Trending Now Q2'26: The Hottest Topics in E&C and HR

What do a global consulting firm, a German manufacturing giant, and an AI pricing algorithm have in common? Each became a cautionary tale in a quarter that exposed how thinly most organizations are resourced against the risks they actually face.

This quarterly session walked compliance and ethics professionals through the most consequential enforcement actions and emerging risks of the past three months. The conversation centered on a surge in sanctions and export-control enforcement, where two sophisticated companies—FTI Consulting and Bosch—were penalized not for malicious intent but for failing to build the capability to comply. From there, the panel pivoted to "algorithmic antitrust," a fast-emerging area where companies using shared AI pricing tools may be colluding without ever speaking to a competitor. The discussion also covered new Treasury guidance on uncovering hidden beneficial owners, the aggressive new whistleblower posture at the DOJ's Antitrust Division, and a budgetary surprise reshaping every program: the sudden, very real cost of AI tokens. Throughout, the recurring theme was resourcing—and the argument that compliance leaders must actively make the case for their own value before the next failure proves it for them.

Key Takeaways

Regulators Are Penalizing Capability Gaps, Not Just Bad Intent

• Both headline sanctions cases this quarter involved sophisticated, well-resourced companies that failed not because they set out to break the law but because they lacked the internal expertise to recognize the violation in front of them.

• The panel drew a direct parallel to FCPA enforcement around 2012, when companies understood the law existed but had not yet built the processes to comply, arguing that sanctions and export controls now occupy that same dangerous maturity gap.

• The practical lesson is that "we didn't know" is no longer a defense for large organizations, and regulators increasingly expect a baseline of trade and sanctions competence proportional to a company's size and complexity.

"Indirectly" Means Exactly What It Says in Sanctions Law

• FTI Consulting was fined $1.05 million after structuring a deal to invoice a law firm rather than the sanctioned Russian bank VTB directly, an arrangement OFAC rejected outright with the principle that what you cannot do directly, you also cannot do indirectly.

• The violation deepened when VTB failed to pay its invoices on time, converting an overdue payment into an extension of credit to a sanctioned party—a secondary violation layered on top of the original scheme.

• The panel emphasized that regulators care about economic logic and who ultimately benefits from a transaction, not the procedural cleverness of a "man-in-the-middle" or shell arrangement designed to obscure that benefit.

Penalties Are Now Being Aggravated to Send a Message

• OFAC doubled FTI's base penalty from $525,000 to $1.05 million and stated explicitly in its settlement order that it was elevating the fine to deter all other parties contemplating similar conduct.

• The panel noted how unusual it is for a regulator to openly declare that it is escalating a penalty purely for deterrence value, treating the enforcement action as a public warning rather than a private resolution.

• For compliance leaders, this signals that published settlements should be read as forward-looking guidance about what regulators intend to scrutinize next, not merely as records of past misconduct.

The Foreign Direct Product Rule Reaches Far Beyond U.S. Borders

• Bosch was fined $36 million for shipping micro-electromechanical sensors to the sanctioned Chinese telecom Huawei, even though it was a foreign company using foreign-sourced components in foreign factories selling to a foreign customer.

• The jurisdictional hook was that Bosch's manufacturing relied on U.S.-origin technology, making the finished goods a "direct product" of that technology and therefore subject to U.S. export controls regardless of where assembly occurred.

• The panel flagged a critical technical error in Bosch's analysis: the company improperly applied a 25% de minimis threshold that simply does not exist under the Foreign Direct Product Rule when a component is controlled for national security reasons.

Under-Resourcing a Critical Function Costs Far More at the Back End

• Bosch reportedly staffed its export-control compliance with roughly two people—one full-time and one part-time assistant—in an organization of approximately 80,000 employees, and then expanded to 66 trade compliance professionals only after enforcement hit.

• The panel framed compliance investment through an analogy to airbags and seatbelts: it is easy to underestimate the value of a second line of defense precisely because nothing bad has happened yet.

