Gearing Up for 2024: Regulatory Developments to Watch

As the year draws to a close, we find ourselves at an important time in the compliance sector—a time to pause and take stock of the year's most impactful developments. This year-end wrap-up is more than just a retrospective; it's a critical lens through which we can forecast the trends and challenges that await us in 2024. From the escalating importance of environmental, social, and governance (ESG) initiatives to the transformative role of AI in compliance strategies, let's prepare for the emerging compliance landscape of the coming year. 

Key Topics to Watch in 2024

Artificial Intelligence (AI) and Large Language Models

Generative AI made a big splash in 2023, quickly becoming part of business solution suites and is now increasingly used in a variety of tasks. However, it also raises ethical questions, such as data privacy, algorithmic bias, and job displacement, that need to be addressed. In light of the recent Executive Order and the EU AI Act, there will be a spike in regulatory response around the use of AI in 2024 internationally, and compliance teams need to be prepared.

First AI Law: On December 9, 2023, the European Union (EU) reached a provisional agreement on the EU AI Act, which is considered the world's first dedicated law on artificial intelligence. This legislation establishes a comprehensive regulatory framework aimed at ensuring the safety, legality, trustworthiness, and protection of fundamental rights within AI systems. The EU intends to set global standards for AI regulation, similar to the impact of the General Data Protection Regulation (GDPR) on data privacy. The law categorizes AI systems into different risk levels and imposes varying degrees of regulation, from minimal or no risks to unacceptable risks. It bans AI systems with unacceptable risks, including cognitive manipulation, predictive policing, emotion recognition in workplaces and schools, social scoring, and certain remote biometric identification systems. 

Multi-Level Regulatory Responses: In the US, following Biden’s Executive Order in October, various federal agencies are conducting assessments on AI, which will lead to a multitude of recommendations and guidelines. This will likely result in a cascade of new federal legislation and regulations. In parallel, states may enact their own AI regulations, similar to the diverse approaches seen in privacy laws like California's CCPA or Virginia's CDPA. Navigating this patchwork of federal and state regulations will require efficient systems for tracking, analyzing, and implementing these guidelines.

Inter-agency and Inter-state Coordination: As different agencies and states roll out their recommendations and regulations, there will be a need for coordination to avoid contradictory policies. Compliance professionals will need to monitor these developments closely and participate in industry discussions to understand and influence the regulatory landscape.

Adaptive Compliance Programs: Compliance programs will need to be adaptable and agile, capable of quickly responding to new regulations and guidelines around AI, particularly around Privacy and Information Security. This may involve investing in technology solutions that can assist in managing complex compliance requirements.

Risk Assessment and Management: Comprehensive risk assessments will be critical in identifying areas of potential non-compliance. Regular audits and reviews of AI systems and practices will become more common to ensure ongoing compliance.

Sustainability and ESG Directives

The year 2023 was a pivotal one for sustainability and ESG (Environmental, Social, and Governance) reporting. As of September 2023, various U.S. states actively drafted and implemented ESG regulations. However, there was controversy surrounding ESG investing and business decisions in the US, prompting a significant focus on anti-ESG efforts. This makes for a very diverse and evolving regulatory landscape in 2024:

Anti-ESG Rules: 20 states have enacted "anti-ESG" rules. These rules generally aim to limit the influence of ESG factors in investment decisions and discourage ESG-related investments.

Pro-ESG Rules: 8 states have implemented "pro-ESG" rules, which are designed to protect and sometimes incentivize ESG-related investments.

Disclosure-Related ESG Regulations: 3 states have enacted regulations related to ESG disclosures.

Pending Legislation: More than 75 additional anti- or pro-ESG bills are pending across various state legislative sessions. In total, 41 states have either effective or pending ESG investing rules.

Federal Regulations: At the federal level, the regulatory environment has also been dynamic. The Draft Rule, issued in 2022 and proposed by the Securities and Exchange Commission (SEC), aims to enhance and standardize climate-related disclosures for investors. The focus is on providing detailed and consistent information about climate-related risks and impacts. When finalized (anticipated in 2024), companies would be required to disclose information about their greenhouse gas emissions, climate-related risks, and how these risks are managed. At the same time, the U.S. Department of Labor has eased paths for ERISA-regulated retirement plan fiduciaries to consider certain ESG factors in making investment decisions.

The scope, structure, and effects of these state-level rules vary widely and frequently require interpretive analysis for compliance. ESG has become a top area of focus for CEOs, boards, investors, regulators, and customers. Many companies are now in various stages of implementing controls and governance processes over the collection, review, and reporting of sustainability information. This includes creating multifunctional teams that bring together finance, risk management, legal, and internal audit professionals. 

As we look toward 2024, compliance professionals should prepare for a number of key developments in ESG-related regulations:

Enhanced Reporting and Data Management: The need for accurate data collection and reporting will increase significantly. Compliance professionals must ensure robust systems for tracking and reporting environmental data and climate-related financial risks.

Third-Party Assurance and Verification: As regulations like California’s SB 253 require third-party assurance for emissions reporting, organizations will need to engage with external auditors or assurance providers.

Here are the key provisions of the act summarized by Reggi:

‍

‍

Understanding of Scope 1, 2, and 3 Emissions: Organizations must understand the differences between these emission scopes and how to accurately calculate and report them.

