Regulatory compliance can be broadly defined as the adherence to laws, regulations, and guidelines created by government legislations and regulatory bodies applicable to an organization based on the industry and jurisdiction in which it operates.
Depending on the industry and jurisdiction, regulations vary significantly. Large organizations with a global footprint need to comply with the pertinent laws and regulations of every country they operate in and from. Some industries, such as financial services, information technology (IT), and healthcare, face numerous and often complex regulations and compliance frameworks because of their impact on the economy, on business, and on health infrastructure respectively. Many of these industries are also at significant risk of cyber breaches, because their attack surface keeps growing and evolving.
As a business grows and expands, the regulations it is subjected to also increase in scale and volume, often becoming complex due to overlapping jurisdictions of multiple authorities. This requires an organization to implement the right measures, policies, and processes to ensure compliance.
This page provides a comprehensive overview of regulatory compliance and its importance, the benefits of regulatory compliance, the consequences of non-compliance, and best practices to follow to achieve regulatory compliance.
In the US, several laws and regulations are in place to protect various stakeholders, including the business itself.
Compliance laws protect consumers from harmful consequences of a firm's operations, help the firm protect its reputation, and help senior management and leadership avoid criminal liability. These laws, regulations, and guidelines are often industry-specific, and many of them have dedicated oversight bodies that enforce them.
For example, the financial industry is governed by legislation including the Dodd-Frank Act and the Sarbanes-Oxley Act (SOX). The Dodd-Frank Act came into effect in 2010 to promote financial stability by increasing transparency and accountability. As a direct consequence of this Act, regulatory requirements on banks concerning proprietary trading, investment activities, and capital requirements were tightened. SOX, enacted in 2002, was created to protect stakeholders of publicly traded companies from fraudulent accounting and financial practices. It regulates corporate activities such as the certification of financial reports and corporate record-keeping.
Further, the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, governs the privacy and security of individuals' protected health information held by covered entities such as health plans and healthcare providers, and by their business associates. Legislation such as HIPAA also serves as a starting point for instituting a comprehensive cyber security program, because its security rule requires administrative, physical, and technical safeguards for that information.
Major regulatory agencies in the US include
The European Union is a supranational entity, and EU regulations are directly applicable in all its member states. It established the European Systemic Risk Board (ESRB) for macroprudential supervision of the financial system, and it has independent authorities such as the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) that draft technical standards.
The General Data Protection Regulation (GDPR) applies to organizations that process the personal data of individuals in the EU, irrespective of where the organization itself is located. It protects people who are in the EU regardless of their citizenship, so residents and visitors are covered as well as EU citizens.
Countries outside the EU in Europe such as the United Kingdom have their own regulatory compliance frameworks and authorities such as the Financial Conduct Authority (FCA) to preserve market integrity.
While regulatory compliance mandates differ from country to country, laws and codes similar to SOX exist in various countries, such as the Corporate Law Economic Reform Program Act 2004 (CLERP 9) in Australia and the Deutscher Corporate Governance Kodex (DCGK) in Germany.
In Canada, unlike most countries, there is no federal regulatory agency for securities. Provincial and territorial agencies collaborate to regulate securities trading.
Regulatory compliance is important to uphold the integrity of business processes, protecting public interest as well as stakeholder interest. It ensures that businesses operate fairly and ethically. When businesses are open and transparent about their regulatory compliance mechanisms, trust and goodwill among clients and business partners increase. This can, over time, improve brand perception and increase the overall profitability of the organization.
With good regulation, consumers are protected from harmful and fraudulent actions by business entities, such as the predatory mortgage lending that contributed to the subprime mortgage crisis of 2007-2008. At the same time, directors and managers of businesses that maintain regulatory compliance can steer clear of criminal liability and premature career termination for actions they may be held directly responsible for.
Additionally, formulating a solid regulatory compliance strategy helps an organization stay on top of risks and prepare for future regulatory change.
