Three regulatory frameworks are landing simultaneously — namely MiCA, DORA and the EU AI Act, but there is no shared governance architecture that covers all three. Compliance leader and consultant Natalia Taft explores what this means for financial services firms.

I recently looked at an institution that spent 18 months stacking smart contract settlement, DeFi protocols and AI risk models on top of each other. From the outside, it was a success: Systems were running and revenue was climbing. But when a supervisor asked a simple question — which legal entity was actually responsible for an AI model routing assets through an unaudited protocol — nobody could answer cleanly.

Three different teams held pieces of the puzzle, but no one owned the end-to-end logic. The AI model had been validated at launch, but the underlying protocols had already been updated twice. Because the client-facing entity and the AI engine sat in different jurisdictions, visibility evaporated. This is the hidden cost of convergence: Everything looks under control until you realize your innovation speed has completely outrun your ability to govern it.

The regulatory collision

The frameworks are arriving, but they are arriving separately. MiCA now applies to crypto asset service providers (CASPs) across the EU, establishing licensing, custody and conduct requirements for the first time at continental scale. DORA has been in force since January 2025, requiring information and communications technology (ICT) risk management, incident reporting and third-party oversight, including for CASPs authorized under MiCA. The EU AI Act is phasing in risk-based obligations for high-risk AI systems: risk management, data governance, technical documentation, human oversight.

Each framework solves a specific problem, but none governs their convergence. A firm that tokenizes assets, offers protocol access and uses AI for client-facing decisions has to comply with all of them and build internal governance that connects them because the regulations do not. Meanwhile, the International Organization of Securities Commissions (IOSCO) DeFi recommendations push jurisdictions to identify responsible persons behind decentralized arrangements. Basel’s prudential framework for crypto asset exposures is pulling crypto risk into formal capital and disclosure requirements for internationally active banks. And FATF continues to note that identifying persons exercising control over DeFi remains an unresolved challenge. The supervisory perimeter is expanding from every direction at once.

Where governance actually breaks

Governance for convergent systems starts with what I call an activity map, a map of what the firm actually does. Which product, which client, which legal entity, which protocols, which models, which data sources, which third parties, where the assets sit and where the money moves. If you cannot draw that map, you cannot govern the activity. The NIST AI risk management framework organizes AI risk around four functions (govern, map, measure, manage) and that structure is a useful backbone. But it only works if data lineage is real. In AI and DeFi environments, data is the control environment.

If you cannot trace where the data came from, how it was transformed and what decision it fed, you cannot defend that decision to a supervisor. Then there has to be a stop mechanism, not an escalation path that terminates in a committee meeting — a real ability to pause a model, freeze a feature or restrict a protocol before the next trade clears. Most firms I work with can approve a product in weeks. Halting one under pressure takes far longer than it should.

Trustless does not mean unaccountable

The word “trustless” describes how a protocol settles transactions. It says nothing about the firm that connected its clients and custody infrastructure to that protocol.

The practical question is where your control points are. Where does the client enter the system? Who screens them? Which entity provides access? Where are assets held? Which smart contracts are touched? What happens when liquidity disappears, when the protocol is exploited, when a sanctions hit appears midstream? Who can stop everything and how fast?

I keep hearing firms argue that they do not control the protocol, as if that closes the question. A regulated firm may not control Ethereum, but it absolutely controls whether it routes clients, assets and regulated services through it. The US Treasury’s DeFi risk assessment made this point directly: The touchpoints between regulated firms and decentralized protocols create the accountability surface, regardless of the protocol’s own architecture. Due diligence, approved protocol lists, smart contract audits, wallet screening, sanctions controls, concentration limits and incident playbooks — none of this is optional; it is the cost of participation.

Financial Services

FinCEN’s Proposed New AML Rules: What You Need to Know

by Abhishek Bhasin

June 5, 2026

The rule-making process is a culmination of years of moves toward standardizing financial institutions’ AML/CFT processes

Read moreDetails

When AI operates inside the control perimeter

My rule: Nothing executes, moves assets, approves exposure or interacts with DeFi infrastructure until six things are answered. What data the model uses, exactly. How it behaves under stress and adversarial conditions. What it is permitted to do, written down, limited and enforced. Where the human intervention point sits. Whether we can reconstruct every decision after the fact. And how drift is monitored once the model is live, because models change as soon as data, markets and clients change.

