Key takeaways:

• • • Country-by-country reporting will only increase in complexity — Australia’s enhanced Country-by-country reporting (CbCR) requirements — reconciling taxes accrued against taxes credited — are a preview of where other high-scrutiny jurisdictions are heading, and companies need to build that explanatory analysis capability now, systematically, rather than scrambling later.

    • There has to be a shared narrative from corporate teams — The EU’s public CbCR is a reputational event, not just a filing. So that means tax, communications, and investor relations teams need a shared narrative before the data goes public — inconsistencies create exposure you do not want to manage reactively.

    • Rethink your filing jurisdiction in light of changes — If EU filing jurisdiction was chosen at initial implementation and never revisited, look again. Guidance has matured, and a more efficient or better-suited option may now be available.

WASHINGTON, DC — Among the many pressing topics discussed in detail at the recent , country-by-country reporting (CbCR) and its ability to reshape the corporate tax industry, certainly had its place. Between escalating local jurisdiction requirements, the , and for deeper explanatory disclosures, CbCR has quietly evolved from a transfer pricing filing obligation into something far more strategically consequential.

The floor is just the floor

The creation of the by the Organisation for Economic Co-operation and Development (OECD) was intended as a minimum standard for countries. And now jurisdictions are increasingly layering additional requirements on top of the OECD’s basic template, resulting in a widening gap between the standard requirements and what tax authorities actually want.

Currently, Australia is the most pointed example. Australian tax authorities are now requiring multinational groups to go beyond the standard CbCR data fields and provide explanatory narratives that reconcile taxes accrued against taxes actually credited. This requires corporate tax departments to bridge the gap between financial statement accruals and their organizations’ cash tax positions in a way that is coherent, defensible, and consistent with positions taken elsewhere.

At the TEI event, panelists explained that for tax departments this will carry complex timing differences, deferred tax positions, or significant jurisdictional mismatches between booked and cash taxes. Indeed, this additional layer of scrutiny will need dedicated attention.

Please add your voice to ¶¶ŇőłÉÄę’ flagship , a global study exploring how the professional landscape continues to change.Ěý

The broader signal matters: Australia will not be the last jurisdiction to move in this direction. So that means that tax departments should treat Australia’s approach as a leading indicator of where other high-scrutiny jurisdictions could be heading. Building the capability to produce this kind of explanatory analysis systematically — rather than scrambling jurisdiction by jurisdiction — would be the smarter long-term investment for corporate tax teams.

Public CbCR in the EU: The transparency ratchet has turned

For US-based multinationals with significant European operations, the EU’s public CbCR directive has fundamentally changed the calculus. Unlike the confidential tax authority filings most corporate tax departments are accustomed to, the EU’s public CbCR rules put organizations’ jurisdictional profit and tax data into the public domain, making it visible to investors, journalists, civil society groups, and organizations’ employees and customers.

The EU framework specifies which entities trigger the reporting obligation and which entity within the group is responsible for making the public filing. That scoping analysis is not always straightforward for complex multinational structures and getting it wrong could present both reputational and legal risk.

Choosing a filing jurisdiction is not purely an administrative decision — it is a choice that affects the regulatory environment that governs the disclosure, the language requirements, the timing, and the interpretive framework that applies to data.

For US-headquartered groups, the implications extend well beyond Europe. Public CbCR data is now being read alongside US disclosures, reporting on ESG activities, and public narratives about tax governance. Inconsistencies, including those technically explainable, could create unwanted noise about the company. This is clearly another reason why the tax function should partner across the business — in this case with the communications team — to make they both are aligned to tell the CbCR story instead of being caught off guard by a journalist or an investor during an earnings call.

Questions that US multinationals should be asking

Fortunately, US multinationals with multiple EU subsidiaries are not required to file public CbCR reports in every EU member state in which they have a presence. Instead, under the EU framework, a qualifying ultimate parent or standalone undertaking can satisfy the public disclosure requirement through a single filing in one EU member state, provided the relevant conditions are met. Germany and the Netherlands have emerged as two of the more popular choices for this consolidated filing approach, given their well-developed regulatory frameworks and the depth of available guidance on what compliant disclosure looks like in practice.

The strategic implication is meaningful. Choosing a filing jurisdiction is not purely an administrative decision — it is a choice that affects the regulatory environment that governs the disclosure, the language requirements, the timing, and the interpretive framework that applies to data. Corporate tax departments that defaulted to a filing jurisdiction early in the EU implementation process should take a fresh look. Regulatory guidance has matured significantly, and there may be a more efficient or better-suited path available than the one originally chosen.

The uncomfortable divergence

There is a notable irony in the current environment. Domestically, the IRS and U.S. Treasury’s 2025-2026 Priority Guidance Plan reflects an explicit focus on deregulation and burden reduction, detailing dozens of projects aimed at reducing compliance costs for US businesses. Meanwhile, the international compliance environment has moved in the opposite direction, adding disclosure layers, explanatory requirements, and public transparency obligations that many US businesses cannot avoid simply because they are headquartered in the United States.

This divergence has a direct implication for how tax departments allocate resources and make the internal case for investment in international compliance infrastructure. The burden internationally is not going down — indeed, it is intensifying — and that argument is now backed by concrete examples rather than projections.

3 things worth doing now

There are several actions that corporate tax teams should consider, including:

Audit CbCR data quality with Australia’s enhanced requirements in mind — If you cannot readily reconcile taxes accrued to taxes credited at the jurisdictional level, that gap needs to be closed before it becomes an authority inquiry.

Revisit EU filing jurisdiction strategy — If your jurisdictional decision was made at the time of initial implementation and has not been reviewed since, it is worth a fresh look before the next reporting cycle.

Develop an internal narrative around public CbCR data before it circulates externally — Your company’s tax story should not be a surprise to the corporate teams involved in communications, investor relations, or ESG — and in today’s world, assuming such news stays quiet is no longer a safe assumption.

While CbCR started as a tool for tax authorities, it today has become something more visible, more public, and more consequential than that — and that trajectory is not reversing any time soon.

You can download a full copy of the Thomson Reuters Institute’s

Key insights:

• • • Non-compliance is significantly more expensive than compliance — Data consistently shows the cost of non-compliance can be greater than proactive compliance investments.

    • Reputational damage and hidden costs often outweigh direct fines — Beyond financial penalties, the damage from legal fees, loss of customer trust, and operational disruptions from non-compliance can inflict long-term harm.

    • Strategic investment in compliance yields a competitive advantage — A robust compliance program builds trust, attracts investors, and demonstrates greater operational resilience in a complex regulatory landscape.

