In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease violations both by the wrongdoer (specific deterrence) and by others (general deterrence). This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium (Becker 1968). However, psychological research on motivation provides an alternative view: granting rewards (Deci, Koestner and Ryan, 1999) or imposing fines (Gneezy and Rustichini 2000) for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.
Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations (see "Compliance, Technology, and Modern Finance", 11 Journal of Corporate, Financial & Commercial Law 159 (2016)). Due to the increasing number of regulations and the need for operational transparency, organizations are increasingly adopting consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without unnecessary duplication of effort and activity.
Regulations and accrediting organizations vary among fields, with examples such as PCI-DSS and GLBA in the financial industry, FISMA for U.S. federal agencies, HACCP for the food and beverage industry, and the Joint Commission and HIPAA in healthcare. In some cases other compliance frameworks (such as COBIT) or even standards (NIST) inform how to comply with regulations.
Some organizations keep compliance data—all data belonging or pertaining to the enterprise or included in the law, which can be used for the purpose of implementing or validating compliance—in a separate store for meeting reporting requirements. Compliance software is increasingly being implemented to help companies manage their compliance data more efficiently. This store may include calculations, data transfers, and audit trails.
By nation
Regulatory compliance varies not only by industry but often by location. The financial, research, and pharmaceutical regulatory structures in one country, for example, may be similar but with particularly different nuances in another country. These similarities and differences are often a product "of reactions to the changing objectives and requirements in different countries, industries, and policy contexts".
Australia
Australia's major financial services regulators of deposits, insurance, and superannuation include the Reserve Bank of Australia (RBA), the Australian Prudential Regulation Authority (APRA), the Australian Securities & Investments Commission (ASIC), and the Australian Competition & Consumer Commission (ACCC). These regulators help to ensure that financial institutions meet their promises, that transactional information is well documented, and that competition is fair while protecting consumers. APRA in particular deals with superannuation and its regulation, including new regulations requiring trustees of superannuation funds to demonstrate to APRA that they have adequate resources (human, technology and financial), risk management systems, and appropriate skills and expertise to manage the superannuation fund, with the individuals running them being "fit and proper".
Other key regulators in Australia include the Australian Communications & Media Authority (ACMA) for broadcasting, the internet, and communications; the Clean Energy Regulator for "monitoring, facilitating and enforcing compliance with" energy and carbon emission schemes; and the Therapeutic Goods Administration for drugs, devices, and biologics.
Australian organisations seeking to remain compliant with various regulations may turn to AS ISO 19600:2015 (which supersedes AS 3806-2006). This standard helps organisations with compliance management, placing "emphasis on the organisational elements that are required to support compliance" while also recognizing the need for continual improvement.
Canada
In Canada, federal regulation of deposits, insurance, and superannuation is governed by two independent bodies: the OSFI through the Bank Act, and FINTRAC, mandated by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2001 (PCMLTFA). These groups protect consumers, regulate how risk is controlled and managed, and investigate illegal action such as money laundering and terrorist financing. On a provincial level, each province maintains its own laws and agencies. Unlike any other major federation, Canada does not have a securities regulatory authority at the federal government level. The provincial and territorial regulators work together to coordinate and harmonize regulation of the Canadian capital markets through the Canadian Securities Administrators (CSA).
Other key regulators in Canada include the Canadian Food Inspection Agency (CFIA) for food safety, animal health, and plant health; Health Canada for public health; and Environment and Climate Change Canada for environment and sustainable energy.
Australian organizations seeking to remain compliant with various regulations may turn to ISO 19600:2014, an international compliance standard that "provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization". For more industry specific guidance, e.g., financial institutions, Canada's E-13 Regulatory Compliance Management provides specific compliance risk management tactics.
The Netherlands
The financial sector in the Netherlands is heavily regulated. The Dutch Central Bank (De Nederlandsche Bank N.V.) is the prudential regulator, while the Netherlands Authority for Financial Markets (AFM) is the regulator for behavioral supervision of financial institutions and markets. A common definition of compliance is: 'Observance of external (international and national) laws and regulations, as well as internal norms and procedures, to protect the integrity of the organization, its management and employees with the aim of preventing and controlling risks and the possible damage resulting from these compliance and integrity risks'.
India
In India, compliance regulation takes place across three strata: Central, State, and Local regulation. India veers towards central regulation, especially of financial organizations and foreign funds. Compliance regulations vary based on the industry segment in addition to the geographical mix. Most regulation comes in the following broad categories: economic regulation, regulation in the public interest, and environmental regulation. India has also been characterized by poor compliance; reports suggest that only around 65% of companies are fully compliant with norms.
Singapore
The Monetary Authority of Singapore is Singapore's central bank and financial regulatory authority. It administers the various statutes pertaining to money, banking, insurance, securities and the financial sector in general, as well as currency issuance.