Article 17 of the EU AI Act mandates quality management systems for providers of high-risk AI. SEC Rule 15c3-5, designed for traditional broker-dealer market access, already established the principle that automated access to markets requires documented pre-trade controls, supervisory procedures and clear system ownership. That principle only gets sharper when the automated system makes decisions about client money on decentralized infrastructure.

Validation cannot be a one-time sign-off. Firms that get this right version their models the way engineering versions code. Every new data source, every retraining cycle is a fresh approval event. If you cannot explain the model’s decision to a regulator, the model should not be making that decision.

And when a model or smart contract does fail, the remediation looks nothing like fixing a manual process. You are unpicking a system that may have scaled the error across every decision it made while it was live. The evidence trail, logs, inputs, outputs, model versions, code versions, deployment records, has to exist before the failure occurs. “The model did it” will not satisfy a supervisor. Instead they will ask who approved the model, how it was tested, what controls missed the failure and which clients were affected.

The 2027 prediction

Over the next two years, supervisory pressure will concentrate around custody and client asset protection, liquidity and concentration risk under stress, operational resilience across technology and blockchain disruptions, model accountability with real validation and human oversight and cross-border clarity on which legal entity owns which obligation. The FCA’s discussion paper DP25/1 is already signaling how the UK intends to bring crypto activity inside the perimeter. The direction is consistent globally, even where timelines diverge.

I believe by 2027, the defining question for any institution operating at this intersection will be whether it can demonstrate, in real time and after the fact, that every automated decision, asset movement and client exposure sat inside a controlled, explainable and accountable governance perimeter. Who approved the model. Who validated the data. Who tested the smart contract. Who had the authority to stop it.

Firms that close the gaps deliberately will shape what comes next. The rest will learn about it through enforcement.

The post The Convergence of TradFi, DeFi & AI appeared first on Corporate Compliance Insights.

Most companies confident they can meet recovery objectives, but less than 40% did

Businesses are confident they can recover from a major disruption, but that confidence could be misplaced, according to a survey by GRC software provider Optro, formerly AuditBoard.

More than nine out of 10 of business leaders (92%) said they were confident they can meet recovery objectives during a major disruption, but only 39% actually met those targets during their most significant incidents, the survey found.

Optro surveyed 506 risk, IT, security, audit, compliance and business continuity leaders at organizations with revenues of at least $100 million. 

As expected, disruptions are bad for businesses. Just over 90% reported customer impacts from disruptions with 17% saying they experienced significant customer loss or churn. 

Other findings include:

• 76% experienced a vendor-related disruption in the past two years.
• Only 31% conduct continuity testing with critical third-party providers.
• 54% took longer than their defined recovery window during their most significant disruptions.
• 42% of companies invested between $1 million and almost $5 million in AI over the past year, but only 26% have a formal AI governance program and 30% have never tested an agentic AI failure scenario.

Less than two-thirds of mid-market companies require review of AI output

Mid-market companies are deploying AI without establishing data strategy, governance and change management needed to effectively scale such deployments, according to a new survey by CPA and advisory firm Kaufman Rossin.

Kaufman Rossin surveyed 100 senior decision-makers across US industries and conducted eight in-depth interviews.

The survey found that 83% of mid-market firms are testing or deploying AI, but 64% only have acceptable-use policies for generative AI. Less than two-thirds (57%) require human-in-the-loop review before external use of AI-generated output. 

Of the respondents, 40% said they had restrictions or bans on AI in place, while only 21% reported performing general holistic AI risk assessments.

Other findings include:

• About 40% of respondents said resistance to change, legacy integration, AI talent shortage and cybersecurity and privacy concerns are the top barriers to AI deployment.
• Most mid-market companies surveyed aren’t reporting return on investment as the value of AI (only 44% did), but time saved (82%) and reduced costs (61%) are where companies measure value.
• 70% of mid-market companies surveyed reported using generative AI tools, with ChatGPT leading the way at 89% of companies using it, 76% for Copilot and 47% for Gemini. 

European banks increasingly report Scope 3 emissions

European financial institutions increasingly reported their part in creating greenhouse gases through financing emission-producing companies from 2021 to 2024, according to an analysis by Clarity AI, a sustainability and fintech platform.