There’s a persistent myth in the business world that compliance programs are a necessary burden, a line item to be minimized and managed rather than invested in strategically. The data tells a very different story, however, and it has for quite some time. For organizations still treating compliance as an overhead expense, it’s time to reconsider the math and view the broader strategic picture.

The numbers don’t lie: Non-compliance costs more

Non-compliance costs are 2.65-times the cost of compliance itself, a finding that dates back to the of multinational organizations. While the average cost of compliance for the organizations in that study was $3.5 million, the cost of non-compliance was much greater. That means simply by investing in compliance activities, organizations can help avoid problems such as business disruption, reduced productivity, fees, penalties, and other legal and non-legal settlement costs.

According to a later report from from 2017 (the most recent set of analytical data on the subject), the numbers have only grown more striking. The study showed that average cost of compliance increased 43% from 2011 to 2017, totaling $5.47 million annually. However, the average cost of non-compliance increased 45% during the same time frame, adding up to $14.82 million annually. The costs associated with business disruption, productivity losses, lost revenue, fines, penalties, and settlement costs add up to 2.71-times the cost of compliance.

And these non-compliance costs from business disruption, productivity losses, fines, penalties, and settlement costs, among others aren’t simply abstract risks. They’re real, recurring, and measurable, and they don’t stop with the fine itself.

Beyond the fines themselves, legal costs are a significant and often underestimated component of non-compliance.

This gap between compliance and non-compliance provides evidence that organizations do not spend enough of their resources on core compliance activities. If companies spent more on compliance in areas such as audits, enabling technologies, training, expert staffing, and more, they would recoup those expenditures and possibly more through a reduction in non-compliance cost.

While the math here is straightforward, the strategic case is even clearer. Compliance isn’t overhead; rather, it’s an investment with a measurable, proven return.

The hidden costs: Legal fees, fines & reputational fallout

Regulatory fines get the headlines, but they represent only part of what non-compliance actually costs an organization — a cost that has only risen over time. As of February, a total of 2,394 fines of around €5.65 billion have been recorded in the database, which lists the fines and penalties levied by European Union authorities in connection with its General Data Protection Regulation (GDPR).

Beyond the fines themselves, legal costs are a significant and often underestimated component of non-compliance. Regulatory norms are shifting constantly and navigating them requires specialized expertise. As quickly as the rules change, outside counsel and compliance specialists must keep pace, and that knowledge comes at a price. Every alleged compliance violation triggers an immediate need to engage qualified counsel, adding to a cost burden that compounds quickly and unpredictably.

Then there is reputational damage, perhaps the most enduring consequence of all. The cost of business disruption, including lost productivity, lost revenue, lost customer trust, and operational expenses related to cleanup efforts, can far exceed regulatory fines and penalties. Consider , whose compliance failures around its anti-money laundering (AML) efforts became a cautionary tale for the industry. TD Bank’s massive $3 billion in fines from US authorities wasn’t just the result of a few missteps; rather, it was caused by years of deep-rooted failures in its AML program, pointing to a culture that prioritized profit over compliance.

The findings from both the 2011 and 2017 studies provide strong evidence that it pays to invest in compliance.

TD Bank’s failure to make compliance a priority not only led to a huge fine but also seriously damaged its reputation, with revising TD’s outlook to negative in May 2024, where it remains. This is the kind of a reputational stigma that can take years to repair.

Leveraging compliance as a competitive advantage

There is also a positive side of the ledger that often goes unacknowledged. A robust compliance program signals to investors, partners, and clients that an organization is well-governed and trustworthy. That reputation doesn’t just retain market value; it actively attracts it.

Organizations that cut corners in compliance risk engaging in a short-sighted, high-risk strategy that will ultimately result in a negative outcome for the organization. Businesses that take compliance seriously tend to operate with greater predictability, fewer surprises, and stronger stakeholder confidence.

The 2017 Ponemon and Globalscape and study found that, on average, only 14.3% of total IT budgets were spent on compliance then, not much of an increase from the 11.8% reported in 2011. This clearly indicates that organizations are underspending on core compliance activities in the short term and aren’t prepared to allot further resources as the years go on. That gap represents not just risk, but a clear missed opportunity.

“The findings from both the 2011 and 2017 studies provide strong evidence that it pays to invest in compliance,” explains Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “With the passage of more data protection regulations that can result in costly penalties and fines, it makes good business sense to allocate resources to such activities as audits and assessments, enabling technologies, training, and in-house expertise.”

The organizations that recognize compliance as a strategic function, not a reactive one, are the ones that will earn the trust of clients, the confidence of investors, and the operational resilience to weather an increasingly complex regulatory environment. The data is clear, and the choice is a critical one.

Please add your voice to ¶¶ŇőłÉÄę’ flagship , a global study exploring how the professional landscape continues to change.Ěý

Key insights:

• • • Nature-related risks underreported — Companies’ nature-related interfaces are underreported across industries, despite being increasingly seen as decision-useful information for investors and regulators.

    • Stricter requirements for disclosure growing — Both voluntary and mandatory frameworks are increasing their requirements for nature-related disclosure.

    • Organizations should be proactive — Getting ahead of disclosure trends means that organizations should be measuring their nature-related interface as well as integrating nature-positive transition planning to their business strategy.

As the impacts of nature loss become more prevalent, companies are on business risk and performance. This is due to both physical nature-related impacts and increasing stakeholder pressure on organizations to integrate long-term nature-positive strategies. Managing nature-related impacts and dependencies is a framework-driven mandate for all boards of directors to consider.

Why nature matters

All businesses impact and depend on the four realms of nature: land, freshwater, ocean, and atmosphere to some extent, with the highest impact sectors being . These dependencies could include the provision of water supply to an organization, or services provided by nature to a business, such as flood mitigation. A could result in a $2.7 trillion GDP decline annually by 2030. In turn, most businesses also positively and negatively impact nature.

Financial flows that were determined to be harmful to biodiversity reached , including private investment in high impact sectors, with only $213.8 billion (€184.6 billion) invested in conservation and restoration. Despite this financing gap, less than 1% of publicly reporting companies currently disclose biodiversity impacts, indicating the need to align incentives and policies with nature-related outcomes.

Indeed, nature does not have a single indicator, like greenhouse gas (GHG) emissions; instead, its measurement involves multiple complex, location-specific factors. Despite this, disclosure of nature-related risks and impacts are increasingly being required by regulators.

Regulatory incentives to disclose

The disclosures being driven by regulatory frameworks include material information on all nature-related risks, particularly those requested by the International Sustainability Standards Board (ISSB) and European Sustainability Reporting Standards (ESRS). The ISSB Biodiversity Ecosystem and Ecosystem Services project (BEES) was initially considered a research workplan but was modified to a standard-setting approach.

