-big-reset-what-the-tranche-2-aml-reforms-mean-for-your-business/
Wed, 18 Mar 2026 13:14:20 +0000
A significant shift is underway in Australia’s fight against financial crime and it is about to redraw the boundaries of responsibility across entire professions.

From March 2026, AUSTRAC will begin rolling out new regulatory requirements and a fundamentally different way of engaging with the sectors it supervises. The launch of its redesigned website on 30 March, timed with the opening of enrolment for newly regulated entities, may look like a routine update. In reality, it marks the beginning of a much more hands-on, expectation-driven phase of enforcement.

For the first time, large parts of the professional services economy, most notably the legal sector, are being formally brought into Australia’s anti-money laundering (AML) and counter-terrorism financing (CTF) regime.

From trusted adviser to regulated gatekeeper

In a recent address to the Law Society of New South Wales, AUSTRAC CEO Brendan Thomas framed the reforms by noting that the legal profession is now part of the frontline in preventing financial crime.

For decades, lawyers have occupied a unique position in Australia. They facilitate property transactions, establish companies and trusts, and often manage client funds. These services are essential to the functioning of the economy but they also provide exactly the kind of access and legitimacy that sophisticated criminal networks seek.

That reality has not gone unnoticed. Regulators and international bodies have long pointed to professional services as a weak link in the system, particularly in jurisdictions where lawyers were not subject to the same obligations as banks. Tranche 2 closes that gap.

This is a redefinition of professional responsibility. Legal practitioners who were once outside the AML framework must now actively participate in identifying and managing financial crime risk. The consequences for failing to do so are significant, with penalties for systemic non-compliance reaching into the millions.

How criminal money moves and why it matters

At the heart of these reforms is a better understanding of how money laundering actually works in practice.

Illicit funds don’t usually enter the legitimate economy in a single step. Instead, they are moved, disguised, and reintroduced through a sequence of transactions designed to obscure their origin. It is in these later stages, when money is layered through complex structures or integrated into real assets, that professional services become valuable.

A property purchase through a corporate vehicle, the creation of a trust, or the temporary movement of funds through a client account can all appear entirely legitimate in isolation. But taken together, these activities can form part of a carefully constructed mechanism to conceal ownership, move value across borders, and ultimately legitimise criminal proceeds.

As Brendan Thomas emphasised, this is not incidental misuse. It is a deliberate business model used by organised crime. And its impact extends far beyond individual transactions. It distorts markets, inflates asset prices, and channels billions of dollars into illegal activities.

A broader net

While the legal profession is the most visible addition to the regime, it is far from the only one. The reforms reflect a broader shift toward regulating the “gatekeeper” professions: those who sit at key entry points to the financial system.

Real estate professionals, accountants, and company service providers are all part of this expanded landscape. What unites them is not their title, but the fact that they facilitate transactions, structures, and asset movements that can be exploited if left unchecked.

For businesses operating in these sectors, the message is simple: if your services can be used to move or legitimise value, you are part of the risk environment and, now, part of the regulatory response.

Why AUSTRAC’s website overhaul matters

Against this backdrop, AUSTRAC’s upcoming website changes take on greater significance.

The redesigned platform promises a more intuitive structure, improved search functionality, and clearer guidance tailored to different types of users. For newly regulated entities, it will offer a more guided onboarding experience, helping businesses determine whether they are in scope, understand their obligations, and navigate the enrolment process.

This reflects a deliberate effort to remove ambiguity at a critical moment. As the regime expands, the regulator is making it easier for businesses to access the information they need and also harder to justify inaction. The tools for compliance are becoming more accessible at the same time as expectations are rising.

What will actually change

For many firms, the real challenge will be in translating the reforms into effective, day-to-day practice.

The shift requires embedding structured processes into everyday work such as verifying who clients really are, understanding the purpose behind transactions, and recognising when something does not quite add up. It means documenting decisions, monitoring relationships over time, and knowing when to escalate concerns.

It also means contributing to a broader intelligence framework. Suspicious matter reports submitted by reporting entities form part of a national picture, enabling regulators and law enforcement to detect patterns that would otherwise remain invisible.

Importantly, the regulator has been careful to set expectations at a realistic level. Businesses are not being asked to investigate crimes or halt legitimate activity unnecessarily. They are being asked to apply professional judgement, supported by clear processes, and to act when risks cannot be reasonably explained.

Progress, not perfection

One of the more pragmatic elements of AUSTRAC’s messaging has been its emphasis on progress over perfection.

The expectation is not that every firm will have a flawless system in place from day one. But businesses must demonstrate that they understand their risks, have identified gaps, and are taking credible steps to address them. Senior leadership involvement is not optional. It is a critical indication of accountability.

At the same time, the regulator has been equally clear about the limits of this flexibility. Where risks are left unmanaged, or where firms fail to engage meaningfully with their obligations, enforcement action will follow.

This balance between support and scrutiny is likely to define the early phase of implementation.

Preparing for a different professional environment

As March and July 2026 approach, the immediate priority for businesses is to move from awareness to readiness.

That begins with understanding whether their services fall within scope, but it quickly extends into more fundamental questions about how work is done. Many firms will find that elements of compliance already exist in informal or fragmented ways: identity checks, internal discussions about risk, or controls around client funds. The task now is to bring those elements together into a coherent, documented framework that can withstand regulatory scrutiny.

Equally important is the human dimension. These reforms will only be effective if the people within organisations understand what to look for and feel confident in acting on it. That requires training, clarity, and a culture that treats financial crime prevention as part of professional responsibility rather than an administrative burden.

More than compliance

It is a mistake to see Tranche 2 as just another layer of complex, technical and time-consuming regulation. This is about protecting the integrity of the systems that underpin the economy. Every instance of money laundering represents not just a regulatory failure, but a real-world harm, whether through fraud, exploitation, or organised crime.

By bringing lawyers and other professional service providers into the regime, Australia is closing a critical gap. The success of that effort will depend not just on rules and enforcement, but on how those professions respond.

Our guide on the Tranche 2 reforms to Australia’s AML/CTF regime outlines when the reforms take effect, which services and entities are newly captured, and what those businesses must do, from enrolling with the regulator to developing an AML/CTF programme, conducting customer due diligence, reporting, and record-keeping. Get it here.

The post AUSTRAC’s big reset: What the Tranche 2 AML reforms mean for your business appeared first on VinciWorks.

Provision 29 compliance, explained: how boards can turn internal controls into a business advantage
https://vinciworks.com/blog/provision-29-compliance-explained-how-boards-can-turn-internal-controls-into-a-business-advantage/
Wed, 18 Mar 2026 07:50:56 +0000
Provision 29 has changed the conversation for UK boards.

This is no longer about showing you have policies, frameworks and good intentions on paper. It is about whether the board can stand up and say, publicly and with confidence, that the company’s material controls were effective at the balance sheet date, and explain how that conclusion was reached across the year.

Under the 2024 UK Corporate Governance Code, that requirement now applies to financial years beginning on or after January 1, 2026.

That changes the standard. It is no longer enough to show a policy exists, or that a process has been documented. Boards need credible evidence that material controls actually operated in practice.

As our partner and LMS provider, VinciWorks, puts it: “The challenge is not designing controls. The difficulty lies in demonstrating that those controls actually operated throughout the reporting period.”

That is why Provision 29 matters so much. On paper, it looks like a reporting change. In reality, it is forcing organizations to confront whether their control environment is truly visible, testable, and defensible.

At CoreStream GRC, we believe there is a real opportunity here. Provision 29 can be treated as a compliance exercise. Or it can be used to make GRC more useful and valuable to the business.

What is Provision 29?

Provision 29 of the revised UK Corporate Governance Code requires the board to monitor the company’s risk management and internal control framework and, at least annually, review its effectiveness.

As the Financial Reporting Council (FRC) explains: “Under the 2024 Corporate Governance Code, the revised Provision 29 introduces an additional requirement for the board to provide a declaration of the effectiveness of the company’s material controls. Reporting on material controls should be proportionate, consider the risk appetite of the individual organization, and avoid unnecessary duplication and disclosure of immaterial information.”

The timing matters. The 2024 Code has applied since January 1, 2025, but Provision 29 itself applies from January 1, 2026. That means many companies are now in the first real declaration cycle.

The big shift is this: boards are moving from “we have controls” to “we can show those controls operated effectively, based on evidence.”

That declaration needs to be backed up. The annual report should explain how the board monitored and reviewed the framework over the reporting period, whether material controls were effective at the balance sheet date, and what happened where controls did not operate effectively.

“Provision 29 effectively asks boards to move from describing governance to proving it.” VinciWorks

That is a much higher bar.

The scope is broader than many teams first assume. This is not only about financial controls. The FRC has made clear that the review covers all material controls, including financial, operational, reporting, and compliance controls.

There is another important wrinkle. The FRC does not provide a standard list of “material controls.” Boards have to decide what is material based on the organization’s own principal risks, operating model, complexity, and risk appetite.

In other words, the judgement is yours, which means the logic and the evidence behind it have to be defensible.

As Paul Cadwallader, GRC Strategy Director at CoreStream GRC, puts it, Provision 29 should be viewed as a catalyst for a more value-based approach to governance, risk, and compliance: “Traditional GRC focuses on the mechanics of compliance and reporting, whereas introducing the value dimension brings GRC back to the performance goal.”