In a review of nearly 1,600 financial institution disclosures, Clarity AI found that the share of European financial institutions reporting financed emissions rose from 24% to 80% over that period. Reporting of Scope 3 emissions under the European sustainability reporting standards (ESRS) also grew sharply, nearly tripling over the same timeframe.

“European financial institutions appear to be getting more carbon intensive, largely because they are reporting more completely, not because they are getting dirtier,” Clarity AI said.

The study comes as the European Union debates scaling back sustainability reporting requirements in the ESRS, Clarity AI noted, warning that doing so risks reversing the trend toward greater transparency and could leave the EU behind other regions globally in reporting completeness.

Two-thirds of organizations hit with AI identity attacks

Nearly two-thirds of organizations had an AI identity related security incident in the past 12 months, according to a survey by FusionAuth, a customer identity and access management platform.

Of the 312 security and technology leaders surveyed, 65% reported a confirmed AI identity related security issue, the survey said. 

The survey points out what it called a “counterintuitive crisis” with 84% of organizations saying they’re “extremely confident” in their AI security but also reporting a confirmed AI identity incident. Only 12% of respondents emerged without an incident with 23% reporting a near-miss, the survey found.

Other findings include:

• 88% said AI deployment is outpacing their identity and security infrastructure.
• 80% reported employees were connecting to AI tools without security or IT review, also known as using “shadow AI.”
• 93% said AI is already a trigger for evaluating identity infrastructure.

The post Only 39% of Businesses Meet Recovery Targets After Major Disruption appeared first on Corporate Compliance Insights.

A merger, acquisition deal or IPO is not where you build a security program, writes Matt Hillary, CISO of Drata. It’s where you defend years of effort put into what you’ve built. Leaders who come away with the deal intact built programs long before any transaction was on the table.

Whether you’re preparing an organization for an IPO or facing scrutiny during acquisition due diligence, the process goes much smoother when your security program is operating as expected. That doesn’t mean what’s documented in a policy or what your most recent auditor has attested to. It means what’s actually operating every day, protecting the company, defending the business and keeping deal conversations from getting knocked off track when an acquirer’s third-party firm starts looking for gaps.

Policies that exist on paper, controls that are documented but not enforced and risk registers that haven’t been actively managed don’t survive a motivated acquirer with a third-party security firm and 10 days in the data room.

With global M&A deal value rising to roughly $3 trillion in 2025, security and GRC leaders are taking on a new, more critical role at the go/no-go deal table.

Investors and acquirers are engaging these teams earlier and expecting them to both quantify risk and translate it into financial and legal impact in the context of a transaction. This shift is changing how security and GRC leaders contribute to deal decisions and what’s required of them when scrutiny is highest.

Security and GRC centers in decision-making

Until recently, security and GRC were not central to deal evaluation. Teams were often brought in too late into the process to validate controls, respond to diligence requests or produce documentation once a transaction was already moving forward. The role was reactive and largely focused on finding anything grossly negligent that might impact the overall risk of the acquiring company.

While some companies may still operate this way, rising breach costs and reputational risk mean this model no longer reflects how security, GRC and privacy show up in the deal evaluation process.

As organizations have become more dependent on digital infrastructure and third-party systems, the risk inherited through an acquisition can multiply. Previously unknown and exploitable vulnerabilities can directly affect revenue, disrupt operations and introduce regulatory exposure.

That shift in risk profile is driving a different level of scrutiny and engagement from security and GRC teams. Investors and acquirers are taking a closer look at how organizations manage risk, govern their control environments and make disclosure decisions. The focus has shifted to how actual risk is identified, assessed and managed in practice.

Gaps surface quickly at that level of scrutiny, potentially eroding deal valuations, delaying timelines and, in some cases, putting deals at risk.

The financial impact of security incidents reinforces that shift. With the average cost of a data breach reaching $4.4 million, according to IBM, a single gap can have material consequences. In a deal context, that risk can influence valuation and introduce additional conditions before closing.

How GRC and security leaders’ roles are shifting

Security and GRC leaders are increasingly involved earlier and more directly in the process, using more structured criteria in their assessments. They’re brought in to help assess and quantify risk as part of the transaction itself, not just respond to diligence requests. In some cases, their perspective can function as a genuine go/no-go input.

This changes the nature of the role. Security and GRC leaders now evaluate how controls operate in practice and use that understanding to inform decisions, rather than focusing solely on whether documentation exists.