United Kingdom
There is considerable regulation in the United Kingdom, some of which is derived from European Union legislation. Various areas are policed by different bodies, such as the Financial Conduct Authority (FCA), Environment Agency, Scottish Environment Protection Agency (SEPA), Information Commissioner's Office (ICO), Care Quality Commission (CQC), and others: see List of regulators in the United Kingdom.
Important compliance issues for all organizations, large and small, include the Data Protection Act 1998 and, for the public sector, the Freedom of Information Act 2000.
Financial compliance
The U.K. Corporate Governance Code (formerly the Combined Code) is issued by the Financial Reporting Council (FRC) and "sets standards of good practice in relation to board leadership and effectiveness, remuneration, accountability, and relations with shareholders". All companies with a Premium Listing of equity shares in the U.K. are required under the Listing Rules to report on how they have applied the Combined Code in their annual report and accounts. (The Codes are therefore most similar to the U.S.' Sarbanes–Oxley Act.)
The U.K.'s regulatory framework requires that all its publicly listed companies provide specific content in the core financial statements that must appear in a yearly report, including the balance sheet, comprehensive income statement, and statement of changes in equity, as well as the cash flow statement as required under international accounting standards. It further demonstrates the relationship that subsists among shareholders, management, and the independent audit teams. Financial statements must be prepared using a particular set of rules and regulations, hence the rationale for allowing companies to apply the provisions of company law, international financial reporting standards (IFRS), and the U.K. stock exchange rules as directed by the FCA. Shareholders may also not understand the figures as presented in the various financial statements, so it is critical that the board provide notes on accounting policies as well as other explanatory notes to help them understand the report better.
Challenges
Data retention is a part of regulatory compliance that is proving to be a challenge in many instances. The security that comes from compliance with industry regulations can seem contrary to maintaining user privacy. Data retention laws and regulations ask data owners and other service providers to retain extensive records of user activity beyond the time necessary for normal business operations. These requirements have been called into question by privacy rights advocates.
Compliance in this area is becoming very difficult. Laws like the CAN-SPAM Act and the Fair Credit Reporting Act in the U.S. require that businesses give people the right to be forgotten. In other words, they must remove individuals from marketing lists if requested, tell them when and why they might share personal information with a third party, or at least ask permission before sharing that data. Now, with new laws coming out that demand longer data retention despite the individual's wishes, real difficulties can arise.
United States
Corporate scandals and breakdowns such as the Enron case of reputational risk in 2001 have increased calls for stronger compliance and regulations, particularly for publicly listed companies. The most significant recent statutory changes in this context have been the Sarbanes–Oxley Act, developed by two U.S. congressmen, Senator Paul Sarbanes and Representative Michael Oxley, in 2002, which defined significantly tighter personal responsibility of corporate top management for the accuracy of reported financial statements; and the Dodd-Frank Wall Street Reform and Consumer Protection Act.
The Office of Foreign Assets Control (OFAC) is an agency of the United States Department of the Treasury under the auspices of the Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign states, organizations, and individuals.
Compliance in the U.S. generally means compliance with laws and regulations. These laws and regulations can carry criminal or civil penalties. The definition of what constitutes an effective compliance plan has been elusive. Most authors, however, continue to cite the guidance provided by the United States Sentencing Commission in Chapter 8 of the Federal Sentencing Guidelines.
On October 12, 2006, the U.S. Small Business Administration re-launched Business.gov (later Business.USA.gov and finally SBA.Gov), which provides a single point of access to government services and information that help businesses comply with government regulations.
The U.S. Department of Labor, Occupational Health and Safety Administration (OSHA) was created by Congress to assure safe and healthful working conditions for working men and women by setting and enforcing standards and by providing training, outreach, education, and assistance. OSHA implements laws and regulations regularly in the following areas: construction, maritime, agriculture, and recordkeeping.
Standards
The International Organization for Standardization (ISO) and its ISO 37301:2021 standard (which deprecates ISO 19600:2014) is one of the primary international standards for how businesses handle regulatory compliance, providing a reminder of how compliance and risk should operate together, as "colleagues" sharing a common framework with some nuances to account for their differences. The ISO also produces international standards such as ISO/IEC 27002 to help organizations meet regulatory compliance with their security management and assurance best practices.
Some local or international specialized organizations such as the American Society of Mechanical Engineers (ASME) also develop standards and regulation codes. They thereby provide a wide range of rules and directives to ensure compliance of products with safety, security or design standards (see "Boiler and Pressure Vessel Inspection According to ASME").
See also
* Business Motivation Model, a standard for recording governance and compliance activities
* Chief compliance officer
* Governance, risk management, and compliance
* International regulation
* RegTech - Regulatory Compliance Technology