Similar to 2023, we are predicting that artificial intelligence will disrupt our conversations, our thinking, and our businesses in 2024.
There are surely few challenges that have had a bigger impact on our personal and working lives than artificial intelligence (AI).
AI has become ubiquitous. Whether you've enthusiastically dived in or just dipped a toe to test the water, its influence can be felt in almost all the other challenges we face in 2024.
From cybersecurity to the battle for talent and increased regulations. The AI genie is well and truly out of the bottle, and there's no going back. AI promises huge opportunities and a transformation in our working lives. But we need to learn how to exploit it safely.
Of course, we can expect increased regulations in 2024 covering AI, cryptocurrency, climate change, and corporate disclosures. By adapting and reshaping our companies, we can be more agile and ready to exploit potential opportunities, build resilience and embrace the challenges ahead.
Biggest challenges faced by compliance in 2024
- Artificial Intelligence (AI) & Generative AI
- Climate change & ESG
- Geopolitical pressure
- Financial crime
- Fraud
- Increased regulations
- Battle for talent
- Conduct risk
- Employee/employer relationships
- Cybercrime
1. Artificial Intelligence (AI) & Generative AI
Following a period of testing and experimentation of artificial intelligence through 2023, in 2024, we can expect companies to use these insights to accelerate their adoption of AI and generative AI, reshaping their companies and the world of work forever.
While the existential threat of widescale job losses still feels a long way off, we can anticipate some disruption throughout the year. Some industries are more exposed than others, namely the arts, education and marketing. However, most businesses are likely to figure out ways of exploiting AI to increase productivity, investing heavily in the technology. Obviously, there will need to be a clear business need rather than adopting it simply because everyone else is or due to a fear of missing out.
There are huge opportunities and efficiencies to be gained, which companies need to balance alongside some well-publicised risks. Not least the potential for bias and discrimination, the spreading of misinformation, security and intellectual property (IP) risks, social engineering risks, accountability and governance risks, and more.
However, far from making us extinct, predictions indicate that AI can actually highlight the unique and creative talent that humans bring to the table, making people valuable.
“There’s a whole slew of competencies that not only won’t be taken over by AI but that people are going to value more and more. In a world of ubiquitous and capable AI, interpersonal skills will likely be increasingly sought after by employers.”
- Benoît Monin, organisational behavior professor, Stanford Graduate School of Business
What are the key compliance considerations of AI?
- Introduce ground rules and develop a policy that sets out clear goals and expectations for using artificial intelligence
- Educate workers about the benefits of AI (eg the ability to analyse vast amounts of data and identify trends, behavioural analysis, and machine learning for predictive analysis, etc.)
- Make sure your team understands AI risks (e.g. the potential for bias and discrimination, misinformation, accountability and governance issues, privacy and security risks, etc.)
- Identify positive use cases that show how AI can enhance compliance functions - such as adverse media screening, anomaly detection, document analysis, virtual SMEs, etc.
- Be aware of the company's risk appetite relating to AI and work within any limits to safeguard its assets and reputation (i.e. never upload the company's IP, images or other proprietary data to AI tools, such as ChatGPT)
- Train your team to be vigilant, to question and report suspected misinformation they encounter - e.g. awareness of the use of deepfake social engineering videos or convincing voice recordings of company senior executives, automated malware generation, etc.
- Assess potential risks and implement adequate controls, with monitoring and human oversight measures on high-risk activities (such as recruitment) to combat them
- Provide transparency for workers, customers, investors and stakeholders on the company's use of AI
- Consider how the company's approach may be impacted by upcoming legislation, such as the AI Act
2. Climate change & ESG
Following record-breaking temperatures of 2023, the El Niño phenomenon will add to the impact of climate change in the first half of 2024, according to scientists.
2024 will be "warmer than 2023", says the World Meteorological Organisation's secretary-general Petteri Taalas. “Extreme events such as heatwaves, drought, wildfires, heavy rain and floods will be enhanced in some regions, with major impacts.”