That matters because the strongest Provision 29 programs will not just produce a declaration. They will create a clearer, more connected view of how controls support performance, accountability, and decision-making across the business.

The real challenge: people-based controls are often real, but not provable

One of the most useful insights from VinciWorks’ Provision 29 analysis is this: “The most difficult controls to evidence are often the ones that depend on human behavior.”

That should ring alarm bells for a lot of organizations, because many important controls fall into exactly that category.

Think about:

  • mandatory compliance training
  • policy attestations
  • conflict of interest disclosures
  • approval workflows
  • whistleblowing awareness
  • regulatory certifications
  • sign-offs and periodic acknowledgements

These are often treated like routine admin. But in reality, they function as genuine controls over conduct, compliance, operational discipline, and risk exposure. “Training, disclosures, attestations and approvals therefore function as genuine risk controls.” – VinciWorks

That is the issue many organizations are now running into. These controls may be real, important, and widely used, but the evidence behind them is often fragmented across spreadsheets, inboxes, shared drives, separate systems, and manual follow-up.

That becomes a problem the moment the board asks basic questions such as:

  • Who was required to complete the control?
  • Did they complete it on time?
  • Was the full population covered?
  • Were exceptions identified?
  • What remediation took place?
  • Can we show this consistently across the whole reporting period?

If the business cannot answer those questions clearly, then the board may struggle to provide credible assurance. This is where Provision 29 is exposing a gap that has existed for years. Organizations often have the control in theory. What they do not always have is a defensible evidence chain.

How Provision 29 can help your business  

Provision 29 introduces a formal requirement for boards to declare whether material controls were effective in the annual report. On the surface, that sounds like more pressure. In reality, it can force the kind of clarity most organizations need anyway.

“Everyone agrees Provision 29 could drive genuine improvement—but only if organizations embrace it as an opportunity rather than a checkbox.” – Michael Rasmussen, GRC analyst and founder of GRC 20/20

That is exactly the dividing line. Once the board has to stand behind a declaration, vague language stops working. Teams need to define what each control is, what it is meant to achieve, what evidence demonstrates operation, and what happens when it fails. That improves much more than year-end reporting.

First, it improves clarity. A control environment cannot be relied on if nobody can clearly explain what is being controlled, how it is monitored, and what counts as failure.

Second, it improves accountability. Provision 29 is not just asking whether the framework exists. It pushes companies to explain what did not operate effectively and what was done about it. That creates a stronger line of sight between control ownership, issues, remediation, and board reporting.

Third, it strengthens assurance. Boards need enough confidence to sign the declaration. That means assurance structures have to be strong enough to support a real conclusion, not a hopeful one. The FRC has been clear that the board’s reporting should reflect how it monitored and reviewed effectiveness, and whether material controls operated effectively at the balance sheet date.

“Provision 29 is more than a reporting requirement. It is a catalyst.” – Michael Rasmussen, GRC analyst and founder of GRC 20/20

This is where the case for value-based GRC gets more interesting. When controls are tied to outcomes, GRC stops looking like overhead and starts acting like an operating advantage. Better control clarity can mean fewer delays, cleaner escalation, faster approvals, and better management confidence.

The value case usually lands in three buckets.

  1. Business outcomes. Better-defined controls reduce friction and support faster decisions. One CoreStream GRC client reduced headcount approval time from six months to one week by improving transparency and decision confidence.
  2. Transparency and accountability. Provision 29 gives boards and executives a clearer picture of what is working, what is not, and where remediation is stalling.
  3. Cost effectiveness. When evidence is captured through the workflow instead of reconstructed through email chains, screenshots, and manual chasing, teams spend less time proving work after the fact.

That is the bigger point. Provision 29 can feel laborious at first because it demands precision. But that precision is useful. If you build for the declaration properly, you usually end up running the business better too.

“GRC is not only about avoiding the downside. It should actively drive value.” – Paul Cadwallader, GRC Strategy Director, CoreStream GRC

How to optimize your existing program to be more strategic  

This section is about one thing: making sure the board can sign the Provision 29 declaration without hand-waving. That means you need a clear scope, a repeatable evaluation method, and evidence that stands up at year end.

3.1 Start with what the board must declare, then work backwards from the annual report wording


Begin with what the board will actually need to say in the annual report. Under Provision 29, boards are expected to describe how they monitored and reviewed the effectiveness of the framework, declare whether material controls were effective at the balance sheet date, and explain any material controls that did not operate effectively and what action was taken or proposed. From there, work backwards.

Define your material controls population in a way that clearly links to principal risks. Then agree what evidence the board will accept. System records, workflow history, attestation logs, testing results, and audit trails are defensible. General statements, scattered emails, or screenshots from shared drives are much harder to rely on. The FRC’s position is clear: the board’s conclusion needs to be grounded in monitoring, review, and evidence.

3.2 Pick 2–3 priority control areas to industrialize first (where Provision 29 risk is highest)

You do not need to perfect every control at once. You need to make sure the highest-risk areas can be evidenced and evaluated repeatably before the board has to declare on them.

The timing pressure is real. The Institute of Chartered Accountants in England and Wales (ICAEW) has been blunt that the revised requirements apply to 2026 financial years and that work needs to start soon.

Start where failures are common and evidence is messy.

People-dependent controls are often the first weak spot. Training completion, policy attestations, conflicts disclosures, approvals, and sign-offs are frequently treated as routine admin. Under Provision 29, they become much harder to wave through if they cannot be evidenced properly.

Cross-functional controls are another risk area. Third-party onboarding and renewals, access reviews, incident response, and regulatory reporting often break down because ownership is split across teams.

Then there are controls with a known exceptions profile, the places where you already see recurring failures, slippage, or late completion. Those are the areas most likely to create discomfort at board level.

The goal is to turn each priority area into a repeatable pattern: named control owners, known evidence sources, a clear testing method, an exception workflow, and a board reporting view. That is how you avoid year-end theatre. Evidence should be captured in the workflow itself, not rebuilt from memory after the fact.

3.3 Decide on metrics that prove operation and remediation, not just activity for the sake of it

Provision 29 is not asking “how many GRC things did you do?” or “how much time did you sink into reporting?”. It is asking whether material controls were effective, and if not, what changed.

Use the disclosure requirement as your metric checklist: you may need to explain what did not operate effectively and what action was taken.

Metrics that map directly to the declaration

  • Operation and coverage: did the control run when required, for the full population, and on time?
  • Effectiveness signals: testing pass rates, exception rates, repeat exceptions, severity, time-to-remediate.
  • Closure quality: remediation completed, validated, and re-tested where needed (not just “marked done”).
  • Board-readiness: can you produce a single view showing control status, evidence, exceptions, and remediation without manual stitching?

“These forms of measurement… shouldn’t be seen as adding bureaucracy… If they are seen as adding to bureaucracy, you’ve made the process too complex!” Paul Cadwallader, GRC Strategy Director, CoreStream GRC.

4. Embedding Provision 29 into a wider value-based GRC approach

4.1 What “value-based GRC” actually means in this context

Value-based GRC is not just a slogan. In this context, it means connecting governance, risk, and compliance to the outcomes the organization is actually trying to achieve. Paul Cadwallader, GRC Strategy Director at CoreStream GRC, defines it clearly: “Value-based GRC aligns governance, risk and compliance with what matters most, the organization’s strategic goals and objectives.”

That matters for Provision 29 because the declaration becomes much easier to support when controls, risks, issues, ownership, and outcomes are already connected.

If control ownership sits in one place, testing in another, people evidence in a third, and board reporting in a fourth, the business ends up stitching together a story instead of managing the control environment properly. Provision 29 makes that fragmentation harder to hide.

4.2 The people-controls gap

A large share of real controls depends on human behavior. Training, attestations, disclosures, approvals, and certifications are often critical to managing risk. But they are rarely captured in a way that is genuinely board-ready. That creates a gap between operational activity and board assurance.

VinciWorks addresses the behavioral evidence side by generating structured, defensible records of compliance adoption, including training completion, policy attestations, and disclosures. CoreStream GRC connects that evidence into the wider internal control framework, linking it to ownership, testing, exception handling, remediation, and board reporting.

Provision 29 does not ask for isolated evidence points. It asks for a defensible control story. As VinciWorks puts it, “When those processes are treated as formal controls rather than administrative tasks, the gap between operational activity and board assurance begins to close.”

4.3 Why disconnected tooling fails Provision 29

Provision 29 is unlikely to fail because boards do not care. It is more likely to fail because organizations are trying to evidence critical controls through email trails, one-off exports, local trackers, and tools that do not reflect how the business actually works.

That creates familiar problems: incomplete coverage, inconsistent reporting, weak exception handling, and lots of manual reconstruction at year end. Provision 29 exposes that weakness fast. Where evidence is not captured in a connected, repeatable way, boards are left with fragmented assurance instead of a reliable view of control effectiveness.

Final thought from CoreStream GRC and VinciWorks

Provision 29 raises the bar for boards, but it also creates an opportunity. Organizations that treat it as a year-end reporting exercise will feel the pressure. Organizations that use it to improve control clarity, evidence, and accountability will get more than compliance in return.

The real test is whether the business can show, with confidence, that its material controls operated effectively and that issues were identified, managed, and remediated in a way the board can stand behind. Better proof. Better oversight. A control environment the board can actually use.