Through its work, the ISSB due to: i) the deficiencies in the type of information on nature-related risks and opportunities reported by entities, which are identified as important in investor decision-making; and ii) the requirement of nature-related information that is not included in climate-related disclosures, including location-specific information on nature-related interface and nature-related transition planning.

On Jan. 28, all 12 ISSB members voted to , which included two important implications. One is that standard setting is to cover all material information on nature-related risks and opportunities that could be expected to affect an entity’s prospects. And two, it mandated that entities applying International Financial Reporting StandardsĚýS1 and S2 for climate-related disclosures supplement these with nature-related risks and opportunities disclosures as well.

Similar to the ISSB requirements to report material nature-related risks and opportunities, the ESRS also requires information to be disclosed for material impacts, risks, and opportunities found in an entity’s double-materiality assessment. The Task Force on Nature-related Financial Disclosures (TNFD) and its European counterparts have been in close collaboration since 2022, and all 14 TNFD recommendations have been incorporated throughout the ESRS environmental standards.

Companies that are required to comply with the EU’s sustainability reporting mandate also will be required to collect similar data for their future ESRS data points disclosure.

Alongside regulatory requirements, there are voluntary requirements and investor pressure to consider for many organizations. These include investor coordination initiatives on nature such as Nature Action 100 and considering which investors look at Carbon Disclosure Project (CDP) data.

To use the CDP as an example, 650 investors with $127 trillion in assets they needed in 2025. Further, the CDP is increasing its disclosure requirements for nature-related data in its questionnaire as it progresses to . This includes, for example, requiring disclosures on environmental impacts and dependencies for disclosers, enhancing commodities included in the forests questionnaire, and introducing oceans-related questions in 2026.

All of these heightened requirements underscore the need to measure a company’s nature-related impacts and proximity to its nature-related issues.

Implications for company boards

To align with these additional requirements and investor expectations, corporate decision-makers should consider the questions they are asking related to nature, as well as what data is being collected in relation to the organization’s impact on nature. The following steps can give leaders a starting point for how boards should consider this information:

Track relevant developments in regulatory and investor standards — Ensure there is a management-level understanding of how nature is considered in relevant standards for the company based on its current and anticipated locations of operation and specific industry.

Measure nature-related risks and opportunities — Given that identifying material nature-risks, with a particular focus on location specificity, is a common first step across current mandatory and voluntary regulatory frameworks, organizations should conduct a regularly updated, location-specific assessment on the company’s interface with nature, especially in instances in which these issues are material. Organizational leaders should also produce financial quantification of these risks within an overall materiality assessment and corporate risk register. For guidance, the best practice across these regulatory and disclosure frameworks is to utilize the .

Make further disclosure of any material nature-related information, including financial quantification — Frameworks such as the ESRS require further disclosure of any risks that are found to be material, including financial quantification and scale of the risk.

Integrate mitigation of nature-related risks in business strategies — Upcoming standards and research, such as that from the ISSB, indicates that missing disclosure includes company’s nature-positive transition planning. Consider how to integrate nature into long-term business strategies for full alignment with upcoming regulations and standards, including establishing nature-related governance.

Adopting these processes and integrating nature into corporate decision-making will provide corporations with a more future-proof and resilient business model. The increased adoption of nature within these frameworks is driven by the clear economic impact that our current loss of nature is having. This will only continue to become more of a priority as the impacts of nature loss are increasingly felt worldwide.

You can find out more about theĚýsustainability issues companies are facing around the environmentĚýhere

Key insights:

• • • ESG is becoming more operationalized — ESG is being conducted with a lower public profile while also playing an increasingly strategic role in supplier governance frameworks.

    • Data collection remains widespreadand robust — Companies continue to collect comprehensive ESG data from their suppliers.

    • Technology usage in ESG is increasing — Greater investment in automation demonstrates continuing commitment to effectively managing ESG.

Environmental, social and governance (ESG) issues have played an increasing role in global trade operations in recent years. As the United States government sharply pulled back its role in encouraging ESG in global trade in 2025, concerns were raised over whether that would impact ESG efforts globally.

However, ESG-related efforts in global trade have not diminished, although they are evolving in form and positioning, according to the Thomson Reuters Institute’s recent 2026 Global Trade Report. In fact, the report’s survey respondents said that ESG data collection from suppliers is now largely structurally embedded in trade operations, although at the same time, it is being carried out with a lower public profile than in previous years.

ESG management remains a core trade function

Managing ESG remains one of the most widespread responsibilities among trade professionals. Almost two-thirds (62%) of those surveyed said their role includes ensuring ESG compliance throughout the supply chain. That represents a higher percentage than for other responsibilities, such as procurement and sourcing, supplier management, trade systems management, risk management, customs clearance, and regulatory compliance. The only more widespread role being done by those global trade professionals surveyed is business strategy for global trade and supply chain.

More importantly, ESG remains integral and nearly universal when it comes to the supplier selection process. All respondents in the Asia-Pacific region (APAC), Latin American and the European Union-United Kingdom, as well as 99% of US respondents, report that ESG considerations remain moderately important, important, or very important in influencing their decisions around using a supplier. And overwhelming 78% say it is an important or very important consideration.

Clearly, as the report demonstrates, ESG remains a core component of the trade function for most businesses.

ESG moves toward structural governance frameworks

Only a very small proportion of respondents — 3% in the US and 4% globally — said they stopped ESG-related data collection entirely in 2025. Meanwhile, ESG data collection has increased across several major metrics.

As companies move to embed ESG expectations directly into their supplier governance frameworks, they are shifting these efforts from being a publicly declarative initiative to becoming operationalized as a permanent compliance and sourcing discipline alongside other operational considerations.

Businesses are focusing on supplier information in areas that have direct operational relevance. For example, companies collecting data on Free Trade Agreement (FTA) eligibility status for ESG purposes can also leverage the data to reduce costs, ensure supply chain security through Customs Trade Partnership Against Terrorism (CTPAT) participation, and better maintain compliance with country-of-origin requirements. Similarly, Country of Origin (COO) and Authorized Economic Operator (AEO) status are both classified under ESG but are also highly trade operations specific. These metrics merge the lines, representing areas in which ethical considerations intersect with practical trade strategy.

Supplier data collection is shifting to operational relevance as well. Indeed, the scope of supplier data being gathered remains broad and reflects a holistic view of the supply chain. The most common areas for ESG data collection in 2025 were: i) environmental metrics, such as water usage, waste management, energy management, and carbon emissions, including Scope 3 emissions; ii) social metrics, such as health and safety, labor standards, human rights including modern slavery or indentured service, and diversity in employees; and iii) governance and compliance, including data privacy, business ethics, and anti-corruption.