There were record temperatures of 41.9 degrees Celsius this month in Rio de Janeiro, while Kenya, Somalia and Dubai experienced severe flooding.
“The only hope to have a consistent robust cooling of global temperatures is by reducing greenhouse gases. There’s no mystery or other way about it,”
- Walter Baethgen, scientist, Columbia University’s International Research Institute for Climate and Society
While climate change may well push up demand for products in some industries (particularly renewables and electric vehicles), hit production of coffee and cocoa, and increase prices in others (e.g. rice in Asia), there will be pressure on all businesses to cut carbon emissions. Companies may need to adapt (for example, by installing air conditioning). The EIU believes that some sectors (such as insurance) may struggle to price in the increased risks due to climate events and could even withdraw from risky areas where high payouts are anticipated.
The cost of managing climate change is likely to become ever more burdensome through 2024, too, according to the EIU's report. Not just for sectors that are directly affected by climate (eg airlines and food production), but many others (e.g. governments) as they struggle to reach ambitious targets.
Further, businesses in the scope of the Corporate Sustainability Reporting Directive (CSRD) will need to meet the EU's new ESG/sustainability disclosure requirements, which come into effect in January 2024. Under the new European Sustainability Reporting Standards (ESRS), companies need to provide enhanced environmental disclosures (covering their entire supply chain) in annual reports from 2024.
What are key climate & ESG compliance requirements?
- Assess upcoming costs of climate change and impacts of climate change on existing supply chains, and plan how to mitigate any risks (e.g. growing the supplier base)
- Provide clear, comprehensive and accessible information to consumers and stakeholders
- Explain ESG and sustainability information fully and include disclosures so all relevant information is immediately accessible
- Ensure that fund holdings are consistent with a fund's ESG or sustainability objectives, and you can explain how these investments meet stated goals
- Ensure products are consistently aligned with ESG and sustainability goals, even if they are referenced in their name
- Identify risks of consumer harm stemming from the design, delivery and disclosure of funds
- Be sure to understand stewardship requirements and how these link to fund objectives.
3. Geopolitical pressure
As tensions increase between the US and China, the ongoing Russia/Ukraine war, and the escalating situation in the Middle East between Israel and Hamas, more and more companies are seeking geopolitical advice.
This seems likely to continue into 2024 as companies battle the potential reputational risks and try to manage the volatility posed by these high-risk jurisdictions.
Lazard's CEO Peter Orszag explains, "It's pretty simple - you can't make a big business decision today without a geopolitical perspective." Lazard launched its Geopolitical Advisory unit in 2022, "around six months after Russia started its invasion of Ukraine". Now, other investment banks are doing the same thing.
“More front of mind now are the tensions between the U.S. and China, with business leaders now understanding how geopolitical dynamics are driving the market environment. For many, it’s a new muscle in terms of understanding and monitoring how the geopolitical dynamics are as relevant as other risks to their business,”
- Teddy Bunzel, Head of Geopolitical Advisory, Lazard
The risks are significant.
Companies such as Unilever have faced ongoing criticism for a year now over its decision to continue operating in Russia. Named as an 'international sponsor of war', Ukraine's National Agency on Corruption Prevention said:
“After Russia’s full scale invasion of Ukraine, the company promised to suspend all imports and exports of its products to and from Russia, as well as halt all media and advertising spending. However, a year later, Unilever Russia's profits doubled from 4.8bn rubles (US$80m) in 2021 to more than 9.2bn rubles ($153m) last year. In addition, thanks to the significant amount of profit obtained... [Unilever Russia] managed to increase the capital to 34.5bn rubles in 2022 from 25.3bn rubles in 2021.”
Unilever's new CEO, Hein Schumacher, has pledged to review its Russian operations. However, the FMCG giant is not alone. L'Oréal, P&G and many others have continued operating in Russia, whilst big names like McDonalds, Carlsberg and Coca-Cola have pulled out.
Geopolitical tension can also impact companies' abilities to tackle climate change and cause supply chain problems, especially where tensions impact the global supply of those minerals that are critical for transitioning to a net-zero future or the shift to electric vehicles.