Want to make Provision 29 reporting more defensible and more useful?

The post Provision 29 compliance, explained: how boards can turn internal controls into a business advantage appeared first on VinciWorks.

Isle of Man National Risk Assessment 2026: key changes, risks and implications for AML teams
https://vinciworks.com/blog/isle-of-man-national-risk-assessment-2026-key-changes-risks-and-implications-for-aml-teams/
Tue, 17 Mar 2026 08:01:31 +0000
The Isle of Man’s 2026 National Risk Assessment (NRA) of money laundering provides an updated view of the jurisdiction’s exposure to financial crime between 2020 and 2025. It builds on the 2015 and 2020 assessments and is more detailed, with greater use of data, supervisory insight and industry input.

The overall money laundering risk remains rated Medium High, unchanged from 2020. The assessment makes clear that this reflects a balance between improved controls and a more complex threat environment.

Main changes in the 2026 assessment

The 2026 NRA is more comprehensive than previous versions. It draws on a wider dataset, including supervisory returns, financial flow data, SAR intelligence, law enforcement casework and structured engagement with industry.

There is also a stronger emphasis on integration across the financial crime framework. The NRA is designed to feed directly into Business Risk Assessments, Customer Risk Assessments and Technology Risk Assessments across firms.

From a structural perspective, there has been a clear increase in supervisory and enforcement capability since 2020. This includes expansion within the Financial Services Authority, improvements in FIU analytical capacity, and the creation of multi-agency investigation and coordination functions.

The assessment also reflects a more developed understanding of sectoral risk, supported by separate risk assessments covering areas such as virtual assets, non-profits and legal structures.

Main AML risk areas

The NRA confirms that the Isle of Man’s risk profile is primarily shaped by its role as an international finance centre. Cross-border exposure remains the central risk driver. Financial flows are heavily concentrated around the UK, US and Germany, with growing exposure to regions including Asia and South America.

Non-resident customers, complex corporate structures and layered ownership arrangements continue to increase the risk of money laundering.

Foreign predicate offending is the dominant source of risk. Cyber-enabled fraud, investment scams and large-scale international fraud schemes are identified as the main drivers of laundering activity.

Transnational organised crime has become more prominent, particularly in areas such as online gambling, immigration systems and virtual assets. Domestic threats are assessed as lower, though drug trafficking and associated cash laundering remain relevant.

The assessment also highlights the growing impact of technology. Virtual assets, alternative payment methods and AI-enabled identity manipulation are increasingly used to facilitate layering and obscure beneficial ownership.

Highest-risk sectors

The sectors with the highest residual money laundering risk remain:

  • Banking
  • Online gambling
  • Trust and corporate service providers (TCSPs)

These sectors combine high transaction volumes, international exposure and complex ownership structures.

Banking remains central due to the scale of cross-border flows and the use of complex corporate arrangements.

Online gambling presents specific risks linked to global customer bases, rapid payment flows and exposure to organised crime groups, particularly in Asia.

TCSPs remain high risk due to their role in forming and managing legal structures that can obscure beneficial ownership.

Other sectors, including life insurance, money or value transfer services (MVTS), professional services and virtual asset service providers, present more targeted or emerging risks, often linked to cross-border activity or specific typologies.

Main findings of the Manx NRA

The key finding is that the threat environment has intensified while controls have improved. The Isle of Man has strengthened its AML/CFT framework since 2020 through enhanced supervision, improved intelligence capabilities and greater multi-agency coordination.

At the same time, the nature of money laundering has evolved. Criminal activity is more international, more technology-enabled and more reliant on complex financial structures.

The national vulnerability rating remains Medium. This reflects strong controls in areas such as beneficial ownership, supervision and enforcement, alongside ongoing weaknesses.

Key vulnerabilities include gaps in data outside the banking sector, particularly in non-bank financial flows, and limited visibility over certain emerging typologies. There are also risks linked to immigration systems, cross-border movement within the Common Travel Area and the increasing use of alternative payment channels.

Changes from the 2020 NRA

The overall risk rating has not changed, though the underlying picture has. There has been a clear increase in supervisory capability, intelligence capacity and enforcement coordination. The system is more structured and more data-driven than in 2020.

Beneficial ownership controls have been strengthened, with greater emphasis on verification and data integrity. Border controls, immigration oversight and financial crime investigation capacity have also been expanded.

At the same time, the threat landscape has shifted towards more complex, global and technology-enabled activity. This includes increased use of virtual assets, AI-driven fraud techniques and cross-border fraud schemes. The result is a broadly stable risk rating, despite a more challenging operating environment.

What this means for AML compliance teams

The NRA is intended to be operational. Firms are expected to reflect its findings in their risk frameworks and controls. Business Risk Assessments should account for cross-border exposure, customer base composition and sector-specific risks in a more detailed way.

Customer due diligence processes need to address complex ownership structures, higher-risk jurisdictions and the use of intermediaries.

Transaction monitoring should be aligned with current typologies, particularly those involving fraud proceeds, rapid fund movement and alternative payment methods.

There is also a clear expectation that firms address technology-related risks, including the impact of virtual assets and AI-enabled identity manipulation.

Data quality is a recurring theme. Firms are expected to improve the completeness and usability of customer and transaction data, particularly where this affects risk assessment and monitoring.

The NRA reinforces the importance of aligning firm-level controls with national risk priorities. Regulators are likely to expect clear evidence that the findings of the NRA are understood and applied in practice.

The post Isle of Man National Risk Assessment 2026: key changes, risks and implications for AML teams appeared first on VinciWorks.

Cuba sanctions: Why the next geopolitical crisis could create serious compliance risks for global firms
https://vinciworks.com/blog/cuba-sanctions-why-the-next-geopolitical-crisis-could-create-serious-compliance-risks-for-global-firms/ Mon, 16 Mar 2026 10:47:57 +0000

For decades, the United States has maintained a broad embargo on Cuba, first introduced during the Cold War and later codified through legislation such as the Helms-Burton Act. The law reinforces the US trade embargo and includes a controversial provision allowing US nationals to sue companies that profit from property confiscated by the Cuban government after the 1959 Communist revolution.

When the first Trump administration activated Title III of the Helms-Burton Act in 2019, it dramatically expanded the legal exposure for foreign companies operating in Cuba. Businesses that used property nationalised during the revolution could suddenly face lawsuits in US courts, even if their activities were entirely lawful in their home jurisdictions.

This extraterritorial reach created immediate tension with US allies. Canada, for example, relies on the Foreign Extraterritorial Measures Act (FEMA) to counter US sanctions enforcement related to Cuba. The law prohibits Canadian companies from complying with certain US measures and allows businesses targeted under US judgments to recover damages in Canadian courts.

The result is a classic conflict-of-laws problem. A Canadian or European firm trading with Cuba might face lawsuits in the United States for continuing its operations. Attempting to comply with US sanctions, however, could expose the same company to penalties at home for violating blocking legislation designed to protect domestic trade with Cuba.

For compliance teams, this type of legal collision is one of the most difficult sanctions environments to manage.

The Venezuela-Iran-Cuba axis

The sanctions picture may become even more complicated in the coming months. Washington has already applied escalating pressure on governments in Iran and Venezuela through sanctions, economic restrictions and legal action. The Trump administration’s intervention in Venezuela and the removal of Nicolás Maduro has reinforced the message that the US is prepared to use economic tools aggressively in the region.

President Trump is making it clear that Cuba will become the next focus of the Administration’s interventionist foreign policy. Washington has already begun tightening pressure. Measures targeting energy supplies have sharply reduced Cuba’s access to Venezuelan oil, contributing to electricity shortages and deepening economic instability on the island. At the same time, US officials have signalled that additional sanctions and legal actions against Cuban officials are under consideration.

Public rhetoric from the administration has also intensified, with warnings that Cuba must negotiate with the United States or face severe consequences. When the current conflict with Iran begins to wind down, Washington’s geopolitical attention will inevitably pivot quickly toward Havana.

The importance of international coordination

For businesses and compliance teams, the central risk is divergence between jurisdictions. The Helms-Burton framework shows how quickly this can happen. A company operating hotels, shipping routes or logistics infrastructure in Cuba could face lawsuits in the United States for “trafficking” in confiscated property. At the same time, the same activity may remain legal in Canada, the UK or the European Union.

Blocking statutes in those jurisdictions may even prohibit companies from complying with US sanctions. Without coordinated policy between the US, Canada and Europe, firms can face exposure on several fronts simultaneously: civil litigation risk in US courts, regulatory enforcement risk in their home jurisdiction and reputational exposure linked to sanctions compliance decisions.

Several enforcement cases over the past decade illustrate how easily businesses can fall foul of Cuban sanctions rules.

Real enforcement cases: how companies have been caught by Cuba sanctions

Expedia – travel services to Cuba

In 2019 the US Treasury’s Office of Foreign Assets Control (OFAC) fined the travel platform Expedia $325,406 after subsidiaries provided travel services related to Cuba for more than 2,200 individuals in violation of US sanctions regulations.

According to OFAC, the violations occurred because foreign subsidiaries lacked a clear understanding of US sanctions rules. Employees processed travel bookings involving Cuba without recognising the compliance risk.

