Regulatory compliance

Last updated

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to the deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer (specific deterrence) and by others (general deterrence). This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium (Becker 1968). However, psychological research on motivation provides an alternative view: granting rewards (Deci, Koestner and Ryan, 1999) or imposing fines (Gneezy Rustichini 2000) for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.

Contents

Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations. [1] Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. [2] This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.

Regulations and accrediting organizations vary among fields, with examples such as PCI-DSS and GLBA in the financial industry, FISMA for U.S. federal agencies, HACCP for the food and beverage industry, and the Joint Commission and HIPAA in healthcare. In some cases other compliance frameworks (such as COBIT) or even standards (NIST) inform on how to comply with regulations.

Some organizations keep compliance data—all data belonging or pertaining to the enterprise or included in the law, which can be used for the purpose of implementing or validating compliance—in a separate store for meeting reporting requirements. Compliance software is increasingly being implemented to help companies manage their compliance data more efficiently. This store may include calculations, data transfers, and audit trails. [3] [4]

By nation

Regulatory compliance varies not only by industry but often by location. The financial, research, and pharmaceutical regulatory structures in one country, for example, may be similar but with particularly different nuances in another country. These similarities and differences are often a product "of reactions to the changing objectives and requirements in different countries, industries, and policy contexts". [5]

Australia

Australia's major financial services regulators of deposits, insurance, and superannuation include the Reserve Bank of Australia (RBA), the Australian Prudential Regulation Authority (APRA), the Australian Securities & Investments Commission (ASIC), and the Australian Competition & Consumer Commission (ACCC). [6] These regulators help to ensure financial institutes meet their promises, that transactional information is well documented, and that competition is fair while protecting consumers. The APRA in particular deals with superannuation and its regulation, including new regulations requiring trustees of superannuation funds to demonstrate to APRA that they have adequate resources (human, technology and financial), risk management systems, and appropriate skills and expertise to manage the superannuation fund, with individuals running them being "fit and proper". [6]

Other key regulators in Australia include the Australian Communications & Media Authority (ACMA) for broadcasting, the internet, and communications; [7] the Clean Energy Regulator for "monitoring, facilitating and enforcing compliance with" energy and carbon emission schemes; [8] and the Therapeutic Goods Administration for drugs, devices, and biologics; [9]

Australian organisations seeking to remain compliant with various regulations may turn to AS ISO 19600:2015 (which supersedes AS 3806-2006). This standard helps organisations with compliance management, placing "emphasis on the organisational elements that are required to support compliance" while also recognizing the need for continual improvement. [10] [11]

Canada

In Canada, federal regulation of deposits, insurance, and superannuation is governed by two independent bodies: the OSFI through the Bank Act, and FINTRAC, mandated by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2001 (PCMLTFA). [12] [13] These groups protect consumers, regulate how risk is controlled and managed, and investigate illegal action such as money laundering and terrorist financing. [12] [13] On a provincial level, each province maintain individuals laws and agencies. Unlike any other major federation, Canada does not have a securities regulatory authority at the federal government level. The provincial and territorial regulators work together to coordinate and harmonize regulation of the Canadian capital markets through the Canadian Securities Administrators (CSA). [14]

Other key regulators in Canada include the Canadian Food Inspection Agency (CFIA) for food safety, animal health, and plant health; Health Canada for public health; and Environment and Climate Change Canada for environment and sustainable energy. [15]

Canadian organizations seeking to remain compliant with various regulations may turn to ISO 19600:2014, an international compliance standard that "provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization". [16] For more industry specific guidance, e.g., financial institutions, Canada's E-13 Regulatory Compliance Management provides specific compliance risk management tactics. [17]

The Netherlands

The financial sector in the Netherlands is heavily regulated. The Dutch Central Bank (De Nederlandsche Bank N.V.) is the prudential regulator while the Netherlands Authority for Financial Markets (AFM) is the regulator for behavioral supervision of financial institutions and markets. A common definition of compliance is:'Observance of external (international and national) laws and regulations, as well as internal norms and procedures, to protect the integrity of the organization, its management and employees with the aim of preventing and controlling risks and the possible damage resulting from these compliance and integrity risks'. [18]

India

In India, compliance regulation takes place across three strata: Central, State, and Local regulation. India veers towards central regulation, especially of financial organizations and foreign funds.< Compliance regulations vary based on the industry segment in addition to the geographical mix. Most regulation comes in the following broad categories: economic regulation, regulation in the public interest, and environmental regulation. [19] India has also been characterized by poor compliance - reports suggest that only around 65% of companies are fully compliant to norms. [20]

Singapore

The Monetary Authority of Singapore is Singapore's central bank and financial regulatory authority. It administers the various statutes pertaining to money, banking, insurance, securities and the financial sector in general, as well as currency issuance.