What are the key geopolitical compliance considerations?
- Regularly review company risk appetite and exposure to keep aware of emerging risks and potential volatility in different regions, especially any that may undermine the company's climate efforts or supply chains
- Use the 4Ts model (Tolerate, Treat, Transfer, Terminate) of risk management to help make the right decisions on how to manage risk
- Strengthen resilience and adapt the company's supply chains and corporate strategy if necessary to limit the company's exposure and reputational damage
- Use tools to assess the reputational and legal risks of continued business in risky territories. For example, the Yale List, which tracks whether companies have left or chosen to stay in Russia
- Conduct rigorous due diligence to identify whether individuals, entities or countries are subject to sanctions - implement controls and don't do business with anyone subject to sanctions
- Screen all customers and entities using automated screening tools – such as OFSI's free platform
- Be clear about your responsibilities if you identify a designated individual or entity – including asset freezes, terminating payments, restricting sales, etc.
- Think about the optics and ethics of current situations - "Just because you can [still do business in risky territories] doesn't mean you should"
4. Financial crime
More than $800 billion is laundered every year, according to Kroll. Here are some of the findings from its 2023 Fraud and Financial Crime report:
- 68% of global executives and risk professionals expect financial crime to increase over the next 12 months, with cybersecurity and data breaches being the biggest drivers.
- Over half (56%) of respondents felt that evolving technology was one of the biggest challenges in fighting financial crime.
But there's a silver lining. While technology can increase financial crime risks, the very same intelligent technology that utilises AI, machine learning and biometric verification can also help us detect and prevent fraud and other financial crimes.
For example, machine learning algorithms can predict potential money laundering with greater accuracy and automated due diligence can ensure checks are thorough and reduce the potential for human error. It's, therefore, unsurprising that two-thirds of respondents also plan to invest in technology to combat the risks.
Governments are also beefing up measures against financial crime. In the UK, anti-money laundering powers have been strengthened with the new Economic Crime and Corporate Transparency Bill.
What are key corporate compliance considerations?
- Train your team with regular refreshers to help them spot red flags of money laundering and financial crime
- Conduct risk-based due diligence at the start of the business relationship and on an ongoing basis
- Explore how AI AML tools can support and enhance your role in combating money laundering and other financial crime
- Review controls and ensure they are proportionate to the risks we face
- Remember, this also links to ESG – as we have a moral duty to rid society of drugs, gun crime, trafficking, organised crime, etc. which fuel money laundering and terrorist financing
- Avoid tipping off anyone suspected of money laundering or terrorist financing - there's a two-year penalty if you break the rules.
5. Fraud
It's likely that fraud and investment scams will continue to cause misery for consumers into 2024 as ongoing financial pressures and rising costs (due to inflation and the cost-of-living crisis) may force people to take more risks.
According to the latest figures from UK Finance:
- Over £1.2 billion was stolen by criminals through authorised and unauthorised fraud in 2022, equivalent to over £2,300 every minute
- A further £580 million was stolen by criminals in the first half of 2023
- 77% of Authorised Push Payment (APP) fraud cases start online, and 17% start via telecommunications
- Banks and the finance industry prevented £651 million of unauthorised fraud in the first half of 2023
- Losses due to unauthorised transactions across payment cards, remote banking and cheques were £340.7 million
- Remote purchase fraud or card not present accounted for £173.8 million of losses in the first half of 2023, the lowest since 2015, attributed to stronger measures, e.g. customer authentication and one-time passcodes (OTPs)
- Criminals continue to exploit online platforms to commit fraud, with investment scams, romance scams, and purchase scams on social media and auction websites
What are key fraud compliance considerations?
- Train your team to spot fraud red flags - e.g. those living beyond their means, suspected debt or gambling problems, etc.
- Be vigilant - watch out for more sophisticated AI-powered fraud attacks. Remember that the CEO's or a supplier's voice request to update their payment details may not, in fact, be genuine. What other measures (e.g. extra authentication systems and controls) should be implemented to combat the threat?