Cybersecurity

5 Structural Barriers Breaking Your Cybersecurity Compliance Framework

by Steve Durbin

April 30, 2026

Compliance challenges rarely stem from a lack of intent, but are often rooted in how systems and processes are designed.

Read moreDetails

Diligence compresses what would normally take weeks into a matter of days. Security and GRC leaders are pulled into sessions where they must answer detailed diligence questions in real time, often without the ability to step away and validate responses. Success depends on how quickly they can synthesize information and present a clear, defensible position to an audience evaluating risk from multiple angles.

That dynamic has shifted the role from managing a program to representing it under pressure.

Leaders are often required to translate complex findings into a view of risk that others can act on. That includes clarifying which issues matter, how they are being managed and what they could mean for the business. Those explanations can influence valuation, introduce conditions or change how a transaction moves forward.

There’s also an element of asymmetry. Acquirers may engage third-party firms to test systems and probe for weaknesses independently. They then compare those findings against what has been presented during diligence. Any gap between the two becomes a credibility issue.

These third-party firms may be tasked with breaching the target company to ascertain weaknesses in security defenses. A “breached” outcome could be used as evidence to quantify the cost of rectifying those gaps post-deal.

Lacking risk alignment is a critical pitfall

While the pace and intensity of diligence change how risk is evaluated, they also expose how differently risk is understood across the organization.

Security, finance and legal teams often look at the same issues through different lenses. Security focuses on security posture, configurations, vulnerabilities and control effectiveness. Finance is concerned with financially relevant, material impacts. Legal is focused on disclosure obligations, privacy, risk and exposure.

During a transaction, those perspectives converge quickly.

When that alignment isn’t already in place, friction shows up in high-stakes moments. Questions about whether a risk is material become harder to answer. Security, finance and legal teams may interpret the implications of a control gap differently depending on their perspective.

In those moments, decisions about how to classify risk, whether it needs to be disclosed and how it could affect the transaction are made without a shared framework, or even a shared vocabulary, for evaluating risk across functions.

This is where deal scrutiny changes how security and GRC leaders think about their roles. Identifying and managing risk within the function is not enough. Leaders are increasingly responsible for ensuring that risk is evaluated consistently and quickly across the business, especially when decisions cannot be deferred.

As organizations move toward IPO or face deeper diligence, attention shifts to systems that support financial reporting and material transactions. That includes enterprise platforms and the controls that govern access, change management and operations. These areas often sit outside the traditional focus of security teams, but they become central in a deal context and require closer coordination with finance and audit.

This also reinforces a broader shift in how the role is defined. Security and GRC leaders are responsible for ensuring that controls across the organization can stand up to scrutiny.

What effective security and GRC leadership looks like

Security and GRC leaders are increasingly operating as part of the decision-making process, working alongside finance and legal to assess how risk affects the outcome of a transaction. In practice, that means interpreting risk in context and communicating what it means for the business.

From what I’ve seen, even organizations that aren’t actively preparing for an IPO or transaction are already being held to these expectations. This is especially true in B2B SaaS companies, where a constant stream of customer inquiries requires ongoing proof of security posture and risk management. The way risk is understood, communicated and governed is tested when scrutiny increases, not when teams have time to prepare.

It runs the same on a quiet Tuesday as it does with an acquirer’s outside firm in the building. That’s the version that holds up under scrutiny. And it’s the only one that pays you back over time, in shorter diligence, steadier valuations and the kind of trust acquirers actually price into the deal.

The post Deal Scrutiny is Changing the Role of GRC Leaders appeared first on Corporate Compliance Insights.

Integreon has appointed Krishna Nacha as CEO and a member of its board of directors, effective immediately, the legal and business solutions provider said.

Nacha brings more than 30 years of experience in business process, technology services and information management. He most recently served as head of Americas at Iron Mountain, a provider of information management services, and previously held executive roles at Wipro and EXL Service, as well as commercial and operational leadership roles at Capgemini, Infosys and Unilever. Nacha succeeds interim CEO Bill Carter, who took the role after former CEO Subroto Mukerji retired in December 2025. Integreon, which has headquarters in Austin and London, is majority-owned by investment funds managed by private equity firm EagleTree Capital.

“In a world defined by speed and AI, clients need a strategic partner that can deliver high velocity results,” Nacha said in a news release.