Although the company voluntarily disclosed the issue and cooperated with investigators, the case highlights a common sanctions failure: decentralised global business units operating without adequate sanctions controls.

EFG International – banking transactions linked to Cuba

In another example, Swiss private bank EFG International agreed to pay approximately $3.7 million to settle allegations that it processed hundreds of securities transactions linked to sanctioned jurisdictions, including Cuba.

The transactions were conducted through omnibus accounts, which obscured the identities of underlying clients and allowed Cuban-linked transactions to pass through US financial markets.

Regulators concluded that inadequate visibility into underlying clients and weak sanctions screening controls allowed the activity to occur.

Key Holding – logistics shipments to Cuba

More recently, in 2025 OFAC announced a $608,825 settlement with logistics company Key Holding for apparent violations of the Cuban Assets Control Regulations. The breaches occurred when a Colombian subsidiary arranged freight shipments connected to Cuba.

The case illustrates another frequent sanctions risk: overseas subsidiaries engaging in Cuba-related activity without understanding the reach of US sanctions laws.

How firms can manage Cuba sanctions risk

In previous geopolitical crises, including the early stages of US military pressure on Iran, analysts observed large volumes of digital assets leaving the country as individuals attempted to move wealth beyond the reach of sanctions.

A similar pattern could emerge in Cuba if financial restrictions tighten rapidly. Crypto flows, informal remittances and offshore financial networks often expand quickly when sanctions risk increases. For financial institutions and payment providers, that creates additional monitoring challenges.

For organisations with exposure to Latin America, tourism, logistics, finance or shipping, the shifting sanctions environment around Cuba requires careful monitoring. Several practical compliance steps can help mitigate the risk.

Conduct a Cuba exposure assessment

Companies should identify whether any part of their operations touches Cuba directly or indirectly. This includes:

  • Supply chains involving Cuban goods
  • Tourism or travel services
  • Logistics or freight operations
  • Financial transactions linked to Cuban individuals or entities

Indirect exposure through subsidiaries or partners is often where risks emerge.

Review subsidiary and partner activities

Many sanctions breaches occur through overseas subsidiaries or joint ventures that operate under different legal regimes. Compliance teams should ensure that subsidiaries understand US sanctions exposure even when operating outside the United States.

Screen property and infrastructure risks

Under the Helms-Burton Act, companies can face lawsuits for using property confiscated after the Cuban revolution. Businesses involved in tourism, infrastructure or real estate should assess whether any assets they use in Cuba are subject to potential ownership claims.

Strengthen sanctions screening and transaction monitoring

Banks and financial institutions should review controls around:

  • Omnibus accounts
  • Beneficial ownership visibility
  • Transaction screening involving Cuban entities

These controls were central to several enforcement actions.

Monitor geopolitical developments closely

Sanctions policy can change quickly. Firms should monitor signals from Washington and allied governments regarding potential new measures against Cuba. Early awareness allows companies to adjust operations before enforcement actions begin.

Looking for more support? Try our sanctions training today.

Halkbank settlement shines spotlight on Iran sanctions risk
https://vinciworks.com/blog/halkbank-settlement-shines-spotlight-on-iran-sanctions-risk/ Sun, 15 Mar 2026 15:53:10 +0000

The US Department of Justice has reached a deferred prosecution agreement with Turkish state-owned lender Halkbank, potentially bringing to an end one of the most politically sensitive sanctions cases of recent years. The agreement follows allegations that Halkbank helped Iran evade US sanctions through fraud, money laundering and deceptive transaction structures. Under the deal, Halkbank will not pay a financial penalty or admit guilt, but it will be barred from transactions that benefit Iran and must undergo external compliance review.

A major enforcement action tied to Iran sanctions has now been resolved through a compliance-driven settlement rather than a trial or headline-grabbing fine, but that should not be read as a softening of sanctions risk. If anything, it reinforces how seriously regulators view the need for effective sanctions and anti-money laundering controls, especially where Iran exposure is involved.

A long-running Iran sanctions case

The case against Halkbank dates back to 2019. US prosecutors alleged that the bank played a central role in a scheme that allowed Iran to access roughly $20 billion in restricted funds, partly by disguising transactions and using fraudulent documentation linked to supposed food shipments. The case was connected to earlier prosecutions involving gold trader Reza Zarrab and former Halkbank executive Mehmet Hakan Atilla, and it became a major point of tension in US-Turkey relations.

Now, rather than pressing ahead with a criminal trial, the Justice Department has agreed to pause the case for 90 days while Halkbank demonstrates compliance with the deferred prosecution agreement. Halkbank has hired EY to carry out the required sanctions and anti-money laundering compliance review.

Why this matters for compliance

This outcome highlights three key risks for organisations.

First, sanctions risk does not disappear just because a case ends in a settlement. The alleged conduct in the Halkbank matter was not a technical reporting failure or an isolated screening gap. Prosecutors said the bank helped facilitate access to restricted Iranian funds through complex structures designed to conceal the real nature and purpose of transactions. That is exactly the sort of conduct sanctions controls are supposed to detect and prevent.

Second, the absence of a fine should not be mistaken for the absence of consequences. Halkbank has still been pulled into years of litigation, global scrutiny, reputational damage, and now a formal compliance remediation process overseen by an external reviewer. The cost of weak controls is not limited to penalties. It can include intrusive monitoring, restrictions on future business, management distraction and long-term regulatory exposure.

Third, this case is another reminder that geopolitical risk and compliance risk are inseparable. Iran-related sanctions exposure does not only arise through obvious direct dealings with sanctioned parties. It often appears through correspondent relationships, trade finance structures, layered intermediaries, front companies and documentation that looks routine until it is examined in context. The wider compliance picture around Iran has only become more complex in 2026 as conflict, sanctions enforcement and financial pressure continue to reshape the risk environment.

The real lesson: controls have to work in practice

The key issue for firms is not whether they are a Turkish state bank or directly exposed to Iran. Most organisations are not. The real question is whether their sanctions and AML frameworks are robust enough to identify hidden exposure before regulators do.

That means asking practical questions:

  • Are sanctions screening tools configured to detect indirect Iran links and not just exact-name matches?
  • Do transaction monitoring scenarios pick up unusual payment routes, inconsistent trade documentation, or counterparties in known transit jurisdictions?
  • Are teams trained to escalate red flags where commercial activity appears lawful on the surface but inconsistent underneath?
  • Can the organisation evidence that its sanctions controls are more than policy documents, and actually work in live decision-making?

These are not new questions, but the Halkbank deal shows why they remain so important. A compliance framework is only credible if it can deal with the messy reality of sanctions evasion, where risk is often layered, cross-border and deliberately disguised.

A warning for firms relying on geopolitical assumptions

One of the more striking features of the Halkbank resolution is its timing. The deal arrives amid improving US-Turkey relations and a shifting regional political picture. That creates a temptation to read enforcement outcomes as political signals, but compliance teams should be careful about doing that.

Political context may shape how cases are resolved, but it does not reduce the underlying need for strong controls. Iran remains one of the clearest examples of how sanctions, financial crime risk and geopolitics intersect. Firms that treat these risks as temporary or purely diplomatic are missing the operational compliance lesson.

Iran-related risk is no longer limited to direct business with Iranian counterparties. It is more likely to appear through third countries, layered intermediaries, unusual payment routes and transaction structures designed to hide the real source or destination of funds. In the current environment, conflict, sanctions pressure and regional instability have made that risk harder to identify and more likely to surface indirectly. The Halkbank case is a reminder that Iran exposure often sits behind what first appears to be routine commercial activity.

What firms should do now

The practical takeaway is simple. Use the Halkbank case as a prompt to revisit your own sanctions controls.

Review how your business identifies indirect exposure to Iran and other high-risk jurisdictions.

Test escalation routes for suspicious payments, counterparties and trade anomalies.

Check whether compliance monitoring is capable of spotting red flags across correspondent banking, trade finance, third-party intermediaries and complex corporate structures.

Most importantly, make sure your teams understand that sanctions evasion risk rarely presents itself clearly. It usually appears as something that almost looks normal.

That is what makes cases like Halkbank so valuable from a compliance perspective. They are not just enforcement stories. They are reminders that sanctions controls need to stand up to sophisticated, determined efforts to hide risk in plain sight.

VinciWorks’ online sanctions compliance courses give your staff the tools they need to understand and comply with sanctions requirements in these volatile times.

Try them now.

Guernsey firms face serious compliance risks with new fines and new laws
https://vinciworks.com/blog/guernsey-firms-face-serious-compliance-risks-with-new-fines-and-new-laws/ Sun, 15 Mar 2026 10:00:57 +0000

A record enforcement action by the Guernsey Financial Services Commission (GFSC) has sent a clear signal to financial services firms: regulators are now willing to impose significant penalties for systemic failures in financial crime controls.

The nearly £2 million fine against insurance company Utmost Worldwide Limited illustrates how long-standing weaknesses in risk assessment, client monitoring and governance can accumulate into serious regulatory breaches. At the same time, Guernsey has, over the last few years, introduced sweeping “failure to prevent” offences that increase the legal exposure of companies and their senior managers.

Taken together, these developments highlight a growing compliance risk landscape for organisations operating in the Bailiwick.

Record £1.96 million fine over systemic AML failures

In March 2026, the GFSC imposed a financial penalty of £1,960,000 on Utmost Worldwide Limited, the largest fine ever issued by the regulator. The investigation concluded that the company had serious and systemic failings spanning a significant period.