- Use Cressey's fraud triangle to assess risks - who has the pressure or motivation, the opportunity, and rationalisation to commit fraud?
- Implement strong proactive and reactive controls which are designed to both detect and prevent fraud by customers - e.g. stronger customer authentication, use of biometrics, etc.
6. Increased regulations
Predictably, increased regulation and enforcement are also 'hot topics' for 2024.
64% of respondents in Kroll's recent study expect increased ABC enforcement action.
There are new regulations on the horizon, increasing the burden for most industries. For example:
- The EU's new sustainability disclosure requirements from January 2024. Under the new European Sustainability Reporting Standards (ESRS), companies need to provide enhanced environmental disclosures (covering their entire supply chain) in annual reports from 2024
- The Network and Information Security (NIS2) Directive, effective from October 2024, with disclosure and reporting rules relating to cybersecurity and higher fines of up to €20m or 4% of company turnover
- The EU's Digital Markets Act (DMA) and Digital Services Act (DSA) - which are designed to address competition concerns and regulate online platforms, social networks, app stores, etc., respectively - are also fully enforceable, and we can expect lawsuits from 2024
- There's the introduction of the global minimum tax rate of 15% by the OECD
- Several EU countries (e.g. Austria, Finland, Germany, Ireland and Italy) are introducing mandatory whistleblowing channels for companies with over 50 employees from mid-December
- Several countries are introducing single-use plastics levies, e.g. Germany from 2024
- New capital requirements - the so-called ‘Basel III endgame’ rules - are expected for US banks
Closer to home, in the UK:
- From 2024, businesses using casual workers will need to comply with the Workers (Predictable Terms and Conditions) Bill, giving them more certainty over their hours and income
- From April 2024, UK firms must comply with the Product Security and Telecommunications Act. This sets minimum security requirements that networked products must adhere to (such as not being shipped with default passwords)
- The UK government is also consulting on new Short Selling Regulations as part of its efforts to replace EU law and deliver a Smarter Regulatory Framework for financial services and is expected to finalise its rules on fund labelling and sustainability disclosure requirements
- New D&I rules are being introduced to boost diversity and inclusion in financial services
- The Digital Markets, Competition and Consumers Bill and Online Safety Bill will also address issues relating to online content. Specifically, service providers will be subject to 'duties of care' obligations and must take proportionate steps to mitigate risks of harm to users arising from content on their platforms. If they don't, companies can face fines of up to 10% of worldwide revenue, and senior managers may face criminal action.
Regulations targeting artificial intelligence are also widely expected in the EU, US and UK, with draft proposals and consultations already underway. With the conviction of Sam Bankman-Fried and subsequent money laundering charges against Binance's Changpeng Zhao, cryptocurrency regulations are surely only a matter of time.
“In just the past month, the Justice Department has successfully prosecuted the CEOs of two of the world’s largest cryptocurrency exchanges in two separate criminal cases. The message here should be clear: using new technology to break the law does not make you a disruptor, it makes you a criminal.”
- Merrick B. Garland, Attorney General, US Department of Justice
What are the key compliance considerations for regulations?
- Review and update policies and practices to reflect the latest legal or regulatory changes
- Use the EU's pyramid of risk to assess the level of AI risk - note that the planned AI Act bans harmful AI practices where there is a clear threat to people's safety, livelihoods, and rights due to the 'unacceptable risks' they create. We must not use AI systems that deploy harmful manipulative subliminal techniques that exploit vulnerable groups (e.g. mental disability) or use AI systems for social scoring purposes.
- Provide information and training so employees understand their regulatory obligations
- Arrange regular, bite-sized learning on any new rules to get workers up to speed on their priorities
7. Battle for talent
To help meet the many challenges that are on the horizon for 2024, firms will need top talent across all functions. People with the creativity, drive, vision and tenacity to deliver and exploit the many opportunities arising from artificial intelligence, ESG and beyond.
In a survey by Ashurst, almost half of executives said that securing the necessary talent and developing skills for the future was one of their biggest challenges.