Data collection from suppliers

Meanwhile, ESG data collection has been scaled back in areas such as trade evaluation, AEO/CTPAT status in some jurisdictions, diversity in ownership, and anti-corruption assessments. The most cited reason for the pullbacks was insufficient cost-benefit return for collecting data in areas in which customer scrutiny was minimal. This trade-off reflects a rational reprioritization: companies are focusing their ESG diligence in areas in which regulatory risk is more material rather than reputational.

Integrating ESG into broader trade workflows

The report also shows that businesses are leveraging ESG to make it more operationally effective, drive greater efficiency, reduce costs, and add greater value for the organization. ESG is becoming less of a marketing and brand building exercise, and more of a compliance and sourcing discipline that factors into strategic decision-making — it is subject to the same analytical rigor as financial or operational risks.

To this end, organizations are less prone to make a string of bold public goals and commitments, or issue standalone ESG reports, updates, or scorecards that tout their progress. Instead, ESG data is being seamlessly embedded into supplier evaluation and selection alongside non-ESG business metrics and other considerations. As such, organizations are using ESG to quietly build the structural frameworks, data infrastructure, and management approaches they’ll need for more strategic planning.

ESG is shifting to strategically supporting business growth and away from reputational focus

Helping this shift along, the report shows, is that the use of technology to manage ESG has accelerated significantly in 2025. One-third of respondents said their organizations use automated ESG solutions, a major increase from only 20% in 2024. This provides a clear indication that more organizations are not only continuing but strengthening their commitment to effectively managing ESG.

And this provides a boost, because greater automation can improve the efficiency and ability of trade professionals to manage ESG efforts, further enhancing the integration of ESG data into other operational workflows as organizations incorporate ESG data to drive greater value.

What lies ahead for ESG

ESG practices and organizations’ embrace of them remain near-universal across trade operations. This continuation presents a clear indication that there is no widespread retreat from ESG management. For trade professionals, ESG is here to stay and is evolving into an operational discipline to help grow their business.

For organizations to have continued success in this evolving ESG environment, they should take several steps that require strategic thinking, including:

• • • Identify which metrics truly matter — Connect ESG metrics that affect trade operations, particularly those that impact supply chain cost, efficiency, and reliability.
    • Invest in the technology infrastructure — Improve efficiency in tracking and analyzing key ESG metrics.
    • Articulate ESG value — Develop the ability to demonstrate the value of ESG to the trade function and communicate it in business terms to senior management.

The shift of ESG towards operational trade management may represent a more sustainable long-term path forward than the earlier wave of ESG enthusiasm — embedding ethical considerations into core business processes rather than treating them as separate compliance exercises. By focusing on metrics that genuinely matter to business operations, companies are building practices that will persist regardless of any political winds or public relations trends.

Those corporate trade departments that can skillfully navigate this evolving environment will be positioned to more effectively leverage ESG considerations as a strategic asset and competitive differentiator. And in an increasingly complex and volatile global trading landscape, they will find themselves playing a more central role in their organizations’ success.

You can download a copy of the Thomson Reuters Institute’s 2026 Global Trade Report here

Key highlights:

• • • Treat AI use as a material sustainability driver — Bring AI explicitly into financial materiality and impact assessments so you can see where AI changes the scale or severity of existing issues or introduces new risks or opportunities.

    • Map, measure, and baseline AI demand to make it governable — Create an inventory of in which situations or how often AI is used and establish utilization metrics over time so you can spot growth, redundancy, and hotspots.

    • Control AI impact through policy, oversight, and supplier expectations — Set rules for appropriate AI use and triggers for extra review before scaling AI, and manage impacts whether AI is in-house or provided by vendors.

While AI clearly already is changing how companies operate and deliver, it’s also demanding changes in how sustainability systems are designed and governed. Indeed, much focus to date has been on the environmental impact of AI’s energy use, water consumption, and supply chain challenges.

Yet, there is another side to consider that involves examining how AI itself is used within organizations. It is important to understand where AI is applied throughout an organization, how often it is used, and whether those uses are necessary — and most crucially, how and when the review processes is applied. By including AI in materiality assessments, a clear track is set for its deployment, with systems in place to address any environmental and social impacts and risks that arise before they become problems.

To ensure effective value creation of AI use, organizational leaders need to focus beyond the footprint, by mapping their AI use, defining control and review processes, developing systems for ongoing quantification, and reporting transparently. The goal is to manage AI’s impact from the inside out, making sure the benefits are worth the risks and that sustainability remains a priority.

Bringing AI use into materiality and impact assessments

Financial materiality and impact assessments provide a practical basis for governing AI through the structured process of identifying and prioritizing significant impacts. Many sustainability topics influenced by AI use — including energy demand, emissions, water use, and workforce effects — are already assessed in existing materiality exercises. What is often missing is an explicit examination of how AI alters the drivers of those impacts.

The International Sustainability Standards Board’s centers on financial materiality, which is defined by whether a topic could reasonably be expected to influence the decisions of investors or other users of financial statements. How AI is used within companies undoubtedly influences the risks and opportunities the company faces and certainly can affect a company’s financial position.

Early closures aligned with the European Union’s Corporate Sustainability Reporting Directive (CSRD) suggest that AI is typically addressed within broader topics such as workforce impacts, digital governance, or business conduct rather than identified as a standalone source of dependencies, impacts, risks, and opportunities. This reflects the difficulty of assessing impacts that are indirect, cumulative, and demand-driven, and topics in which regulations and best practices are still evolving.

Bringing AI into materiality assessments requires assessing whether its use alters the scale or severity of existing impacts, introduces new risks and opportunities, or creates dependencies that warrant prioritization.

In practice, determination of the materiality of AI hinges on understanding scale and concentration — such as in which situations it is used or embedded in critical workflows and the scale of applications across functions, tools, and systems. Mapping AI use across use cases and delivery models can help provide the basis for determining in which instances AI meaningfully alters environmental, social, or financial exposure.

Once these priority areas are identified, organizations then can move from qualitative assessment to structured oversight by establishing a baseline for AI utilization and its associated potential impacts.

Governing AI demand through policy

Once a basis of materiality for AI is determined, the next governance step is to shift towards control, primarily through policy that’s supported by proportionate measurement of demand.

As access to AI expands, it can become a default tool for routine tasks, increasing demand through duplication and persistent use cases without sufficient oversight or challenge. Policies then can set expectations for appropriate application, conditions to assess depth relative to task value, and crucially, what conditions should trigger additional review before AI is scaled or embedded into core work processes.

Quantification underscores these policies by making AI use visible over time and by tracking its impact. For most organizations, the starting point for measuring AI impact is obtaining a consistent view of utilization and its evolution. This determination of scale will then later support the precise attribution of energy or emissions. Comparing precise indicators to utilization will enable leaders to establish a baseline and then support effective identification of growth, potential redundancy, and overall impact.