Two senior employees were also fined:

  • Chief Executive Officer Leon Steyn (£35,000)
  • Deputy Money Laundering Reporting Officer James Watchorn (£10,500)

Watchorn was additionally banned from holding MLRO or MLCO roles for one year and five months. The regulator’s central finding was that the company fundamentally underestimated the financial crime risks inherent in its life insurance business.

A high-risk client base treated as low risk

The company’s business model created significant exposure to money laundering risk. Historically, Utmost had distributed insurance products through brokers operating in developing markets across South and Central America, some of which had weaker financial crime controls. The company was originally incorporated in Guernsey in 1993 as Generali Worldwide Insurance Company Limited before being acquired by Utmost Group in 2019.

At its peak the company had approximately 22,500 high-risk clients. Despite this, fewer than 3.5% of those clients were subject to annual review.

Most high-risk clients were only reviewed when a “trigger event” occurred, such as a policy surrender or premium change. This meant that many clients went years without any meaningful review of their risk profile.

The regulator found examples where clients were not reassessed for over a decade. In one case a customer became a politically exposed person (PEP) in 2008, which the company did not detect until 2021.

Weak customer due diligence and monitoring

The GFSC identified widespread weaknesses in customer due diligence across the company’s operations. In a sample of 72 high-risk client files, 71 contained deficiencies relating to source of wealth or source of funds information.

Even when reviews did occur, they were often ineffective. Key information was missing or outdated, adverse media screening failed to detect relevant risks, and remediation of deficiencies was frequently postponed. As a result the company was unable to demonstrate an up-to-date understanding of the financial crime risks posed by its clients.

One of the most striking findings involved a third-party broker operating in Central and South America. In 2014 the company discovered that employees of the broker had fraudulently altered proof-of-address documents for approximately 1,900 client accounts. This created an obvious money laundering risk.

The firm initially suspended business with the broker and promised to remediate the affected client files. Yet a decade later around 200 of those accounts still had unresolved documentation issues.

The regulator concluded that the firm had failed to act with the level of prudence and professional skill required of a regulated financial services business.

Poor handling of money laundering red flags

The investigation also found repeated failures to respond appropriately to suspicious activity. In one case, eight unsolicited payments totalling approximately $250,000 were sent to the firm within a month. When asked for source of funds documentation, the client refused and then requested that the money be returned to a different bank account. These are classic money laundering indicators. Yet the concerns were dismissed internally as “poor administration by the client”.

In another case a client from a high-risk jurisdiction paid premiums of $20,000 per month despite the company being unable to verify the source of their wealth. The GFSC concluded that the company’s reporting and monitoring procedures were inadequate and that red flags were not consistently escalated.

The regulator determined that senior management failed to ensure the firm had effective AML policies and oversight.

Key governance failures included:

  • inadequate oversight of brokers and intermediaries
  • ineffective suspicious activity reporting procedures
  • failure to comply with regulatory deadlines under the updated 2019 AML Handbook
  • reliance on outdated screening systems that failed to identify PEPs and adverse media

Although the company began a remediation programme in 2023 and cooperated fully with the investigation, the GFSC concluded that the scale and duration of the failures justified the record fine.

Guernsey’s 2024 “failure to prevent” offences

Alongside a tougher enforcement environment, Guernsey has introduced a major expansion of corporate liability for financial crime through a set of new “failure to prevent” offences. These measures came fully into force on 26 April 2024, marking one of the most significant developments in the Bailiwick’s financial crime framework in recent years.

The new regime covers four areas:

  • corruption
  • tax evasion
  • money laundering
  • terrorist financing

Together they create a powerful legal tool that allows prosecutors to hold organisations criminally liable when financial crime is committed by employees, agents or other associated persons acting on their behalf.

The new bribery offence

The centrepiece of the reform is the corporate offence of failure to prevent bribery, introduced under the Prevention of Corruption (Bailiwick of Guernsey) (Amendment) Law, 2023, which entered into force on 26 April 2024.

The offence applies to any “relevant commercial organisation”, meaning a company or partnership incorporated in Guernsey, as well as overseas organisations carrying on business in the Bailiwick.

Under the legislation, a company commits an offence if a person associated with it bribes another person intending to obtain or retain business or a business advantage for the organisation. The only defence is that the organisation had adequate procedures in place to prevent bribery.

Guidance issued by the States of Guernsey Committee for Home Affairs in April 2024 makes clear that the courts will ultimately decide whether prevention procedures are adequate. Organisations therefore need to demonstrate that anti-bribery controls are genuinely implemented and effective, rather than existing only on paper.

Corporate liability for tax evasion

Guernsey has also introduced corporate offences for failure to prevent the facilitation of tax evasion through the Criminal Justice (Miscellaneous Amendments – Preventative Offences) (Bailiwick of Guernsey) Ordinance, 2023, also effective from 26 April 2024.

These provisions mirror the UK model created by the Criminal Finances Act 2017. The legislation creates two separate offences:

  • failure to prevent the facilitation of Guernsey tax evasion
  • failure to prevent the facilitation of foreign tax evasion

A company can be liable where an employee, agent or service provider facilitates tax evasion while acting for the organisation. As with the bribery offence, the defence is that the company had reasonable prevention procedures in place, or that it was reasonable in the circumstances not to have such procedures.

Failure to prevent money laundering and terrorist financing

The reforms also introduced corporate offences for failing to prevent money laundering and terrorist financing. These offences were inserted into existing legislation:

  • section 48MA of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999
  • section 74A of the Terrorism and Crime (Bailiwick of Guernsey) Law, 2002

Unlike the bribery and tax evasion provisions, these offences apply primarily to regulated financial services and other Schedule 3 businesses. If an associated person commits money laundering or terrorist financing while acting for the organisation, the company may be liable unless it can show that appropriate prevention procedures were in place.

To support the new offences, the Guernsey Financial Services Commission (GFSC) updated its Handbook on Countering Financial Crime and Terrorist Financing on 25 April 2024, setting out how regulated firms should design and implement prevention procedures.

Moving beyond the “directing mind and will”

A key purpose of the new framework is to overcome the limitations of the traditional corporate liability test known as the “identification doctrine.”

Under this doctrine, prosecutors historically had to prove that the individual who committed the offence represented the “directing mind and will” of the organisation. In practice this often made corporate prosecutions difficult, particularly in large or decentralised businesses.

The new failure-to-prevent model removes that barrier. Instead of focusing on which individual committed the offence, the legal question becomes whether the organisation had adequate prevention procedures in place.

This approach mirrors the structure of the UK Bribery Act 2010 and the UK Criminal Finances Act 2017, which introduced similar corporate offences for bribery and tax evasion.

Personal liability for senior managers

The legislation also carries a clear warning for company leadership. If a failure-to-prevent offence is committed by an organisation and it is shown to have occurred with the consent, connivance or neglect of a senior officer, that individual can also be prosecuted.

The law specifically references directors, managers, secretaries, partners and similar officers as potentially liable where their oversight failures contributed to the offence.

The Utmost case was not pursued under Guernsey’s new failure-to-prevent offences, which only came into force on 26 April 2024. The GFSC instead relied on its existing regulatory enforcement powers under the Financial Services Business (Enforcement Powers) (Bailiwick of Guernsey) Law, 2020, alongside breaches of the Bailiwick’s AML and financial crime framework. Had the same conduct been assessed under the newer regime, the legal exposure might have looked very different.

Failure-to-prevent offences are criminal in nature and allow prosecutors to pursue corporate liability where an associated person commits bribery, tax evasion facilitation, money laundering or terrorist financing while acting for the organisation, unless the company can demonstrate adequate prevention procedures.

Given the GFSC’s findings of systemic weaknesses in client monitoring, source-of-funds checks and the handling of money laundering red flags, the case could theoretically have opened the door to criminal proceedings against the company itself, rather than a regulatory penalty alone. The framework also allows for personal liability for senior officers where an offence occurs with their consent, connivance or neglect. In a scenario where investigators concluded that the compliance failures enabled money laundering to occur, senior figures responsible for oversight, such as the CEO or the nominated officer responsible for suspicious activity reporting, might have faced potential criminal prosecution alongside regulatory sanctions. While that did not happen in this case, the introduction of failure-to-prevent offences means future enforcement actions in Guernsey could carry significantly more serious consequences.

Key takeaways for Guernsey firms

The Utmost enforcement action and the introduction of failure-to-prevent offences together underline a tightening compliance environment for firms operating in Guernsey’s financial services sector.

Regulators are willing to impose major penalties.
The £1.96 million fine issued by the GFSC is the largest in its history and reflects a willingness to pursue systemic AML failures over long periods.

High-risk clients require genuine monitoring.
Classifying clients as high risk is not sufficient on its own. Regulators expect meaningful periodic reviews, updated source-of-wealth checks and active monitoring throughout the client lifecycle.

Third-party brokers and intermediaries remain a major risk.
The Utmost case showed how poorly supervised intermediaries can introduce large volumes of defective or fraudulent documentation.

Red flags must be investigated and escalated.
Unusual payments, inconsistent client information or missing source-of-funds documentation are classic money laundering indicators. Failing to follow up on them can lead directly to regulatory action.