- Competition is high, and there’s a need to compete with other sectors to secure the digital skills needed for the future
- Younger talent (Gen-Zs) tends to be more attracted to exciting sectors, e.g. tech companies and fintech
- More proactive reskilling and upskilling of existing workers will be needed as AI is further embedded in companies to reshape and reimagine the world of work
What are key HR & talent compliance considerations?
- Consider what other incentives and benefits might be offered (e.g. flexibility) to attract new hires, especially Gen-Zs - great places to work are much more than free fruit and bean bags
- Develop outreach programs and research other ways of attracting more diverse candidates from atypical groups (e.g. rural communities, LGBTQ+ and neurodiverse groups) - this can also help to foster a more inclusive and innovative culture
- Review existing HR strategies and policies to ensure they remain fit for purpose and are AI-‘game-ready’
- Conduct a skills analysis to investigate the skills and competencies that existing workers currently have, how they could be reskilled and redeployed across the business, and what other roles they may undertake in the future as AI is embedded
8. Conduct risk
For anyone who still hasn't got the memo, the landscape is changing. Companies are likely to pay a heavy price for misconduct. 2023 was a final wake-up call in many respects.
The obvious example here is Odey Asset Management, the hedge fund that was forced to close five months after a report published by the Financial Times and Tortoise Media after multiple allegations of sexual assault were made against its founder, Crispin Odey.
Through 2023, scarcely a month went by without the sudden departure of some executive or another for inappropriate behaviour or undisclosed relationships with employees. From BP's Bernard Looney to CBOE's Edward Tilly, Lazard's Reid Snellenbarger, CBI's Tony Dancker, stretching right back to McDonald's Steve Easterbrook at the start of the year.
And, as we end the year with the news of the boys' club partying culture at the Federal Deposit Insurance Corporation (FDIC) and allegations surface of a sexist trading culture at Citi courtesy of Ardith Lindsey's court case, the reputational damage and undermining of trust are all too apparent.
UK financial regulators have launched a consultation on the new diversity and inclusion rules. The rules are expected to be finalised in 2024, with reporting obligations starting 12 months later.
“Greater diversity and inclusion can create better outcomes for consumers and markets by supporting healthy work cultures, reducing groupthink, unlocking talent and improving understanding of diverse consumer needs.”
- The FCA
The rules will apply to firms with Part 4A FSMA permissions. There are proposals to:
- Better integrate non-financial misconduct (NFM) considerations into staff fitness and propriety assessments, Conduct Rules and the suitability criteria for firms to operate in the financial sector (Threshold Conditions).
- Remind everyone that misconduct both within and outside the workplace, can be relevant for FIT. Bullying and similar misconduct within the workplace are relevant to fitness and propriety, and serious behaviour in a person's personal or private life can also be relevant.
- Give examples of non-financial misconduct, such as sexual or racially motivated offences.
- Give other examples of conduct which breaches the rules, including (i) intimidating or violent conduct, (ii) seriously offensive, malicious or insulting conduct, (iii) unreasonable conduct causing serious alarm or distress to a colleague and (iv) abuse or misuse of powers in a way that humiliates, seriously undermines or denigrates, or significantly injures.
Firms will be required to report:
- Average number of employees on an annual basis
- Collect, report and disclose certain D&I data
- Establish, implement and maintain a D&I strategy
- Determine and set diversity targets
- Recognise a lack of D&I as a non-financial risk
By engaging, firms can accelerate and help deliver meaningful change on D&I across the sector.
What are the key D&I compliance requirements?
- Be clear about what behaviours constitute non-financial misconduct (including sexually or racially motivated offences)
- Train your team to recognise harassment, call it out and/or report it - e.g. using the 4Ds model
- Vet all prospects to ensure they reflect company values and culture while continuing to meet any laws on the rehabilitation of offenders
- Encourage psychological safety so people feel safe speaking out if they witness inappropriate behaviour or misconduct and are able to challenge dominant opinions or express disagreement without fearing negative consequences
- Find out what diversity data is currently collected and consider what else will be required to comply with the rules
- Set targets and develop strategies to address underrepresentation in the company
- Adopt voluntary initiatives, such as the Women in Finance Charter, the Parker and FTSE Women Leaders Review
9. Employee/employer relationships
Against the backdrop of creeping AI and talent shortages, employee/employer relationships have arguably come under strain in 2023. With continued friction over hybrid working and many companies enforcing stricter Return-To-Office (RTO) policies, employee/employer relationships still look fragile.