The post Integreon Names Krishna Nacha CEO appeared first on Corporate Compliance Insights.

Casepoint has appointed Paul Colangelo as CEO, the Washington, D.C.-based legal and data discovery software provider said in a news release.

Colangelo brings more than 25 years of experience leading government and enterprise software companies. He most recently served as founder and CEO of Neumo, a government software business providing applications to justice, compliance, DMV and public administration agencies. Colangelo fills a role that has seen turnover in recent years: Previous Casepoint CEO Haresh Bhungalia left in January 2025 after the company merged with OPEXUS. Howard Langsam, the OPEXUS CEO, led the combined company until mid-2025, and Krystal Putman-Garcia and Mohit Manocha served as co-interim CEOs after that. Putman-Garcia and Manocha will return to their previous roles, the company said.

Casepoint provides eDiscovery, investigations, FOIA, regulatory and compliance response software to government agencies and enterprises.

“Organizations today face growing data volumes, increasing regulatory demands and pressure to respond quickly and defensibly,” Colangelo said in a news release.

The post Legal Discovery Software Provider Casepoint Names New CEO appeared first on Corporate Compliance Insights.

K2 Integrity has acquired RiskFront AI, a developer of agentic AI systems that automate financial crime compliance and risk operations, the New York-based risk management and investigations firm said. The deal has closed, though financial terms were not disclosed.

Founded in 2024, RiskFront AI automates the manual work between alert generation and human decision-making, including research, data extraction and analysis. The Los Angeles-based company serves clients across banking, management consulting, technology services and cryptocurrency trading. RiskFront AI’s full team, including co-founders Andy Bethurum and Mikhail Abramchyk, is joining K2 Integrity. The acquisition is K2 Integrity’s second since Aaron Karczmer became CEO in October 2025, following its purchase of cybersecurity firm Leviathan Security Group in March 2026.

“Pairing RiskFront AI’s proven technology with K2’s regulatory credibility and practitioner experience enables clients to adopt fit-for-purpose solutions with confidence,” Karczmer said in a news release.

The post K2 Integrity Acquires AI Compliance Automation Provider RiskFront AI appeared first on Corporate Compliance Insights.

New products & platforms

Trust management platform Drata released an AI agent governance tool.

Risk management software company FossID announced early access to FossID Workflows, a product for managing software bills of materials across suppliers, products and releases.

Fincrime prevention platform Hummingbird introduced Research Agent and Review Agent, two AI agents designed to automate some compliance work.

Audit and assurance platform MindBridge announced new features for risk assessment and audit workflow automation.

Financial markets infrastructure and data provider LSEG Risk Intelligence launched Identity Gateway, a tool for accessing digital identity verification schemes.

Legal and compliance software provider Wolters Kluwer introduced Jurisdictional Compare, an agentic AI tool for cross-jurisdiction legal analysis.

LegitScript, a merchant and product certification and monitoring company, launched Risk & Policy Advisory, a subscription offering that gives clients access to the company’s regulatory and investigative staff for policy research and development.

Other news

Speeki, a global sustainability assurance and ISO certification firm, and Pilot Partners, an Australian audit firm, announced a strategic partnership to provide sustainability assurance services to Australian companies subject to mandatory climate disclosure and assurance requirements.

Ministry Brands, a church management software and fintech provider, relocated its headquarters from Knoxville, Tenn., to Milton, Ga., about 30 miles north of Atlanta.

Surveillance and financial risk software provider Eventus announced the appointment of Eric Litz as chief technology officer and Sarah-Jane McColl as chief customer officer.

The post GRC News Roundup: Drata, AMLYZE, LSEG Risk Intelligence, Speeki & More appeared first on Corporate Compliance Insights.

Compliance into the Weeds

Each week, Tom Fox and Matt Kelly delve into all the details of a different topic in Enterprise Risk Management.

The post Compliance Lives appeared first on Corporate Compliance Insights.

The post [FULL VIDEO]: Wildly Effective, 10 Years Later appeared first on Corporate Compliance Insights.

Often citing culture and team cohesion, dozens of major employers over the past several years have instituted return-to-office mandates, rolling back the remote-work revolution of the Covid era. While such mandates are generally within employers’ rights, as contributing writer Laura Scott explores, that does not mean they are not without risk, whether legal or reputational.