United Kingdom

There is considerable regulation in the United Kingdom, some of which is derived from European Union legislation. Various areas are policed by different bodies, such as the Financial Conduct Authority (FCA), Environment Agency, Scottish Environment Protection Agency, Information Commissioner's Office, Care Quality Commission, and others: see List of regulators in the United Kingdom.

Important compliance issues for all organizations large and small include the Data Protection Act 1998 and, for the public sector, Freedom of Information Act 2000.

Financial compliance

The U.K. Corporate Governance Code (formerly the Combined Code) is issued by the Financial Reporting Council (FRC) and "sets standards of good practice in relation to board leadership and effectiveness, remuneration, accountability, and relations with shareholders". [21] All companies with a Premium Listing of equity shares in the U.K. are required under the Listing Rules to report on how they have applied the Combined Code in their annual report and accounts. [22] (The Codes are therefore most similar to the U.S.' Sarbanes–Oxley Act.)

The U.K.'s regulatory framework requires that all its publicly listed companies should provide specific content in the core financial statements that must appear in a yearly report, including balance sheet, comprehensive income statement, and statement of changes in equity, as well as cash flow statement as required under international accounting standards. [23] It further demonstrates the relationship that subsists among shareholders, management, and the independent audit teams. Financial statements must be prepared using a particular set of rules and regulations hence the rationale behind allowing the companies to apply the provisions of company law, international financial reporting standards (IFRS), as well as the U.K. stock exchange rules as directed by the FCA. [24] It is also possible that shareholders may not understand the figures as presented in the various financial statements, hence it is critical that the board should provide notes on accounting policies as well as other explanatory notes to help them understand the report better.

Challenges

Data retention is a part of regulatory compliance that is proving to be a challenge in many instances. The security that comes from compliance with industry regulations can seem contrary to maintaining user privacy. Data retention laws and regulations ask data owners and other service providers to retain extensive records of user activity beyond the time necessary for normal business operations. These requirements have been called into question by privacy rights advocates. [25]

Compliance in this area is becoming very difficult. Laws like the CAN-SPAM Act and Fair Credit Reporting Act in the U.S. require that businesses give people the right to be forgotten. [26] [27] In other words, they must remove individuals from marketing lists if it is requested, tell them when and why they might share personal information with a third party, or at least ask permission before sharing that data. Now, with new laws coming out that demand longer data retention despite the individual’s desires, it can create some real difficulties.

Money laundering and terrorist financing pose significant threats to the integrity of the financial system and national security. To combat these threats, the EU has adopted a risk-based approach to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) that relies on cooperation and coordination between EU and national authorities. In this context, risk-based regulation refers to the approach of identifying and assessing potential risks of money laundering and terrorist financing and implementing regulatory measures proportional to those risks. However, the shared enforcement powers between EU and national authorities in the implementation and enforcement of AML/CFT regulations can create legal implications and challenges. The potential for inconsistent application of AML regulations across different jurisdictions can create regulatory arbitrage and undermine the effectiveness of AML efforts. Additionally, a lack of clear and consistent legal frameworks defining the roles and responsibilities of EU and national authorities in AML enforcement can lead to situations where accountability is difficult to establish.

United States

Corporate scandals and breakdowns such as the Enron case of reputational risk in 2001 have increased calls for stronger compliance and regulations, particularly for publicly listed companies. [1] The most significant recent statutory changes in this context have been the Sarbanes–Oxley Act developed by two U.S. congressmen, Senator Paul Sarbanes and Representative Michael Oxley in 2002 which defined significantly tighter personal responsibility of corporate top management for the accuracy of reported financial statements; and the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The Office of Foreign Assets Control (OFAC) is an agency of the United States Department of the Treasury under the auspices of the Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign states, organizations, and individuals.