Managing AI’s impact

Where organizations own or operate their own AI infrastructure, management responsibility will sit within established operational controls, including decarbonization of electricity supply, managing cooling water use, and overseeing hardware lifecycles, such as refurbishment, reuse, and recycling. Governance also explicitly needs to cover model training and retraining, especially in areas in which concentrated energy and water demand can arise. In fact, it should be subject to planning and review rather than treated as a purely technical decision.

Where AI capability is accessed through external or third-party providers, these same impact areas must be addressed through policy and a rollout of supplier engagement practices that link disclosure with procurement decision-making. Management without direct control necessitates setting expectations and engaging external providers on energy sourcing, water stewardship, hardware management, and transparency around model training practices and associated impacts.

Governing AI as an impact on sustainability

AI’s sustainability effects depend on infrastructure efficiency, energy sources, and governance of its use in organizations. That means that effective management must include assessing material impacts, setting policies for demand and monitoring, measuring results, and making transparent reporting.

Treating AI as a source of managed sustainability can better help mitigate risks and ensure that the environmental and social effects of AI use are aligned with value creation.

You can find out more about here

Key takeaways:

• • • Real-time oversight and strict compliance — Mexico’s SAT now requires digital platforms to provide real-time access to transaction data and withhold taxes at the source, with severe penalties, including service blocking, for non-compliance.

    • Major technological and operational demands — Platforms must invest in secure, scalable systems for data sharing, billing, and cybersecurity, and small businesses likely will face extra challenges adapting to these requirements.

    • New roles for legal and tax professionals — Lawyers and accountants will be essential in guiding businesses through compliance, privacy, and operational risks, as well as supporting technology integration and adapting to the demands of Mexico’s digital tax environment.

Mexico’s digital tax overhaul is more than a regulatory update — it’s a fundamental shift that will reshape how businesses in that country operate online. By granting the Tax Administration System (SAT) real-time access to platform data, the government aims to curb tax evasion and strengthen collection in the digital economy. This means platforms like Amazon, Uber, Netflix, TikTok, DiDi, and Mercado Libre must now share transaction details as they happen, which will mean unprecedented compliance, technology, and operational challenges for companies and professionals alike.

Platforms must also — 2.5% for income tax (ISR) and 8% for value added tax (IVA). If a seller does not give a tax ID number (RFC), the platform will keep up to 20% of the payment; and, if the platform does not comply, SAT can block the service in Mexico until the problem is fixed. That means users will not be able to access the platform until it follows the law.

The goal of all this is to make tax collection fair and stop fake invoices and false transactions. The law also adds ; now, selling fake tax documents online can lead to two to nine years in prison.

These new tax measures also raise questions about with the United State-Mexico-Canada Agreement (USMCA or T-MEC), because some proposals — such as increased data access and stricter penalties for digital platforms — could conflict with the treaty’s provisions on cross-border data flows and platform liability.

Indeed, this shift is part of a wider digital transformation in Mexico, as seen not only with the new biometric CURP for identity verification, but also with SAT’s adoption of AI-driven smart auditing — both of which bring new opportunities and challenges for compliance, security, and public trust.

Technological impact on companies

These latest rules mean big changes for tech systems. Platforms must create secure connections for SAT to access their data, although they may use APIs or that send transaction details in real time.

Companies will need stronger cybersecurity policies because opening a permanent link to SAT creates risks, especially considering the high value of data that will be flowing through the system en masse. At a minimum, businesses will need to invest in heightened encryption to protect data, authentication systems to control access, and monitoring tools to detect unusual activity

Platforms also need to update their . Every sale must include correct tax retention and generate a digital invoice (CFDI). For larger platforms that process millions of transactions daily, this means building high-capacity systems to avoid delays or errors. These platforms will also need data pipelines to handle the huge volumes of information and, in turn, send that to SAT without slowing down the services of SAT or themselves.

Small companies and startups may face extra challenges. They might not have the money or staff to make these changes quickly; and they likely will require the assistance of technology providers or consultants to implement new solutions such as compliance-as-a-service and automated tax reporting software.

Challenges and opportunities for tax and legal professionals

For lawyers, these rule changes will create new work areas. Companies will need legal advice to comply with the new rules and protect user privacy. Lawyers, for example, can help draft policies, negotiate limits on data sharing, and design compliance programs.

There will also be litigation opportunities. Many that real-time accesses could violate privacy rights and even the Mexican Constitution, with legal challenges likely by companies as a result. However, due to the recent amendments to the Amparo Law, many of these lawsuits could be frustrated at the outset, because the new Amparo requirements demand the claim of direct and personal harm and impose stricter limits on judicial suspensions, making it harder for platforms to obtain effective protection against real-time monitoring.

For accountants and tax advisors, the challenge is operational. They must help businesses manage new tax retentions and keep accurate records. Many smaller businesses, especially in retail, will need help registering with SAT, issuing invoices, and recovering taxes withheld. Accountants will also need to plan for their clients’ as a result of the retentions potentially reducing liquidity.

Both professions are likely to see more demand for their respective services. Lawyers will focus on compliance and defense matters, while accountants will handle routine tax activities; however, both will be involved in technology integration. Professionals who combine legal or tax knowledge with these needed tech skills will have a big advantage.

Adapting to Mexico’s real-time tax landscape

Real-time tax monitoring is a major shift for Mexico’s digital economy, and it aims to increase tax collection and reduce fraud, but it also brings big risks and costs. And the success of this big fiscal change depends on balance. Authorities must ensure strong security and clear limits on data access, and they should also offer support to small businesses, either in educational or instructional fashion, to help those enterprises that may have fewer resources at their disposal to navigate this turbulence.

If implemented well, however, this system could make Mexico’s tax collection more efficient and fairer. If not, these changes could lead to privacy violations, higher costs, and even less participation in the digital economy by smaller entities.

Indeed, Mexico is entering new territory with these rule changes, and the world will be watching carefully as this could become a model for other countries’ digital tax compliance — or it could become a cautionary tale of what happens when technology and regulation collide without enough safeguards.

You can find out more about theĚýregulatory and legal issues impacting MexicoĚýhere

Key insights:

• • • Elevate AI governance to the board — Companies should tie their AI deployment to enterprise risk management with explicit KPIs for energy intensity, water withdrawals and consumption, and supply‑chain human rights.

    • Make transparency a competitive asset — Implement auditable disclosures on AI workload footprints, water stewardship, and supplier traceability, and then link executive compensation and vendor contracts to measurable efficiency and resiliency outcomes.