Corporate criminal liability for financial crime has expanded.
Guernsey’s new failure-to-prevent offences mean companies can face criminal liability if employees, agents or service providers commit bribery, tax evasion facilitation, money laundering or terrorist financing.

Senior managers face personal exposure.
Directors and senior officers may be personally liable if compliance failures occur with their consent, connivance or neglect.

Compliance programmes must be demonstrably effective.
Under the new regime, the key defence is proving that adequate prevention procedures were in place. Firms will need clear risk assessments, strong due diligence processes, regular monitoring and effective training to demonstrate this.

Looking for more support? Speak to VinciWorks today about our AML training options for Guernsey and offshore jurisdictions.

The post Guernsey firms face serious compliance risks with new fines and new laws appeared first on VinciWorks.

Woodall v Google: What the decision means for protected whistleblowing disclosures and sexual harassment https://vinciworks.com/blog/woodall-v-google-what-the-decision-means-for-protected-whistleblowing-disclosures-and-sexual-harassment/ Thu, 12 Mar 2026 06:42:42 +0000

A new Employment Tribunal decision involving Google UK offers a detailed look at the difficult intersection between whistleblowing, workplace culture complaints and corporate restructuring.

In Woodall v Google UK Ltd, the London Central Employment Tribunal rejected claims that a senior employee suffered retaliation after reporting sexual harassment and raising concerns about a wider “boys’ club” culture. The case turned on both the evidential hurdles faced by whistleblowers and the importance of clear documentation when organisations investigate complaints.

The ruling also arrives just weeks before the 6 April 2026 reforms to whistleblowing law under the Employment Rights Act, which will expand protection for disclosures related to sexual harassment. Would the outcome of this case have been different had it arisen under the new regime?

Allegations of sexual harassment and a workplace culture dispute

Victoria Woodall worked for Google UK as a Senior Industry Head in the UK Sales and Agencies team, a senior role she had held since 2014. The dispute began in August 2022 when a female client reported inappropriate behaviour by a Google manager, referred to in the judgment as Mr O.

According to the complaint relayed to Woodall:

  • Mr O made explicit sexual comments during a business lunch
  • He allegedly boasted about sexual encounters with Black women
  • The behaviour took place in front of his own line manager
  • No one intervened during the incident

Woodall reported the incident to her manager, Matt Bush, the managing director of the UK Sales and Agencies team. This report was accepted by Google and the tribunal as a protected disclosure, meaning it qualified as whistleblowing under the existing whistleblowing law.

An internal employee relations investigation followed. The investigation uncovered additional allegations, including inappropriate comments and behaviour toward other women. Ultimately, the manager at the centre of the allegations was dismissed for gross misconduct. In isolation, this part of the story reflects the whistleblowing process functioning as intended. The difficulty arose afterwards.

The claimant’s case: retaliation and a discriminatory culture

Woodall alleged that after reporting the incident she was subjected to retaliation by her line manager.

The alleged retaliatory actions included:

  • Having a successful client account reassigned
  • Being demoted in relation to an internal project
  • Being subjected to performance criticism
  • Having her performance rating downgraded
  • Facing increasing scrutiny from management

She also argued that her disclosure had broader implications beyond a single individual. In her claim she said the behaviour was symptomatic of a wider sexist culture in the team, describing what she believed was a “boys’ club” environment.

Woodall therefore brought three claims:

  1. Whistleblowing detriment under the Employment Rights Act
  2. Victimisation under the Equality Act
  3. Disability discrimination linked to her ADHD and related conditions

The central argument was that once she raised concerns about sexual harassment and team culture, senior leadership began treating her unfavourably. She also alleged that the investigation into the wider team culture failed to properly acknowledge systemic issues.

Google’s position: legitimate management decisions and restructuring

Google strongly denied the allegations of retaliation. The company argued that the events Woodall relied on had legitimate explanations unrelated to her disclosure. These included:

  • Normal client account allocation decisions
  • Performance discussions unrelated to whistleblowing
  • Organisational restructuring affecting multiple employees

The tribunal heard that approximately 26 employees in the same division were made redundant as part of restructuring, including Woodall’s own manager and other senior figures in the team. Google also pointed to several internal processes that had addressed Woodall’s concerns:

  • The employee relations investigation, which led to Mr O’s dismissal
  • A culture review examining claims of a discriminatory team culture
  • A grievance investigation into her allegations of retaliation

The culture review acknowledged that the team had previously had a more “laddish” social culture several years earlier. However, investigators concluded that the team was generally experienced as “inclusive, friendly and supportive”, although improvements could still be made. Woodall’s grievance alleging retaliation was ultimately rejected internally.

What was the tribunal’s judgment?

The tribunal dismissed all of Woodall’s claims. It accepted that her report could amount to a protected disclosure, but found that she had not proven that the company’s later actions were caused by that disclosure.

In whistleblowing cases, the key legal question is causation. The claimant must show that the alleged detriment occurred because of the protected disclosure. The tribunal concluded that Woodall had not met that burden.

In particular, the judges found insufficient evidence that management decisions were influenced by her disclosures. Crucially, Google could provide credible documentary evidence supporting its explanations, including evidence that certain decisions had been planned before the disclosure was made.

The tribunal also found the scope of Woodall’s initial disclosure was narrower than she argued. There was limited evidence that she had raised concerns about a broader discriminatory culture during her initial report.

As the judgment noted, there was an alternative narrative: a single employee had been accused of sexual harassment, investigated and dismissed. The tribunal found no persuasive evidence that Woodall herself had been targeted because she raised the issue. Her claims for whistleblowing detriment, victimisation and disability discrimination were therefore dismissed.

Whistleblowing tribunal claims face a high evidential bar. The claimant must demonstrate that the protected disclosure materially influenced the employer’s decision. Even when wrongdoing is proven, the whistleblower must still prove retaliation.

This distinction often surprises employees. A whistleblower can be correct about misconduct, and yet still lose a whistleblowing claim if the tribunal accepts the employer’s explanation for subsequent actions.

The ERA 2025 reform: protected disclosures for sexual harassment

The legal landscape will change from 6 April 2026. Under the Employment Rights Act 2025, disclosures relating to sexual harassment will explicitly qualify for whistleblowing protection, even where the concern arises in a personal workplace dispute.

Historically, whistleblowing law required the disclosure to be made in the public interest. That requirement has often created difficulties in harassment cases, since complaints may appear primarily personal.

The forthcoming reform effectively removes that ambiguity by clarifying that reporting sexual harassment can be treated as a protected disclosure. The ERA adds sexual harassment to the list of wrongdoing that can qualify as a protected disclosure. Workers will no longer need to rely on broader categories such as breach of legal obligation to obtain whistleblowing protection. This change is intended to close the gap between harassment law and whistleblowing protections. In practice, many harassment complaints are reported internally before escalating to legal claims.

Would the outcome have been different after April 2026?

Probably not. The key issue in Woodall v Google was not whether the initial report qualified as a protected disclosure. Google already accepted that point and the tribunal agreed. The decisive issue was causation.

The tribunal concluded that the alleged detriments were not caused by the disclosure. Instead, they were explained by performance management and a restructuring affecting many employees. The new law would not change that analysis.

Even under the expanded whistleblowing regime, claimants will still need to prove:

  • A protected disclosure was made
  • They suffered a detriment
  • The detriment occurred because of that disclosure

The tribunal’s reasoning in Woodall focused heavily on evidence that decisions were planned independently of her complaint. That analysis would remain unchanged under the 2026 reforms.

Where the reforms may matter is in other cases, where employers attempt to argue that harassment complaints are purely personal grievances rather than whistleblowing disclosures; that line of defence will become harder to sustain.

Compliance lessons for employers from Woodall v Google

For compliance teams and HR leaders, the decision reinforces several practical points.

First, documentation of decision making is critical. The tribunal repeatedly relied on internal notes, investigation records and timeline evidence to determine whether management actions were linked to the disclosure.

Second, investigations into harassment should be clearly separated from management decisions affecting the whistleblower. Independent reviews and documented reasoning help demonstrate that later actions were unrelated.

Third, culture reviews must be credible and transparent. Even though the tribunal accepted Google’s conclusions in this case, allegations of “boys’ club” cultures remain a common feature of harassment disputes.

Finally, organisations should prepare now for the April 2026 whistleblowing reforms. Sexual harassment reports will increasingly fall within whistleblowing frameworks, requiring stronger investigation processes and clearer protection against retaliation to avoid a situation spiralling into an employment tribunal claim.

Looking for more support? Try our whistleblowing training.

Democrats make bribery an election issue with proposed doubling of FCPA statute of limitations https://vinciworks.com/blog/democrats-make-bribery-an-election-issue-with-proposed-doubling-of-fcpa-statute-of-limitations/ Wed, 11 Mar 2026 11:32:10 +0000

A group of Senate Democrats has introduced legislation that would significantly extend the time prosecutors have to bring Foreign Corrupt Practices Act (FCPA) cases. The proposals come before midterm elections in November 2026, and follow months of debate over the Trump administration’s brief pause in FCPA enforcement earlier in 2025, and current DOJ enforcement priorities.

The proposed FCPA Reinforcement Act is relatively simple. It would extend the criminal statute of limitations for the FCPA’s anti-bribery provisions from five years to ten years. The change would apply prospectively, meaning it would not revive cases already older than five years when the law takes effect. The proposal also includes a sunset provision eight years after enactment.