• With higher borrowing costs and leadership pressure to cut spending across the economy, the panel warned that compliance teams vulnerable to downsizing create downstream organizational risk, making proactive advocacy for the function's value essential.

Red Flags Are Worthless If They Never Reach the Right People

• Over roughly four years, five separate companies warned Bosch and asked it to certify that it was not violating the Foreign Direct Product Rule, yet the German trade compliance team that had reached the wrong conclusion dismissed every supplier as mistaken.

• The panel characterized this as fundamentally an information and communications failure, raising the question of whether Bosch would have corrected course years earlier had those inquiries ever reached decision-makers with the authority and knowledge to act.

• The takeaway for every program is to ask whether the right internal controls exist to route external warning signals to the right people and whether the organization can correctly interpret those signals when they arrive.

Algorithmic Antitrust Is the Newest Frontier of Collusion Risk

• The DOJ's top criminal antitrust official, Daniel Glad, warned that when several competitors feed pricing data into the same AI tool and then defer to its output, the conduct can constitute criminal collusion even with no direct communication between firms.

• The panel cited the RealPage litigation—where multiple major landlords used a common AI system to set rents and several have already settled—as the leading real-world example of how shared pricing algorithms attract antitrust scrutiny.

• The governing principle is that an AI tool may advise on price but cannot be permitted to decide it for an entire market, because outsourcing the price-setting decision to a shared engine recreates the legal substance of a smoke-filled-room conspiracy.

Salespeople and Compliance Teams Often Cannot See the Collusion Happening

• The panel cautioned that sales teams crave fresh competitive pricing data and may adopt AI tools that aggregate it without realizing the sourcing creates antitrust exposure, a "set it and forget it" laziness risk distinct from the human-in-the-loop debate.

• Mitigation requires repeating uncomfortable messages to the salesforce, monitoring how pricing decisions are actually made, and asking pointed questions about where competitive information originates—old compliance disciplines applied to a more complex problem.

• The recommended structural response is a full AI-use inventory across departments, because the sheer number and creativity of use cases means compliance cannot manage risks it has never been told exist.

Whistleblower Incentives Create a Second Lane of Enforcement Pressure

• Daniel Glad signaled enthusiasm for paying individual whistleblower awards in antitrust matters, deliberately creating pressure parallel to the traditional leniency race among colluding companies.

• The panel explained that this changes the calculus of self-reporting: if a whistleblower reaches the government first, none of the participating companies receive the customary cooperation break, sharpening the incentive for voluntary self-disclosure.

• AI compounds this exposure because algorithmic collusion involves far more potential witnesses—internal users, engineers, and third-party vendors—and generates a durable system of record that becomes discoverable evidence.

Voluntary Self-Disclosure Earns Credit, But It Is Not a Refund

• Bosch received substantial credit—and a criminal declination—for disclosing before it had even completed its own internal investigation, a pattern also seen in recent FCPA resolutions, signaling that early disclosure to executives and boards is increasingly expected.

• The panel stressed that a declination still came with a $36 million payment, underscoring that cooperation is a consolation prize for prevention that did not happen, not a strategy in its own right.

• The broader lesson is that nearly all of the failures discussed were preventable, and the value of studying other organizations' near-misses lies in dialing in one's own program before a similar control gap surfaces.

Closing Summary

Across every topic—from sanctions and export controls to algorithmic antitrust, beneficial-ownership due diligence, and the economics of AI—this quarter's session returned to a single theme: the gap between regulatory expectations and organizational capability is widening, and it is being filled with penalties. The companies that stumbled were not careless villains but sophisticated firms that under-resourced critical functions, missed red flags, or failed to move information to the people who could act on it. At the same time, AI is simultaneously creating new exposures (collusion through shared pricing tools) and new operational pressures (the runaway cost of tokens forcing leaders to ration which teams get the best models). For compliance, ethics, and HR professionals, the through-line is one of high agency: anticipate where guidance points next, prioritize risk rigorously, demand adequate resourcing, and make the case for the function's value before the next enforcement action makes it for you.