A Gartner report found:
- Flexibility controversy - Only a quarter (26%) of organisations report that their employees fully comply with on-site attendance requirements
- Productivity anxiety - Nearly 50% of employees view their current performance as unsustainable
- Mutual mistrust - Only 50% of employees trust their organisation
Clearly, this climate undermines the fundamental bond between a company and its workers. Through 2024, savvy firms will need to work on rebuilding trust and resetting that relationship if they are truly going to retain top talent, boost engagement and productivity, and secure long-term growth.
What are key HR compliance requirements?
- Design appealing and adaptable work settings to attract workers back to the office by focusing on the overall workplace experience and emphasising collaboration, fun and innovation
- Address negative behaviours, heavy workloads and toxic environments which create stressful environments - make the office a place that workers genuinely want to return to
- Provide opportunities for forging connections, socialising and giving back - such as yoga, break-out areas, volunteer days, etc. - which are known to boost engagement and improve wellbeing
- Develop learning journeys and pathways so there is a clear progression and career path for workers
- Develop initiatives to share knowledge and know-how and also foster cohesion - by learning from those around you
- Engage regularly with your team (especially with remote workers) to establish an emotional bond and reinforce corporate culture
- Watch out for anyone under pressure, resetting role expectations and ensure there is transparency
By creating a kinder and more supportive environment, we make people feel valued. In turn, this can boost engagement and productivity, energise the team, improve retention, and lead to long-term growth.
10. Cybercrime
By the end of 2025, the cost of cybercrime is expected to hit $10.5 trillion.
Once again, we can expect artificial intelligence to have a transformative effect on both attack and defence capabilities in 2024.
- There’s likely to be a surge in AI-enabled or sophisticated next-level phishing attacks. For example, the use of deepfake social engineering phishing attacks or convincing voice recordings of senior executives or suppliers, automated malware generation, and more.
- AI-powered tools (e.g. ChatGPT and other large learning models, or LLMs) and newer AI-powered phishing bots (e.g. WormGPT and FraudGPT) may be used to create plausible emails and trick users into clicking on links, as the Europol alert cautioned earlier this year. The safety features built into existing AI-powered models are relatively easy to circumvent.
However, on the plus side, we can use AI to fight AI. Machine learning algorithms, anomaly detection and real-time monitoring can flag suspicious communications, with AI systems trained to classify and quarantine malicious URLs faster than any human intervention. Zero-trust models will continue to play a vital role.
What are key cybercrime compliance requirements?
- Educate your team so they can spot tell-tale signs of phishing and malicious communications and improve company's cybersecurity culture
- Retrain or upskill existing workers to help bolster cybersecurity capabilities across the company
- Make cybersecurity a strategic priority and, if you haven't already, appoint at least one board member with relevant expertise. This can help the company to move beyond reactive risk management and exploit opportunities as a result of greater preparedness.
- Invest in training to ensure better preparedness to identify risks - including phishing, ransomware, DDoS, etc. - and combat the threat
- Be vigilant and look for patterns and trends to help determine the risk level - e.g. geopolitical tensions (which may increase state-sponsored cybercrime), forthcoming elections in the US, UK and India (fuelling surges in cyberattacks to disrupt democracy), anomalies, etc.
- Consider moving to a zero-trust model, which goes beyond the perimeter of the company to embrace remote workers, third parties and the Internet of Things devices, with continuous AI-enabled monitoring and authentication on every digital interaction
- Prioritise cyber and digital resilience in readiness for the new mandatory security requirements of the EU's Network and Information Security (NIS2) Directive, due to be implemented by October 2024, and the Digital Operational Resilience Act (DORA), which is coming in January 2025.
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.