Compliance in the U.S. generally means compliance with laws and regulations. These laws and regulations can have criminal or civil penalties. The definition of what constitutes an effective compliance plan has been elusive. Most authors, however, continue to cite the guidance provided by the United States Sentencing Commission in Chapter 8 of the Federal Sentencing Guidelines. [28] [29]

On October 12, 2006, the U.S. Small Business Administration re-launched Business.gov (later Business.USA.gov and finally SBA.Gov) [30] which provides a single point of access to government services and information that help businesses comply with government regulations.

The U.S. Department of Labor, Occupational Health and Safety Administration (OSHA) was created by Congress to assure safe and healthful working conditions for working men and women by setting and enforcing standards and by providing training, outreach, education, and assistance. OSHA implements laws and regulations regularly in the following areas, construction, maritime, agriculture, and recordkeeping. [31]

Standards

The International Organization for Standardization (ISO) and its ISO 37301:2021 (which deprecates ISO 19600:2014) standard is one of the primary international standards for how businesses handle regulatory compliance, providing a reminder of how compliance and risk should operate together, as "colleagues" sharing a common framework with some nuances to account for their differences. The ISO also produces international standards such as ISO/IEC 27002 to help organizations meet regulatory compliance with their security management and assurance best practices. [32]

Some local or international specialized organizations such as the American Society of Mechanical Engineers (ASME) also develop standards and regulation codes. They thereby provide a wide range of rules and directives to ensure compliance of the products to safety, security or design standards. [33]

See also

Related Research Articles

Canadian securities regulation is managed through the laws and agencies established by Canada's 10 provincial and 3 territorial governments. Each province and territory has a securities commission or equivalent authority with its own provincial or territorial legislation.

<span class="mw-page-title-main">Banking regulation and supervision</span> Policy framework for credit institutions

Banking regulation and supervision refers to a form of financial regulation which subjects banks to certain requirements, restrictions and guidelines, enforced by a financial regulatory authority generally referred to as banking supervisor, with semantic variations across jurisdictions. By and large, banking regulation and supervision aims at ensuring that banks are safe and sound and at fostering market transparency between banks and the individuals and corporations with whom they conduct business.

<span class="mw-page-title-main">Financial Action Task Force</span> Intergovernmental organization to combat money laundering and terrorism financing

The Financial Action Task Force (on Money Laundering) (FATF), also known by its French name, Groupe d'action financière (GAFI), is an intergovernmental organisation founded in 1989 on the initiative of the G7 to develop policies to combat money laundering and to maintain certain interest. In 2001, its mandate was expanded to include terrorism financing.

<span class="mw-page-title-main">Know your customer</span> Financial institution and company-related term

In the United States, Know Your Customer (KYC) guidelines and regulations in financial services require professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with a customer. The procedures fit within the broader scope of anti-money laundering (AML) and counter terrorism financing (CTF) regulations.

A regulatory agency or independent agency is a government authority that is responsible for exercising autonomous dominion over some area of human activity in a licensing and regulating capacity.

In domestic and international commercial law, a beneficial owner is a natural person or persons who ultimately owns or controls an interest in a legal entity or arrangement, such as a company, a trust, or a foundation. Legal owners, commonly described as the "registered owners", may hold those interests as beneficial owners or for the benefit of someone else, in which case they may be described as a "nominee".

Data governance is a term used on both a macro and a micro level. The former is a political concept and forms part of international relations and Internet governance; the latter is a data management concept and forms part of corporate data governance.

Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.

The chief compliance officer (CCO) is a corporate executive within the C-suite responsible for overseeing and managing regulatory compliance issues within an organization. The CCO typically reports to the chief executive officer or the chief legal officer.

Anti-money laundering (AML) software is software used in the finance and legal industries to help companies comply with the legal requirements for financial institutions and other regulated entities to prevent or report money laundering activities. AML software can facilitate faster and more accurate compliance and investigations.

In financial regulation, a politically exposed person (PEP) is one who has been entrusted with a prominent public function. A PEP generally presents a higher risk for potential involvement in bribery and corruption by virtue of their position and the influence they may hold. The terms "politically exposed person" and senior foreign political figure are often used interchangeably, particularly in international forums.

