How Compliance Priorities Are Shifting Toward Trade, AI Governance, and Budgets

BDO’s Forensics team recently hosted a Twin Cities Chief Ethics and Compliance Officer (CECO) Network roundtable. Compliance leaders who attended said they are navigating a changing enforcement environment and overseeing AI governance, training and monitoring programs while facing increasing budget constraints.

9 Key Takeaways

1. “Trade is the new FCPA,” and self-disclosure is getting more traction.

Outside counsel shared that the firm is seeing a meaningful shift in the U.S. Department of Justice’s (DOJ’s) priorities and resource allocation under the current administration. A key implication for Chief Compliance Officers, General Counsel, and in-house legal teams: regulators appear more receptive to companies that self-disclose, demonstrate credible compliance programs, and cooperate. Counsel cited matters where DOJ has opted not to prosecute or has taken a more favorable posture during resolution when organizations came forward with strong facts and strong controls.

Faegre Drinker has also observed a similar posture toward voluntary self-disclosure at the state level, including new or refreshed approaches to corporate self-disclosure and cooperation programs in certain jurisdictions.

2. Trade, Foreign Terrorist Organizations (FTOs), and national security are DOJ enforcement focus areas—each presenting distinctive, fast-evolving risk profiles.

Counsel described a “seismic shift” in enforcement emphasis from the export process (historically led by U.S. Customs and Border Protection and other regulators) toward the import process, with a sharp rise in civil matters under the False Claims Act (FCA). The FCA’s long lookback period (10 years) and powerful remedies make trade compliance a rapidly escalating concern for compliance and legal teams.

• FCA risk can apply even without intent to defraud. Civil liability may be attached based on non-compliance alone.
• You don’t have to be the importer of record to get pulled in. Counsel noted companies may still be investigated or held liable for non-compliance connected to their goods and representations.
• Whistleblowers are a primary source of cases. Current/former employees and competitors frequently drive allegations.
• “We didn’t know” is increasingly not an acceptable defense. Counsel emphasized that not asking the right questions or failing to perform checks is becoming a primary enforcement trigger.
• Top trade-related risk areas raised:
  • False country of origin
  • Misclassification of goods
  • Undervalued goods
• Practical implication: Compliance and legal leaders may want to treat trade controls (vendor onboarding, documentation, classifications, valuation support, escalation protocols, auditing) as a first-tier risk area—alongside more traditional anti-corruption and third-party risk frameworks.

3. Third-party risk expands beyond sanctions screening. 

It can be a felony to provide economic value to entities designated Foreign Terrorist Organizations (FTOs) under a January 2025 presidential action, and counsel emphasized that actual knowledge may not be required for regulators to pursue enforcement action.

• Know your third parties—and beneficial owners: Enhanced due diligence and ongoing monitoring may need to go deeper than standard vendor screening.
• Industry sensitivity: Food/agriculture was highlighted as a particularly acute risk area although many sectors with complex supply chains can be affected.

4. National security and cyber: cyber failures are increasingly treated as compliance and enforcement issues. 

Counsel shared that data breaches can create exposure at both state and federal levels and that cyber failures are increasingly being approached through an enforcement lens. For government contractors, the FCA is a potential mechanism for pursuing matters related to cyber and data security representations.

• Self-disclosure and cooperation often improve outcomes
• Individual accountability is increasing, not just corporate liability

5. FCPA enforcement continues and foreign regulators may fill perceived gaps. 

While trade and national security issues are rising, counsel stated that FCPA enforcement remains active, with notable attention on China, Mexico, and other geopolitically sensitive regions. Foreign regulators may pursue actions when they perceive a gap in U.S. enforcement activity—adding another layer of complexity for multinational organizations.

6. Compliance and AI governance: gaining a seat at the table and needing a playbook.

CECOs discussed how organizations are evaluating the compliance department’s role in corporate AI governance, strategy, and implementation. Several companies are establishing AI governance committees, with compliance increasingly included as a core stakeholder. For compliance and legal leaders, this trend raises practical questions:

• What policies and controls define “acceptable” AI use?
• How are AI risks integrated into enterprise risk assessments and internal controls?
• Who owns model risk management, monitoring, and escalation?

7. Compliance teams are using AI today without full confidence in it. 

Roundtable participants shared that many are beginning to use AI tools for compliance-related tasks, and legal departments and law firms are using AI platforms for document drafting and review.

• Companies are actively evaluating AI tools but are “generally not excited” with current market options.
• For investigations, there is particular interest in AI tools that can accelerate and improve report writing and documentation.

8. Training programs have shorter courses and increased use of third-party platforms.

Many organizations are capping training modules at about 30 minutes, including priority topics. This reflects a broader push toward high-compliance impact with lower time burden—and underscores the value of targeted risk-based curricula and measurement of effectiveness (not just completion).

9. Budget pressures: “Do more with less” is shaping compliance operating models.

CECOs noted that compliance budget pressures are rising and tend to track broader business conditions. This reinforces the importance of prioritization (risk-based planning), scalable controls, and technology that reduces workload—not add another layer of process.