Several large employers, including EY, Fidelity, Home Depot, Instagram, Kroger, Microsoft, NBCUniversal, Novo Nordisk, PNC Financial and Sherwin-Williams, have announced return-to-office (RTO) mandates for 2026, according to workplace management and coworking software platform Archie’s RTO tracker.

Whether due to corporate restructuring, a need to justify the cost of long-term commercial leases, a doubling down on company culture and collaboration or some other reason, organizations generally have the right — absent a non-revocable agreement to the contrary — to call employees back for in-person work.

“Some businesses function better when employees are in the office, and an in-office work mandate is appropriate for some employers,” Catherine Cano, a principal in the Omaha, Neb., office of Jackson Lewis, told CCI. 

But that doesn’t necessarily mean organizations are in the clear, Cano warned: “For employers who require in-person attendance, they will still have to properly handle requests for accommodation in the form of work-from-home requests.” 

Other pitfalls may stand in the way of a clean return to in-person work after the Covid-related remote work revolution.

The anatomy of federal claims

Failure to properly handle work-from-home accommodation requests in response to RTO mandates could ignite compliance landmines under federal antidiscrimination laws, such as the Americans with Disabilities Act of 1990 (ADA) — and the Rehabilitation Act of 1973 for federal employees — the Pregnancy Discrimination Act of 1978 (PDA) and the Pregnant Workers Fairness Act of 2023 (PWFA), as well as under the Age Discrimination in Employment Act of 1967 (ADEA) and Title VII of the Civil Rights Act of 1964 (Title VII).

Under the ADA, physical and mental impairments substantially limiting one or more major life activities entitle employees to protection if they can perform their essential job functions with or without reasonable accommodation. If a reasonable accommodation is required for them to perform their duties, the employer must grant an accommodation request unless doing so would pose an undue hardship for the employer, which is generally accepted to mean great expense or significant difficulty.

That’s not to say that an employer must grant an employee’s requested accommodation. The interactive process allows employers and their employees to discuss specific job requirements and limitations that may require a reasonable accommodation, such as telework.

The PDA guards against disparate treatment of pregnant workers. Namely, if two employees perform the same or similar work, the employer can’t grant the non-pregnant employee an accommodation and deny the same request from the pregnant employee. The PFWA adds a layer of protection for known limitations related to pregnancy, childbirth or related medical conditions even if they wouldn’t be classified as disabilities under the ADA. 

Cano noted that often, the first step is to get information from the employee to understand the underlying restrictions or limitations for pregnancy-related conditions. 

“The goal is to understand what it is about the employee’s home environment that enables them to perform their essential job functions. Employees may not know the extent of accommodations that may be available in the office, and there may be equally effective alternative accommodations that allow the employee to stay in the office,” she said.

From there, it’s about determining whether medical documentation should be requested. Under the PWFA, the scope of requestable medical documentation is narrower than under the ADA, Cano said, and applicable state laws may impose additional constraints. Since obtaining documentation can take several days, employers should consider offering temporary accommodations in the meantime — especially for pregnancy-related conditions. Once all necessary information is gathered, the employer should generally engage the employee in a conversation to land on an appropriate accommodation.

“These situations are fluid, and it can be helpful to periodically check in with the employee and their leaders to assess the accommodation. When dealing with a pregnancy-related accommodation, it is important to remember that the obligations are broader than under the ADA,” Cano added.

RTO policy decisions could also trigger potential liability under Title VII and the ADEA if one or more protected class members are denied telework but employees in comparable roles who are outside of those protected classes are allowed to work remotely. Employers’ burden is demonstrating the neutral application of the policy, its job relatedness and its consistency with business necessity.

Fraud

The Unseen Risks of Remote Work: Stopping Employee Fraud Before It Starts

by Prakash Santhana

February 3, 2025

From unauthorized data access to BYOD risks, hybrid work demands smarter strategies to combat employee fraud before it escalates

Read moreDetails

EEOC’s telework guidance

The Equal Employment Opportunity Commission (EEOC) released telework guidance in February 2026 for federal employers. Using established case law and ADA standards to illustrate acceptable and questionable RTO practices, this guidance discussing the Rehabilitation Act also may be helpful for private employers.

While an employer may not have an obligation to continue granting recurring or full-time telework accommodations, it should not ignore the crucial step of conducting an individualized assessment to determine if telework is a reasonable accommodation that should be granted. Where an employer fails to do so “it risks liability in those cases where an individualized assessment would have shown that telework was either the only possible effective accommodation or that an in-office alternative was necessary to maintain an effective accommodation in lieu of telework,” the guidance says.