    • Demand transparency despite practical challenges — Although demanding transparency from suppliers may not be practical now due to current challenges, collectively asking for detailed information sends a notable requirement to AI infrastructure providers that the company is seeking to drive change and preserve trust in an AI-driven economy.

AI now sits at the center of corporate sustainability governance as it supercharges data gathering, analytics, and reporting. Indeed, there is is areas of energy optimization, emissions monitoring, land‑use assessment, and climate scenario analysis.

At the same time, AI’s rise is colliding with sharply growing electricity and water demands from data centers and concerns over geopolitically exposed supply chains. The governance challenge for companies therefore is to manage risk at this intersection. This means treating AI as a capital‑intensive, cross‑border infrastructure program whose environmental footprint and supply dependencies must be actively governed.

Why electricity and water are now board‑level AI risks

AI has turned electricity and water from background utilities into constraints that should be dealt with on the board level. Indeed, AI magnifies water risk across cooling, power generation, and chip manufacturing. This makes sourcing and efficiency choices strategic imperatives for many organizations.

Electricity demand — AI use and the data centers that power the tools already account for a significant and rising share of electricity use in the United States. The finds , a figure poised to grow as AI workloads scale. Forward‑looking projections from the U.S. Department of Energy indicate that by 2028 could be attributed to AI workloads.

If you translate those projections into , you can get an idea of the potential magnitude of the problem. Together, these sources suggest that the fastest‑growing part of AI’s energy appetite is not just for training models, but the steady, pervasive inference capabilitiesĚýrequired to power AI features in everyday products and operations.

Direct and indirect water use — Data centers powering AI also negatively impact local water footprints. It shows up in three places: i) data‑center cooling; ii) the electricity feeding those facilities, including thermoelectric and hydroelectric generation; and iii) AI’s own hardware supply chain. In regions already facing scarcity, these demands compound local stress. For example, the average per capita water withdrawal is 132 gallons per day; yet a large data center consumes water .

This makes data centers one of theĚý in the country, which incidentally is home to . At the end of 2021, aroundĚý from moderately to highly stressed watersheds in the western US. This is a common situation as well.

Geopolitical exposure — The hardware that powers AI includes advanced logic and memory chips, which depend on concentrated manufacturing nodes and supply chains with access to critical minerals. Extraction and processing of inputs, such as lithium and cobalt, are often clustered in jurisdictions with elevated levels of human‑rights, environmental, or geopolitical risk. This potential amplifies exposure to export controls, sanctions, or resource nationalism, especially directly for companies’ supply chains and indirectly for those companies using AI.

Companies need to ensure their communication on legal and policy issues are pointing in the same direction in regard to these concerns. Indeed, companies need to deepen value‑chain due diligence while navigating evolving supply‑chain and AI‑specific regulatory regimes.

Recommended actions for companies

These intersections have clear implications for corporate governance. AI’s promise to accelerate decarbonization, improve transparency, and strengthen decision‑making will be realized only if leaders can properly manage the physical, political, and social realities underpinning the technology. Recommended actions to manage risk in areas in which AI and geopolitics converge include:

Demand transparency in electricity and water consumption of AI infrastructure — Companies building AI infrastructure need to conduct AI workload planning. Companies using AI can demand transparency of their suppliers’ 24- to 36-month forecast of training and inference by region with overlays in grid carbon and local water stress to better understand their indirect environmental impacts.

De‑risk impact by incentivizing clarity in supply chains — Companies using AI can begin asking AI infrastructure companies to provide due diligence in tier 2, 3, and 4 suppliers, all the way down to smelters, refiners, and miners to make sure that companies are not indirectly contributing to environmental and social harms.

The bottom line

While these recommendations generally align with evolving corporate practices in sustainability and risk management, the challenge of implementation will vary based on the company’s size, influence over suppliers, and existing governance structures. The most challenging aspect will likely be achieving transparency and clarity in supply chains, which requires cooperation from suppliers and the investment of potentially significant resources.

At the same time, however, if more companies collectively ask for this level of detailed information from their AI infrastructure providers, it will send a notable demand signal. Indeed, AI is both a sustainability tool and a sustainability liability, but its benefits will be realized only if leaders confront the physical and geopolitical constraints that make AI possible.

Those companies that begin asking for this level of transparency can preserve the trust that underwrites their license to navigate successfully in an AI‑driven economy.

You can find out more on the sustainability issues companies are facing around the environment here

Key takeaways:

• • • Smart resource efficiency and decarbonization are good differentiators —Concrete gains in decarbonization, smarter resource efficiency, and rigorous human-rights due diligence increasingly distinguish market leaders from the rest.

    • Consideration for voluntary reporting is required — Companies should keep strengthening ESG data governance, involve finance and audit early, and consider voluntary alignment to maintain credibility with investors and supply‑chain partners regardless of legal thresholds.

    • Ongoing monitoring of regulation is critical — Legal uncertainty will continue, likely even up to the final decision. Companies should expect ongoing uncertainty and legal risk throughout the rest of this year.

The European Union’s effort to streamline its sustainability rulebook has entered a decisive stage. Through the Omnibus initiative, the European Commission aims to align and simplify overlapping environmental, social, and governance (ESG) regulations, particularly its Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD). Framed as a push to enhance competitiveness, the Omnibus package reflects a broader recalibration that seeks to balance economic pragmatism with the EU’s sustainability ambition. The current goal is to finalize the legislative process by the end of 2025.

Over the past three years, the EU has assembled one of the world’s most far‑reaching reporting frameworks. CSRD seeks consistency and comparability in disclosures, while CSDDD extends human‑rights and environmental responsibilities across value chains. The Omnibus would narrow which companies report, reduce data points, and limit due‑diligence obligations mainly to tier‑one suppliers.

Proponents argue this will ease compliance and focus effort where it matters most. Critics fear that fewer reporters and fewer metrics could dilute accountability and the CSRD’s role as a global benchmark.

Debating the details

Decision‑making now shifts to the European Parliament and the Council, followed by a trilogue, in which the institutions converge on a compromise text. The Council has already staked out a position to raise the CSRD turnover threshold to €450 million from €50 million, which would significantly reduce the number of companies under its scope. Inside Parliament, center‑right groups prioritize deregulation and cost relief, while left‑leaning groups press to maintain or strengthen standards and comparability.

What happens next will determine scope and granularity. If thresholds rise and data points drop, complexity and audit costs decline, especially for smaller and midsize companies. Yet comparability could suffer if disclosures become thinner or less standardized.

The central question is whether simplification improves usability or merely softens obligations. Striking the right balance will shape the EU’s standing as a standard‑setter and the usefulness of ESG data for capital allocation, supply‑chain management, and regulatory oversight.