In practical terms, the bill is designed to give prosecutors more time to investigate complex foreign bribery schemes. Cross-border corruption cases often involve multiple jurisdictions, foreign witnesses, shell companies, and financial records that take years to obtain through mutual legal assistance requests.

Yet the political context matters as much as the legal change. The legislation appears aimed at countering the perception that FCPA enforcement has weakened. By proposing to double the limitations period, Senate Democrats are signalling that corporate bribery enforcement should remain a central feature of US corporate accountability, and potentially an election issue.

How the FCPA pause turned bribery into a political football

In the early days of the second Trump administration, the Department of Justice announced a pause in certain FCPA enforcement. The pause lasted roughly four months. Critics argued that the move risked signalling to companies that anti-bribery enforcement was no longer a priority.

That concern galvanised political opposition, despite a return to FCPA enforcement actions since the 2025 pause. Nevertheless, Democrats are warning companies not to interpret the pause as a long-term shift in enforcement policy. Extending the statute of limitations would ensure that conduct occurring during any temporary slowdown could still be prosecuted years later.

The bill also fits within a broader pattern seen in US regulatory politics. When enforcement priorities change between administrations, lawmakers often introduce legislation that attempts to lock in certain enforcement tools or signal how policy might change after future elections. Despite the current five-year limitations period, most FCPA enforcement actions involve conduct that falls outside that period, given the various legal avenues for extending it. In addition, many companies under FCPA scrutiny agree to waive or toll the statute of limitations to demonstrate cooperation.

In that sense, the Senate bill can be read partly as a policy marker. If control of Congress or the White House shifts in the future, the legislation suggests Democrats may seek stronger structural support for FCPA enforcement.

Despite the rhetoric, FCPA enforcement has not disappeared

In fact, the past year has seen an unusually active period for FCPA trials involving individuals. Within a relatively short span there have been multiple trials, including one in September 2025 and another in December 2025, with additional proceedings continuing into 2026.

In September 2025 a federal jury convicted Georgia businessman Carl Alan Zaglin for orchestrating hundreds of thousands of dollars in bribes to Honduran officials to secure government contracts worth roughly $10 million. He was later sentenced to eight years in prison and ordered to forfeit more than $2 million.

Just a few months later, in December 2025, a Texas jury convicted Ramón Alexandro Rovirosa Martínez for participating in a bribery scheme involving payments to employees of Mexico’s state-owned oil company to obtain contracts worth approximately $2.5 million.

More trials are expected in the coming months. When the DOJ issued its 2025 enforcement guidance, several individual FCPA trials were already scheduled and most of them continued despite the earlier enforcement review.

This level of courtroom activity is notable because historically many FCPA cases resolve through negotiated settlements rather than full trials. The recent run of prosecutions suggests that the enforcement pipeline built over several years of investigations remains active, despite the temporary pause in 2025.

At the same time, enforcement decisions are not limited to prosecutions and settlements. Declinations and deferred prosecution agreements also form part of the DOJ’s enforcement framework. The DOJ continues to reward companies that voluntarily disclose misconduct, cooperate with investigators, and remediate compliance failures.

In the first FCPA deferred prosecution agreement of the current administration, the DOJ concluded a corporate settlement in late 2025 with TIGO Guatemala, resolving allegations that the telecommunications company paid bribes to Guatemalan legislators in exchange for favourable legislation affecting its radiofrequency licences.

The case resulted in a significant financial penalty, including a $60 million criminal fine and more than $58 million in forfeiture, underscoring that the DOJ continues to rely on traditional enforcement tools such as DPAs when resolving corporate bribery cases.

Similarly, a declination in the Liberty Mutual FCPA case shows that timely self-disclosure, genuine cooperation and concrete remediation remain the keys to avoiding prosecution, and they are as relevant today as they were before.

Declinations and DPAs serve a dual purpose. They encourage companies to come forward when potential bribery is discovered, and they reinforce the DOJ’s expectations around effective compliance programs.

For compliance teams, the message is clear. Strong internal reporting systems and prompt investigations remain critical. Companies that can demonstrate a genuine culture of compliance stand a far better chance of receiving favourable treatment if issues arise.

The DOJ’s evolving enforcement priorities

Recent DOJ announcements also show that enforcement priorities are evolving rather than disappearing. The department has signalled an increased focus on corporate fraud and financial crime more broadly. Enforcement authorities are increasingly targeting schemes that involve complex financial manipulation, sanctions evasion, and national security risks.

At the same time, the DOJ has outlined updated corporate enforcement priorities designed to clarify expectations for compliance programs. These priorities emphasise risk-based compliance structures, strong internal controls, and meaningful board-level oversight.

The shift reflects a broader enforcement trend. Rather than focusing solely on bribery cases in isolation, prosecutors are increasingly examining how corruption intersects with other forms of corporate misconduct. For multinational organisations, this means anti-bribery compliance cannot operate in a silo. It must be integrated into wider financial crime prevention frameworks.

What this means for compliance teams

For companies operating internationally, the debate in Washington should not change the practical approach to anti-bribery compliance. FCPA enforcement remains alive and well. Prosecutors continue to pursue cases, negotiate corporate settlements, and reward voluntary disclosures where appropriate.

At the same time, the political debate around enforcement signals that anti-corruption policy could move towards an even stricter application, with longer limitations periods, if Democrats regain control of Congress. For compliance professionals, the safest assumption remains the simplest one. Foreign bribery enforcement continues to be an enforcement priority and the underlying expectations have not changed. Companies are expected to maintain strong internal controls, conduct thorough due diligence on third parties, and respond decisively when misconduct is identified. Regardless of the politics, the fundamental compliance obligations under the FCPA remain firmly in place.

Looking for more? Try our FCPA compliance training now.

Why Europe’s regulators are turning up the heat on “right to be forgotten” compliance https://vinciworks.com/blog/why-europes-regulators-are-turning-up-the-heat-on-right-to-be-forgotten-compliance/ Wed, 11 Mar 2026 10:11:38 +0000

The right to erasure, or the “right to be forgotten”, has always been one of the most visible rights under GDPR. But a major new report from the European Data Protection Board (EDPB) suggests that while organisations understand the concept, many are still struggling to implement it effectively in practice.

After a year-long coordinated enforcement action, regulators note that compliance with this right is inconsistent and often inadequate. The EDPB’s overall assessment is that compliance across organisations is marked by procedural gaps, unclear retention practices, and technical limitations.

For organisations processing EU personal data, the report indicates that the right to erasure is now in regulators’ enforcement sights.

A Europe-wide compliance check

The findings stem from the EDPB’s 2025 Coordinated Enforcement Framework (CEF) action, a pan-European initiative designed to align enforcement priorities among data protection authorities.

Across the EU and EEA:

  • 32 supervisory authorities participated in the initiative
  • 764 organisations were examined, ranging from SMEs to large multinationals and public bodies
  • 9 authorities launched formal investigations, while 23 conducted fact-finding exercises

The exercise aimed to understand how organisations actually handle deletion requests under GDPR, including how they assess legal exceptions and operationalise deletion across systems. This focus reflects the fact that erasure is one of the most frequently exercised GDPR rights, and complaint numbers are rising across Europe. Regulators want to see how organisations respond.

The compliance gaps

While the EDPB report recognises examples of good practice, especially in larger private-sector organisations, it identifies seven recurring weaknesses that cut across industries and organisation sizes.

The most striking finding is that many organisations deal with erasure requests reactively rather than systematically. Instead of building structured deletion processes into their governance frameworks and IT systems, organisations often rely on manual workarounds when requests arise.

One of the most common problems is the absence of clear internal procedures. Seventeen supervisory authorities reported organisations lacking documented workflows for handling erasure requests, or relying on informal processes that are only reviewed after problems arise. Larger organisations were more likely to maintain structured procedures, while smaller entities often lacked basic documentation altogether.

Training also remains a significant weakness. Roughly one in five organisations provides no regular refresher training on data protection. This creates practical risks. Staff may fail to recognise that a request constitutes a legal erasure request, or they may misunderstand how to apply legal exceptions. In environments where requests can arrive through customer service channels, email correspondence, or social media, inadequate staff awareness can easily result in missed deadlines or inconsistent responses.

Another issue regulators observed repeatedly is a lack of communication with individuals. Many organisations fail to clearly explain how individuals can submit deletion requests or under what conditions the right applies. Some privacy notices also omit information about what happens when a request is refused or fail to explain individuals’ rights to lodge complaints with supervisory authorities. These gaps often trigger complaints even when organisations ultimately comply with the request.

Confusion around legal exceptions

The report also highlights widespread confusion regarding the exceptions to the right to erasure. GDPR does not provide an absolute right to deletion. Organisations may retain personal data in certain circumstances, such as if retention is necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

But regulators found that organisations often misapply these exceptions. In some cases, companies treated legal obligations as automatically overriding erasure requests without examining whether the specific data needed to be retained. In others, organisations relied on “legitimate interests” without carrying out the required balancing test or documenting the reasoning behind their decision.

The EDPB emphasises that such decisions must be made case by case and supported by documented assessments. Without clear documentation, organisations may struggle to justify their decisions during regulatory investigations.