Thus, if telework was authorized as a reasonable accommodation, the employer already has notice of an employee’s need for accommodation. It would not then “be reasonable or effective . . . to revoke a previously granted telework accommodation and simply tell the employee to submit a new accommodation request,” the guidance says.

The EEOC also recognizes that for larger organizations, the sheer number of individualized assessments to be conducted could be daunting. Its recommendation is to focus on ways to minimize disruptions by evaluating telework accommodations based on organizational units or geographic locations so employees in the same work units or locations receive notice of RTO decisions in a timely and consistent manner.

Taking a flexible approach to the decision-making process concerning requests for reasonable accommodation is also recommended. For example, when a request is “low impact” and straightforward, a front-line supervisor may be the right person to make the call. But with something like telework, which could potentially have significant implications, organizations may want to consider having a centralized sign-off system in place for categories of accommodations, including for “recurring or full-time telework or for accommodations with an anticipated cost above a certain threshold,” the EEOC says

This comes with a word of caution, though, because while the review-and-approval process may be centralized, the need for an individualized assessment of each accommodation request is imperative for ensuring that the employer has engaged in the interactive process in good faith by evaluating available options for addressing an employee’s request for accommodation, any job-related limitations and the essential functions of their role.

Consider, too, that the equal enforcement of an RTO policy is required. For instance, if the employer allows hybrid or remote work to continue for some employees but not others, disparate treatment-based discrimination claims could arise.

Beyond legal considerations

Often driven by corporate narratives championing collaboration and culture and/or financial and operational considerations, RTO mandates could have financial accounting implications.

For example, if a company has a triple-net lease where, as a commercial tenant, it is responsible for the property’s taxes, insurance and maintenance and the building sits vacant, the business may have a strong case for returning employees to the premises. Otherwise, its vacant commercial space could have balance-sheet implications.

Under ASC 360 (US GAAP) and IAS 36 (IFRS), the value of a lease tied to a property where a shift to permanent remote work had been made can trigger a non-cash impairment charge, resulting in a decrease to the reported net income, which can also scare investors. Requiring in-person work could make good financial sense as employees’ physical presence could help avoid an impairment trigger on the asset. 

But that could come at the potential cost of human capital. A study by the University of Pittsburgh found that companies had anticipated better bottom-line results with RTO policy mandates, but actually saw employee satisfaction drop, something that can drive decreased engagement, burnout and absences and ultimately leading to turnover. 

While voluntary resignations can help companies avoid severance payouts, such exits come with additional recruitment, hiring and onboarding costs of up to 200% of each departed employee’s salary, Gallup research shows. 

Alternatives to RTO

Some alternatives to consider include “hot desking,” explained Gleb Tsipursky, CEO of Disaster Avoidance Experts, a boutique consulting and training firm. This flexible workspace model does away with permanently assigned desks, allowing employees to reserve workstations for the specific days when they’re in the office, Tsipursky said. 

“By decoupling headcount from desk count, organizations can dramatically reduce their real estate footprint and shed cumbersome, expensive leases, allowing them to redirect those savings toward the bottom line or strategic investments,” he said.

Consider, too, how rotating team schedules and purpose-built teamwork hubs operate. “To visualize this shift, consider a company that implements rotating team schedules: the marketing team anchors in the office on Tuesdays and Thursdays, while the product team comes in on Mondays and Wednesdays. When they arrive, they aren’t returning to rows of isolated cubicles for heads-down solo work, which is often done better at home. Instead, they arrive at a purpose-built teamwork hub,” Tsipursky said. 

By fundamentally redesigning spaces with open collaboration zones, modular brainstorming areas, soft seating and high-tech conference rooms, organizations move from daily mandates into spaces designed expressly for collaborative tasks, mentoring and team cohesion.

Other alternatives may make sense, too, such as a gradual return to in-office work (i.e., ramping up the number of mandatory in-office days per week over the course of weeks or months) and hybrid schedules, Cano said: “Some employers hold periodic in-person meetings or conferences while generally allowing remote work. There may also be different models depending on the department or work location.” 

The post Navigating Legal & Practical Risks of RTO Mandates appeared first on Corporate Compliance Insights.