Reactions remain split. Business groups welcome burden relief and a narrower due‑diligence perimeter as pro‑competitiveness measures. Civil‑society organizations and some investors, on the other hand, warn that scaling back disclosures could undermine transparency, reduce comparability across sectors and borders, and weaken incentives for meaningful action on environmental and social issues. The debate underscores the persistent tension between short‑term economic pressures and long‑term sustainability objectives at the heart of the Omnibus process.

What companies should do now

For companies preparing for CSRD, the Omnibus adds uncertainty. While some smaller organizations may fall outside scope, larger enterprises must continue under a simplified regime. Practical steps include maintaining strong ESG data governance, engaging finance and audit teams early, and focusing on material topics that drive performance and risk management. Companies also should track institutional positions through 2025 and adjust their programs, targets, and controls as the final contours emerge.

Regardless of their position under the current or future framework, several strategic actions can help businesses stay prepared and maintain credibility with investors and regulators alike, including:

• • • Continue to strengthen sustainability data and governance — Even if the reporting scope narrows, robust ESG data management remains essential. Companies should ensure that internal processes, data systems, and oversight structures can deliver consistent and verifiable information. This will reduce compliance risks and position those companies well for any future expansion of requirements.
    • Consider voluntary alignment with simplified frameworks — Some firms potentially falling outside CSRD scope may still benefit from voluntary reporting under frameworks such as those for small and midsize entities (SMEs). This supports transparency with lenders, investors, and supply-chain partners that increasingly may expect sustainability disclosures, regardless of legal thresholds.
    • Focus on decarbonization and risk mitigation — Beyond reporting, tangible progress on decarbonization, resource efficiency, and human-rights due diligence remains a critical differentiator. Companies that integrate these areas into strategic risk management will be better equipped to respond to global sustainability standards and maintain market access in Europe.

The Omnibus represents more than a technical adjustment to EU sustainability rules. Indeed, it is a test of how effectively the bloc can balance economic pragmatism with ambitious climate and social objectives.

While the Omnibus may lead to political compromise, it does not fully close the door on legal risk. that certain proposed changes could conflict with EU principles of proportionality and the Charter of Fundamental Rights, particularly in the absence of comprehensive impact assessments.

For companies in Europe, the key takeaway is that even after legislative adoption, the regulatory landscape may continue to evolve, which will make ongoing monitoring essential.

You can find out more about the challenges corporations face with regulatory enforcement here

Key insights:

• • • Debanking can have harsh consequences — Losing a bank relationship can abruptly cut off finances and damage reputations, often excluding people and firms from basic economic life, often without a clear explanation.

    • The core tension for banks — Financial institutions need to balance the risk between AML/KYC and fraud versus preserving fair access to financial services. As reputational and ideological factors enter into decision-making, concerns about discretion and due process grow.

    • Policy is moving toward guardrails — Already many policymakers are pushing for clearer documentation, transparent notices, a common-sense path to appeal, and a bright line between financial‑crime risk and other risks.

Financial institutions serve as the foundation of the modern economy. Nearly every transaction — from paying for services to buying a cup of coffee — depends on an institution that facilitates or underwrites these exchanges. In this interconnected system, access to banking relationships has become essential for meaningful economic participation for individuals and organizations.

This dependence creates significant consequences for society. Without access to banking services, both businesses and individuals face significant barriers to participating in the economy. Businesses cannot easily pay their employees, fulfill tax obligations, or conduct basic commercial activities. Similarly, individuals struggle to receive payments and manage their personal finances. When institutions terminate these relationships, they effectively exclude people and businesses from the broader economic system. This reality applies to both traditional banks and modern FinTech companies.

Given banking relationships’ critical role in economic participation, the circumstances under which these relationships end deserve careful examination. Financial institutions face ongoing challenges in determining which customers they can serve while meeting regulatory obligations and business objectives. This decision-making process has evolved and can ultimately lead to what experts call debanking — a practice that involves closing accounts and terminating interactions between debanked individuals or organizations and the financial institutions doing the debanking.

What debanking is — and isn’t

The impact of debanking extends far beyond the inconvenience of closing an account. Affected individuals may face extended periods without access to essential funds needed for survival, and they often suffer lasting reputational damage that may cause other financial institutions to reject them as well. Most concerning, however, is that banks rarely provide clear explanations for debanking decisions, leaving individuals unable to address potential misunderstandings or prevent future occurrences.

Without access to banking services, both businesses and individuals face significant barriers to participating in the economy.

This lack of transparency and the cascading effects of banking exclusion demonstrate the profound power that financial institutions hold in determining who can fully participate in the modern economy. This also causes concern about who holds this power and how it can ultimately be kept in check.

Not surprisingly, the concept of debanking has become a contentious issue in the financial sector, with proponents and critics presenting varying perspectives on its implications. At its core, debanking most often occurs when financial institutions terminate or refuse to establish customer relationships, often due to concerns about risk management or regulatory compliance.

Financial institutions argue that debanking is a necessary measure to mitigate potential risks, such as money laundering, terrorist financing, and other fraudulent activities by certain individuals or businesses. By terminating these illicit customer relationships, banks aim to protect themselves from reputational damage, financial losses, and regulatory penalties while maintaining financial system integrity and adhering to anti-money laundering (AML) and know-your-customer (KYC) regulations.

Critics, on the other hand, argue that debanking can have unintended consequences, particularly for marginalized communities and individuals who may not have access to alternative financial services. This can lead to financial exclusion, making it difficult for people to access basic banking services, such as deposit accounts, credit, and payment processing services.

However, the scope and application of debanking practices have expanded beyond traditional risk-based criteria. Questions have emerged regarding the appropriateness of account closures based on reputational concerns, political associations, or ideological considerations. This broader application has intensified public discourse about the boundaries of institutional discretion and the potential implications for financial inclusion.

Policymakers now are working to ensure that banks can address genuine risks without discriminating against customers based on their lawful views.

To navigate this issue, financial institutions need to follow a balanced approach. This involves enhancing transparency, providing channels for appeal or alternative services, and refining regulations to define acceptable grounds for debanking. The goal is to maintain a secure and inclusive financial system that effectively manages risk while protecting the interests of ordinary citizens and legitimate businesses.

Policymakers get involved

In response to concerns that non-financial factors may influence these decisions, an Executive Order was issued by the Trump administration in August to establish clearer guidelines for banking institutions, requiring that account management decisions be based primarily on financial and risk-related criteria. The order seeks to standardize practices across the industry and provide greater transparency in the decision-making process for account closures and financial service terminations.

In September, at the Association of Certified Anti-Money Laundering Specialists (ACAMS) Assembly held in Las Vegas, Mike Greenman, Senior Vice President and Chief Counsel of Financial Crimes Legal at US Bank, emphasized the critical importance that financial institutions present clear documentation for when and how debanking decisions were made about specific industries. Greenman strongly advised institutions to “always separate financial crime risk from other risks.”