Risk Assessment and Strategy Development: Understanding and reporting on climate-related risks will require a comprehensive assessment of how these risks impact business operations and financial performance.

Data Privacy Regulations

There is a lot of regulatory response to the latest technological developments, addressing cybersecurity, data privacy, eCommerce, digital assets (like cryptocurrencies and NFTs), and AI. The capability to process vast amounts of personal data will likely prompt specific privacy regulations, focusing on consent, data minimization, and algorithmic transparency. 

Data privacy regulations like the GDPR in the European Union (EU) and state-level legislation like CCPA (amended by the CPRA) in the US are expected to evolve, with potential new laws that could be more stringent. There may also be movements toward a federal privacy law to unify these state-level regulations.

Here's an overview of some key regulations in the US:

• The California Privacy Rights Act (CPRA), effective from January 1, 2023, builds on the CCPA. It gives residents the right to prevent businesses from sharing their personal data, request correction of inaccuracies, and restrict the use of sensitive data.

• The Colorado Privacy Act, effective from July 1, 2023, adds specific provisions regarding the collection, processing, and dissemination of personal data to the existing Colorado Consumer Protection Act.

• The Connecticut Personal Data Privacy and Online Monitoring Act, effective from July 1, 2023, regulates how personal data is protected, collected, and processed, and outlines penalties for noncompliance.

• The Utah Consumer Privacy Act, effective from December 31, 2023, will protect the collection, processing, and distribution of personal data.

• The Virginia Consumer Data Protection Act, effective from January 1, 2023, provides guidelines and penalties regarding the collection, processing, and distribution of personal data, affecting both government and non-government organizations.

In the EU, there may be more clarity in the GDPR around consent, data subject rights, and cross-border data transfers, especially in light of recent court rulings and technological changes.

• EU’s Digital Markets Act

• EU’s Digital Services Act
  

Countries outside the European Union are also enacting their own data privacy laws, adding another layer of complexity to compliance. Due to jurisdictional variation, compliance teams will need in 2024:

Comprehensive Risk Management: Incorporating privacy risks into the overall risk management framework, especially concerning new technologies.

Cross-Jurisdictional Compliance: Navigating a potentially complex landscape of varying regulations across different jurisdictions.

Technology-Driven Compliance Solutions: Leveraging technology to manage compliance, especially in areas like policies and control mapping and real-time monitoring of regulatory updates.

International Regulatory Harmonization Initiatives in Healthcare

There are international regulatory harmonization initiatives on the move, particularly in healthcare. They seek to advance regulations and standards across the globe. Today, there are several organizations, task forces, and initiatives that seek to advance international harmonization, convergence, and reliance on the regulation of medical devices. These initiatives aim to streamline regulations and standards globally, making it easier for medical device manufacturers to enter and operate in different markets.

Compliance professionals must navigate this environment with a deep understanding of harmonization, convergence, and reliance processes. Staying informed and engaged with key agencies and forums like the CDRH and IMDRF will be essential.

Key Regulatory Processes

• Regulatory Harmonization: This refers to the process whereby technical guidelines are developed to be uniform across participating regulatory authorities in multiple countries.

• Regulatory Convergence: This is a voluntary process whereby the regulatory requirements in different countries or regions become more similar or "aligned" over time.

• Regulatory Reliance: This refers to the act whereby a regulatory authority in one jurisdiction may take into account and give significant weight to assessments performed by another or trusted institution in reaching its own decision.

Key Agencies and Forums

Center for Devices and Radiological Health (CDRH) of the U.S. Food and Drug Administration (FDA)

• Role: The CDRH regulates firms manufacturing, repackaging, relabeling, and/or importing medical devices in the United States.
  
  
• Contribution: It plays a pivotal role in shaping and implementing globally harmonized regulatory standards for medical devices.

International Medical Device Regulators Forum (IMDRF)

• Role: A global group comprising medical device regulators from several countries, including the U.S., E.U., Japan, Canada, and others.
  
  
• Function: Facilitates international harmonization and convergence of medical device regulation.
  
  
• Activities: Develops guidance, tools, and strategies to synchronize regulatory approaches and promote regulatory convergence.

In Summary

The year 2024 will likely be marked by an increased focus on technological and ethical considerations in AI, with a heightened awareness around data privacy and the potential for new, more stringent laws. The patchwork of state-level ESG regulations, both pro- and anti-ESG, will require a nuanced approach to compliance, as will the evolving landscape of data privacy laws across the US and EU. In healthcare, the trend towards regulatory harmonization will continue, simplifying the global market for medical devices but also demanding a deeper understanding of international standards.

Compliance teams must be prepared to adapt to these changes fast. This means investing in technology to manage complex compliance requirements, engaging in ongoing education and training, and participating actively in industry discussions. By staying informed and agile, compliance professionals can not only navigate these changes effectively but also leverage them to drive strategic growth and ethical business practices.

Looking ahead, the role of the compliance professional is more crucial than ever. In a world where regulatory landscapes shift with increasing speed and complexity, those equipped with the latest knowledge, tools, and a forward-thinking mindset will be the ones leading their organizations into a successful and compliant 2024.