<span class="mw-page-title-main">Asia/Pacific Group on Money Laundering</span> Inter-governmental organisation against serious financial crime

The Asia/Pacific Group on Money Laundering (APG) is a FATF style regional inter-governmental (international) body, the members of which are committed to effectively implementing the international standards against money laundering, the combating the financing of terrorism (CFT) and financing the proliferation of weapons of mass destruction. APG was founded in 1997 in Bangkok, Thailand, and currently consists of 42 member jurisdictions in the Asia-Pacific region and a number of observer jurisdictions and international/regional observer organisations.

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle information whether it is physically or electronically created (ESI).

<span class="mw-page-title-main">Swiss Financial Market Supervisory Authority</span> Government watchdog

The Swiss Financial Market Supervisory Authority is the Swiss government body responsible for financial regulation. This includes the supervision of banks, insurance companies, stock exchanges and securities dealers, as well as other financial intermediaries in Switzerland. FINMA's name and acronym are usually expressed in English so as to avoid the semblance of favouring any one of Switzerland's linguistic regions.

<span class="mw-page-title-main">Financial Conduct Authority</span> British financial regulator

The Financial Conduct Authority (FCA) is a financial regulatory body in the United Kingdom which operates independently of the UK Government and is financed by charging fees to members of the financial services industry. The FCA regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the United Kingdom.

<span class="mw-page-title-main">Cyprus Securities and Exchange Commission</span> Financial regulator of Cyprus

The Cyprus Securities and Exchange Commission, better known as CySEC, is the financial regulatory agency of Cyprus. As an EU member state, CySEC's financial regulations and operations comply with the European MiFID financial harmonization law.

Financial regulation in Australia is extensive and detailed.

ISO 19600, Compliance management systems - Guidelines, is a compliance standard introduced by the International Organization for Standardization (ISO) in April 2014. As its title suggests, it operates as an advisory standard and is not used for accreditation or certification.

Regulatory technology, Abrv: RegTech, is the use of information technology to enhance regulatory and compliance processes. RegTech is most usefully applied to heavily regulated industries and activities such as financial services, gaming, healthcare, pharmaceutical, energy and aviation. RegTech puts a particular emphasis on regulatory monitoring, reporting and compliance and aims to enhance transparency as well as consistency and to standardize regulatory processes, to remove ambiguity from regulations and provide higher quality outcomes at a lower cost.

Financial regulation in India is governed by a number of regulatory bodies. Financial regulation is a form of regulation or supervision, which subjects financial institutions to certain requirements, restrictions and guidelines, aiming to maintain the stability and integrity of the financial system. This may be handled by either a government or non-government organization. Financial regulation has also influenced the structure of banking sectors by increasing the variety of financial products available. Financial regulation forms one of three legal categories which constitutes the content of financial law, the other two being market practices and case law.