Looking ahead at debanking

The issue of debanking has garnered attention due to high-profile cases and concerns about potential misuse. Investigations in several countries have found no evidence of widespread politically motivated debanking, but the perception of potential abuse has led many critics to re-examine this practice. Policymakers now are working to ensure that banks can address genuine risks without discriminating against customers based on their lawful views.

To navigate this issue, a balanced approach is necessary, one that involves enhancing transparency, providing channels for appeal or alternative services, and refining regulations to define acceptable grounds for debanking. The goal for financial institutions should be to maintain a secure and inclusive financial system that effectively manages risk while protecting the interests of ordinary citizens and legitimate businesses.

You can find out more about the regulatory challenges that financial institutions face here

Key insights:

• • • 4 pillars of surveillance — Casinos operate under a comprehensive BSA and Title 31 anti-money laundering framework, anchored by four pillars that together create a surveillance network to detect and deter illicit activity.

    • Significant gap in enforcement — Despite a massive surge in SAR filings, enforcement actions were virtually nonexistent, revealing a significant enforcement gap that undermines deterrence.

    • Balancing regulatory rules and risk — Effective CTR and SAR practices are both a regulatory obligation and a risk signal: Strong, timely, accurate reporting and a compliance-first culture help avoid penalties and protect reputation, while weak programs invite costly, rigorous enforcement.

Casino operators face increasingly rigorous anti-money laundering (AML) obligations under federal banking secrecy laws that require extensive reporting, customer monitoring, and record maintenance systems. These regulatory mandates, enforced by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), establish four core pillars of compliance: i) currency transaction reporting for cash activities exceeding $10,000; ii) suspicious activity reporting for potentially illicit behavior; iii) customer identification protocols; and iv) comprehensive recordkeeping standards.

While recent enforcement data reveals significant gaps between the volume of filed reports and actual regulatory actions, casinos must prioritize robust AML programs to avoid substantial penalties and reputational damage.

Under United States federal law, casinos operate within a stringent AML framework governed by Title 31 of the U.S. Code, commonly known as the Bank Secrecy Act (BSA). FinCEN serves as the primary regulator, enforcing comprehensive requirements designed to prevent casinos from becoming conduits for financial crimes.

The 4 pillars of casino AML compliance

1. Currency Transaction Reports (CTRs)— These reports form the foundation of casino reporting obligations. When a customer’s combined cash transactions exceed $10,000 in a single day, casinos must electronically file a detailed report within 15 calendar days. These reports capture essential customer information, such as name, address, Social Security number (SSN), and other identification details.

2. Suspicious Activity Reports (SARs)— These reports, filed with FinCEN, target potentially illicit behavior. For transactions of $5,000 or more that raise red flags, casinos must file comprehensive SARs within 30 days. Crucially, customers are never informed of these confidential reports.

3. Customer identification and due diligence— These requirements ensure casinos know who they’re serving during critical transactions. While not as extensive as traditional banking’s know-your-customer protocols, casinos must collect and verify customer information — name, birth date, address, and SSN — whenever filing CTRs or SARs or establishing certain accounts. This extends to monitoring gambling patterns for suspicious patterns.

4. Recordkeeping requirements— Rules around keeping records create the documentation foundation for compliance. Casinos must maintain all CTRs, SARs, supporting documentation, account records, negotiable instrument logs, and gaming activity records for five years in organized, accessible formats. Without robust recordkeeping systems, casinos risk missing reportable transactions or a failure to document suspicious activity.

Together, these four interconnected requirements create a comprehensive surveillance network, ensuring casinos serve as vigilant gatekeepers against money laundering while maintaining the integrity of their operations and supporting law enforcement investigations.

Public enforcement

SARs and CTRs are the backbone of Title 31 enforcement. Regulators use them to assess casino activity and compliance — and when reporting lapses, enforcement follows. Casinos that neglect filings or run weak AML programs face fines and mandated overhauls, while those with strong reporting and internal controls can largely avoid penalties.

The stark disparity between SAR filings and enforcement actions reveals a troubling enforcement gap.Ěý, financial institutions filed tens of thousands of SARs annually, yet only were completed during this entire period. This represents an enforcement rate that is virtually non-existant.

This enforcement deficit becomes even more striking when viewed historically.ĚýAs recently as 2000, fewer than 20 SARs were filed annually. Despite this dramatic 1,000-fold increase in reporting over two decades, enforcement actions have remained stagnant.

Indeed, the numbers tell a clear story: The current system generates massive volumes of reports but delivers minimal accountability. This, in turn, undermines the entire purpose of the SARs system and calls into question whether these reporting requirements are achieving their intended deterrent effect.

Enforcement revived in 2024, and the AML Act of 2020 also has raised expectations and risks. All casinos — large or small — must treat BSA compliance as core duty. That means casinos need to file accurate, timely CTRs; investigate and report suspicious activity via SARs; and then act on those insights to mitigate risk. Recent cases — from suppressed SARs to absent AML programs — show that failures are costly and reputationally damaging.

SARs and CTRs are the backbone of Title 31 enforcement. Regulators use them to assess casino activity and compliance — and when reporting lapses, enforcement follows.

Casinos have incurred multi-million-dollar fines for serious compliance violations, including deliberately failing to maintain AML programs, ignoring BSA requirements, and neglecting to report suspicious transactions. Additional penalties have been imposed for persistent AML deficiencies and the use of misleading compliance policies. Many of these violations occurred within some casinos over multiple years, demonstrating systemic, long-term compliance failures rather than isolated incidents.

These patterns reveal that the problems extend far beyond simple administrative mistakes. Instead, they represent fundamental breakdowns in comprehensive compliance programs — failures that can only be detected and addressed through extensive data analysis using information that must come directly from the casinos themselves.

Effective filings of SARs and CTRs serve as a double-edged sword: They not only fulfill a critical regulatory obligation but also act as a barometer of a casino’s commitment to compliance. When done well, these filings protect the institution from potential sanctions and reputational damage. Conversely, poor execution can lead to severe penalties and, more alarmingly, enable illicit activities.

The requirements are straightforward. Casino operators need to prioritize compliance investments, thoroughly know their customers, submit accurate reports, and cultivate a culture that encourages the identification of suspicious transactions. The consequences of non-compliance are steep, both financially and in terms of facilitating crime.

As FinCEN underscores, a robust compliance framework is essential to maintaining the integrity of the financial system. By embracing this responsibility, casinos can establish a strong foundation for regulatory adherence — and those that fail to do so can expect rigorous enforcement action.

You can find out more about how businesses, like casinos, are managing the threat of fraud here