Retention management is still a challenge

Another recurring issue relates to data retention governance. Many organisations struggle to define clear retention periods across different processing activities. In some cases, organisations simply apply the longest legally required retention period to all datasets, even when different categories of data should be deleted earlier.

This often stems from legacy IT systems or fragmented data management practices. But from a regulatory perspective, the approach directly conflicts with the GDPR principles of data minimisation and storage limitation. Also, organisations frequently fail to communicate retention periods clearly in their privacy notices, leaving individuals uncertain about how long their data will be stored.

The technical challenge of deleting data in backups

Perhaps the most technically complex issue identified by regulators concerns data stored in backups. Half of the participating supervisory authorities reported that organisations lack clear procedures for deleting personal data from backup systems. In some cases, deleted data can be unintentionally restored when systems are recovered, effectively reversing earlier erasure decisions.

This issue is particularly significant because many organisations treat backup environments as outside the scope of their deletion obligations. Regulators are increasingly rejecting that assumption.

Supervisory authorities have now asked the EDPB to issue additional guidance on backup deletion, an indication that this area is likely to become an enforcement priority.

Anonymisation is an emerging compliance risk

Some organisations attempt to address erasure requests by anonymising personal data instead of deleting it. While this approach can be valid under certain circumstances, the EDPB report highlights that many organisations rely on techniques that do not truly anonymise the data.

In practice, the methods used often amount to pseudonymisation, meaning that individuals could still potentially be re-identified. This issue has gained further attention following the decision in EDPS v SRB before the Court of Justice of the EU. The ruling has prompted regulators to examine more closely what constitutes genuine anonymisation.

The EDPB is now developing new guidance on anonymisation, which is expected to clarify the legal standard organisations must meet when using anonymisation as an alternative to deletion.

Do organisations know where their data is?

Beyond the seven operational issues, regulators highlighted two structural weaknesses that frequently undermine erasure compliance. First, many organisations lack systematic data classification. Without accurate data inventories and mapping, organisations may not know where personal data resides across their systems. This makes it difficult to ensure that deletion requests are carried out completely.

Second, many organisations lack automated deletion mechanisms within their IT infrastructure. Instead of using automated retention schedules and deletion labels, organisations often rely on manual processes. As data volumes grow, this approach becomes increasingly unsustainable.

These structural problems create a situation where organisations can respond to individual requests but struggle to maintain consistent deletion practices across the organisation.

Enforcement pressure is increasing

The EDPB report signals where enforcement is heading. Several supervisory authorities have already indicated that the findings will inform sector-specific inspections and supervisory activities in 2026. Formal investigations launched during the coordinated action remain ongoing in multiple countries, including Ireland, France, Portugal, Slovenia, and Germany. This creates a clear risk environment for organisations of increasing complaints from individuals combined with more proactive regulatory scrutiny.

What should organisations do now?

Organisations should treat erasure compliance as a strategic governance issue rather than a narrow legal requirement. Several practical steps can help strengthen compliance:

  • Conduct a GDPR Article 17 gap analysis. Review existing procedures, technical deletion capabilities, and documentation practices.
  • Establish documented workflows. Define clear internal processes for intake, verification, decision-making, and response.
  • Strengthen staff training. Ensure frontline teams can recognise erasure requests and escalate them appropriately.
  • Review retention schedules. Align retention periods with legal requirements and ensure they are clearly communicated in privacy notices.
  • Assess technical deletion capabilities. Work with IT teams to ensure data can be deleted across systems including backup environments.
  • Validate anonymisation methods. Ensure any anonymisation techniques genuinely eliminate re-identification risks.

A proactive review now can significantly reduce the risk of complaints, investigations, and enforcement actions later.

More scrutiny of data subject rights

The right to erasure enforcement action is part of a broader regulatory strategy. The EDPB has already confirmed that the 2026 Coordinated Enforcement Framework action will focus on transparency and information obligations under the GDPR.

Taken together with previous coordinated actions on cloud services, data protection officers, and the right of access, it’s clear that European regulators are examining how organisations implement data subject rights in practice. It’s also evident that compliance cannot rely on policies alone. It requires operational processes, trained staff, and technical systems that enable rights to be exercised effectively.

VinciWorks’ new conversational learning course on data protection rights and responsibilities puts you at the heart of data protection, turning policy into practical action. Guided by AI-powered experts, it explores how personal data should be handled, shared and stored through realistic workplace scenarios.

The post Why Europe’s regulators are turning up the heat on “right to be forgotten” compliance appeared first on VinciWorks.

California’s new climate disclosure regime: What compliance teams need to know
https://vinciworks.com/blog/californias-new-climate-disclosure-regime-what-compliance-teams-need-to-know/
Tue, 10 Mar 2026 11:03:00 +0000
California has moved climate reporting from voluntary ESG commitments into something closer to regulatory disclosure. Two laws adopted in 2023 that are coming into full effect from 10 August 2026 now require large companies doing business in the state to report their emissions and assess climate-related financial risks. Together they create one of the most far-reaching corporate climate transparency regimes in the United States.

For compliance teams, the significance is not limited to California. The rules apply to companies headquartered anywhere in the world if they meet revenue thresholds and conduct business in the state. In practice this potentially brings thousands of US and international firms into scope.

The California ESG laws behind the climate disclosure regime

California’s new ESG framework rests on two statutes. The Climate Corporate Data Accountability Act (SB 253) requires large companies to publicly disclose their greenhouse gas emissions. Any company with more than $1 billion in annual revenue that does business in California must report emissions annually under the rules overseen by the California Air Resources Board (CARB).

Reporting begins from 10 August 2026, initially covering Scope 1 and Scope 2 emissions. These include emissions from direct operations such as fuel use and industrial processes, as well as emissions associated with purchased energy. Scope 3 supply-chain emissions are expected to be added from 2027, which will extend the reporting obligation across corporate value chains.

The companion statute, the Climate-Related Financial Risk Act (SB 261), addresses a different question. It requires companies with more than $500 million in revenue doing business in California to publish biennial reports on climate-related financial risks, including the measures they are taking to mitigate those risks.

These disclosures are typically expected to follow frameworks similar to the Task Force on Climate-related Financial Disclosures (TCFD) or comparable international standards.

Who is affected?

One of the striking features of the legislation is its extraterritorial reach. The laws do not apply only to companies headquartered in California. Instead they apply to entities that “do business in California.” This concept is interpreted broadly and can include companies generating substantial revenue from the state even if they have no headquarters or primary operations there.

Estimates suggest that roughly 2,600 companies may fall within the emissions disclosure regime under SB 253, while more than 4,000 could be subject to the climate-risk reporting requirements under SB 261.

The rules apply to both public and private organisations and cover corporations, partnerships and limited liability companies that meet the revenue thresholds. For multinational firms, this means that a state-level regulation can create global reporting obligations. Scope 3 disclosures alone may require data collection across suppliers, logistics networks and downstream product use.

Key compliance milestones

The first deadlines are already approaching. CARB has set 10 August 2026 as the deadline for the first emissions disclosures under SB 253. Those reports will initially cover Scope 1 and Scope 2 emissions for the relevant reporting year.

Over time the regime is expected to expand in two ways:

  • Scope 3 reporting from 2027, extending emissions disclosure to supply chains and product lifecycle impacts.
  • Third-party assurance requirements for emissions data in future reporting cycles.

The climate-risk reporting regime under SB 261 is less certain. A federal appeals court has temporarily paused enforcement of mandatory reporting while litigation proceeds. Companies can still publish reports voluntarily, and many organisations are preparing for eventual enforcement on the assumption that the rule will ultimately take effect.

What compliance teams should be doing now

Even with litigation ongoing, the practical work of compliance has already begun for many organisations. The most immediate challenge is data governance. Companies that have never produced emissions inventories will need to build systems capable of measuring and documenting operational emissions. For groups with complex supply chains, preparing for Scope 3 reporting may require supplier engagement programmes and new data-collection frameworks.

The second challenge concerns internal ownership. Climate disclosure touches finance, sustainability, procurement and risk management functions simultaneously. In practice many organisations are creating governance structures that resemble financial reporting controls.

A third priority is alignment with recognised reporting frameworks. While California does not prescribe a single methodology for climate-risk disclosures, regulators expect companies to follow established standards such as TCFD or similar frameworks used in global sustainability reporting.

How this fits into the wider ESG reporting landscape

California’s rules have emerged during a period of fragmentation in climate disclosure regulation. At the federal level in the United States, the Securities and Exchange Commission’s proposed climate disclosure rules have faced political opposition and legal uncertainty, and have been scaled back or delayed. At the same time, courts are increasingly shaping the trajectory of climate reporting through litigation.

Meanwhile, outside the US the regulatory direction is moving toward more comprehensive disclosure regimes despite the cutting back of some elements through the EU’s ESG Omnibus. The Corporate Sustainability Reporting Directive (CSRD) and the IFRS Sustainability Disclosure Standards are expanding climate-related reporting obligations for large companies and financial institutions.

California’s framework sits somewhere between these models. It resembles the European approach in its emphasis on emissions transparency and risk disclosure. Yet it operates as a state-level rule applied within a federal system that remains divided over ESG regulation.

The practical result is that global companies may face overlapping disclosure expectations. A firm operating in Europe, the United States and Asia may need to reconcile California’s requirements with EU sustainability reporting rules, voluntary frameworks such as TCFD and emerging international standards.