Organizations that maintain consistent regulatory compliance management can reap significant benefits and outcomes both in the short term and over an extended period of time. Important benefits include:
Non-compliance arises when a business fails to meet its applicable legal obligations. An increasing number of organizations are prioritizing regulatory compliance as a key strategic requirement: MetricStream's State of Compliance Survey Report, 2021, found that 64% of organizations intend to focus on enhancing regulatory and internal compliance assessments.
Lapses in regulatory compliance can lead to several adverse consequences, such as:
A regulatory compliance policy is the blueprint from which an organization derives its compliance practices. It is a declaration, usually in written form, in which the organization affirms its commitment to complying with the relevant laws and regulations. It provides the necessary details on the procedures and structures created for this purpose, such as a regulatory compliance plan and the appointment of a compliance officer.
A regulatory compliance policy helps create a culture of compliance in the organization and shields the organization from risk caused by rogue employees. Moreover, given the yearly increase in regulatory requirements, the policy acts as a reference for prioritizing compliance processes, keeping business goals and interests aligned with regulatory compliance.
Leveraging technology for policy and document management helps streamline and simplify the creation and communication of organizational policies, while providing a centralized policy portal to store and access the latest policies.
A regulatory compliance policy can be formulated by considering the following aspects that may vary individually for each organization.
Understand the context and purpose of the regulatory compliance policy. Is it to decrease compliance risk? Is it to foster communication with stakeholders? Is it to educate employees?
The Chief Compliance Officer typically drafts the regulatory compliance policy, and the draft is then discussed with the various functional heads to determine how it applies across the organization. Open deliberation and consensus lead to wider acceptance of the policy in the organization.
Once the policy reaches its final draft, the company's Board of Directors is responsible for approving it and for ensuring that compliance becomes a standing item in Board reviews.
The compliance officer in an organization handles all compliance-related matters such that the business can manage risk, maintain its reputation and goodwill, and avoid legal consequences. Most importantly, the chief compliance officer is responsible for driving a culture of compliance and integrity.
Depending on the industry, the details of the role vary, but in general the compliance officer is responsible for setting up and implementing the regulatory compliance policy or program. The compliance officer is usually tasked with
By following known and accepted best practices, organizations can consistently maintain regulatory compliance.
While not all organizations can afford specialized roles such as a full-time compliance officer, those responsibilities can be delegated to existing personnel in appropriate organizational positions, supported by best-in-class tools.
Here are some general best practices for organizations to follow in ensuring regulatory compliance.
Regulatory compliance focuses on aligning with external legal mandates such as the laws and regulations of the relevant jurisdictions or industries. Corporate compliance is internal in nature, with processes and procedures aimed at meeting the organization's own business requirements. Both share a common goal: ensuring the accountability of the business.
Having a regulatory compliance policy is an explicit indicator that the organization is serious about its commitment to regulatory compliance. This is particularly important for large corporations as they have to adhere to numerous regulations within the country at various levels and internationally if they have a global presence.
Sometimes, regulations in one area can be at cross-purposes with regulations in another. For instance, a data privacy regulation under which individuals can exercise the 'right to be forgotten' can conflict with regulations that require organizations to retain user data for long periods. Such privacy regimes typically exempt data that must be kept to meet a legal obligation, so the practical resolution is to document the legal basis for each retention period and apply erasure to everything else.
Other challenges include predicting the impact of regulatory compliance on the strategic direction of the company, since the value of compliance is difficult to measure directly.
Regulatory compliance management is how an organization systematically achieves regulatory compliance: by establishing a standard set of processes and procedures, and by investing in technology that aligns controls with requirements, provides visibility into those controls, and eliminates inefficiencies.
The regulatory compliance cost is the total of all expenses an organization incurs to comply with applicable laws, rules, and regulations. It includes items such as investment in technology that facilitates compliance, salaries paid to employees appointed for compliance, and so on.