References

  1. 1 2 Compliance, Technology, and Modern Finance, 11 Journal of Corporate, Financial & Commercial Law 159 (2016)
  2. Silveira, P.; Rodriguez, C.; Birukou, A.; Casati, F.; Daniel, F.; D'Andrea, V.; Worledge, C.; Zouhair, T. (2012), "Aiding Compliance Governance in Service-Based Business Processes", Handbook of Research on Service-Oriented Systems and Non-Functional Properties (PDF), IGI Global, pp. 524–548, doi:10.4018/978-1-61350-432-1.ch022, hdl:11311/1029233, ISBN   9781613504321
  3. Norris-Montanari, J. (27 February 2017). "Compliance – Where does it fit in a data strategy?". SAS Blogs. SAS Institute, Inc. Retrieved 31 July 2018.
  4. Monica, A.D.; Shilt, C.; Rimmerman, R.; et al. (2015). "Chapter 4: Monitoring software updates". Microsoft System Center Software Update Management Field Experience. Microsoft Press. pp. 57–82. ISBN   9780735695894.
  5. Malyshev, N. (2008). "The Evolution of Regulatory Policy in OECD Countries" (PDF). OECD. Retrieved 27 July 2018.
  6. 1 2 Pearson, G. (2009). "Chapter 2: The regulatory structure". Financial Services Law and Compliance in Australia. Cambridge University Press. pp. 20–68. ISBN   9780521617840.
  7. "Regulatory Responsibility". ACMA. 17 December 2012. Retrieved 31 July 2018.
  8. "What we do". Clean Energy Regulator. 14 December 2016. Retrieved 31 July 2018.
  9. Weinberg, S. (2011). "Chapter 13: International Regulation". Cost-Contained Regulatory Compliance: For the Pharmaceutical, Biologics, and Medical Device Industries. John Wiley & Sons. pp. 227–258. ISBN   9781118002278.
  10. CompliSpace (14 April 2016). "Compliance Standards ISO 19600 and AS 3806 – Differences explained" . Retrieved 31 July 2018.
  11. "AS ISO 19600:2015". Standards Catalogue. Standards Australia. Retrieved 31 July 2018.
  12. 1 2 International Monetary Fund; Financial Action Task Force (December 2008). Canada: Report on Observance of Standards and Codes - FATF Recommendations for Anti-Money Laundering and Combating the Financing of Terrorism.{{cite book}}: CS1 maint: multiple names: authors list (link)
  13. 1 2 International Monetary Fund (August 2016). Canada: Detailed Assessment Report on Anti-Money Laundering and Combating the Financing of Terrorism. International Monetary Fund. ISBN   9781475536188.
  14. Lee, R. (2003). "Chapter 6: Promoting Regional Capital Market Integration". In Dowers, K.; Msci, P. (eds.). Focus on Capital: New Approaches to Developing Latin American Capital Markets. Inter-American Development Bank. p. 168. ISBN   9781931003490.
  15. Smyth, S.J.; McHughen, A. (2012). "Chapter 2: Regulation of Genetically Modified Crops in USA and Canada: Canadian Overview". In Wozniak, C.A.; McHughen, A. (eds.). Regulation of Agricultural Biotechnology: The United States and Canada. Springer Science & Business Media. pp. 15–34. ISBN   9789400721562.
  16. International Organization for Standardization (December 2014). "ISO 19600:2014". Standards Catalogue. Retrieved 31 July 2018.
  17. Office of the Superintendent of Financial Institutions (14 November 2014). "Revised Guideline E-13 – Regulatory Compliance Management (RCM)". Government of Canada. Retrieved 31 July 2018.
  18. The Handbook of Compliance & Integrity Management. Theory & Practice, Prof. S.C. Bleker-van Eyk & R.A.M. Houben (Eds.), 2017 Kluwer Law International.
  19. "Regulatory Management and Reform in India" (PDF). OECD.
  20. "India Inc has poor record in regulatory compliance | Latest News & Updates at Daily News & Analysis". 2014-10-12. Retrieved 2016-09-18.
  21. "UK Corporate Governance Code". Financial Reporting Council. Retrieved 31 July 2018.
  22. "LR 1.5 Standard and Premium Listing". FCA Handbook. Financial Conduct Authority. Retrieved 31 July 2018.
  23. "LR 9.8 Annual financial report". FCA Handbook. Financial Conduct Authority. Retrieved 31 July 2018.
  24. "FCA Handbook". Financial Conduct Authority. Retrieved 31 July 2018.
  25. "Compliance Challenge: Privacy vs. Security". Dell.com. Archived from the original on 2011-02-26. Retrieved 2012-06-19.
  26. Francis, L.P.; Francis, J.G. (2017). Privacy: What Everyone Needs to Know. Oxford University Press. p. PT102. ISBN   9780190612283.
  27. Dale, N.; Lewis, J. (2015). Computer Science Illuminated. Jones & Bartlett Publishers. p. 388. ISBN   9781284055924.
  28. "Special Reports and Discussions on Chapter Eight". USSC.gov. Archived from the original on November 23, 2010.
  29. The Ethics and Compliance Initiative (ECI). "Principles and Practices of High Quality Ethics & Compliance Programs". pp. 12–13. Retrieved 31 August 2016.
  30. "Explore Business Tools & Resources". Business.USA.gov.
  31. "OSHA Law & Regulations | Occupational Safety and Health Administration". www.osha.gov. Retrieved 2017-04-07.
  32. Calder, A.; Watkins, S. (2015). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002. Kogan Page Publishers. pp. 39–40. ISBN   9780749474065.
  33. Boiler and Pressure Vessel Inspection According to ASME