Regulatory Compliance: Overview and Guide

Regulatory Compliance: Overview and Guide

Regulatory compliance is pivotal to industries and sectors that are inherently subject to some form of oversight. Oversight could be in the form of an international body, and in the case of the United States, federal agencies and state-level organizations also provide oversight functions in some situations. The financial services, healthcare, and information technology (IT) sectors are examples of industries with varying degrees of oversight.

This article provides an overview of regulatory compliance from multiple perspectives and provides state, federal, international, and industry-specific examples. It also presents guidance on implementing a compliance management plan and identifies the benefits of compliance.

What is Regulatory Compliance?

Regulatory compliance management is the process of ensuring that a company or organization is following all applicable laws, regulations, and guidelines. Adherence to regulatory compliance requirements is essential in maintaining organizational trust and credibility and safeguarding against incidents such as data breaches. Compliance also contributes to organizations operating ethically and responsibly. Compliance requirements might impact items like medical devices, patient data, and credit card data.

Conforming to regulations is a broad concept. In most cases, compliance requirements entail adhering to laws, standards, or other regulatory obligations. This is not limited to legal compliance and can also include adhering to best practices, industry-specific guidelines, or corporate policies. Compliance-related activities can also vary widely based on state, federal, and international jurisdictions. For example, large multinational companies will likely be subject to multiple compliance regulations.

Several examples of regulatory requirements are summarized below. The California Consumer Privacy Act (CCPA), and The California Privacy Rights Act (CPRA) are examples of state-level compliance laws. Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) are examples of federal statutes. The General Data Protection Regulation (GDPR) is an example of an international compliance requirement.

CCPA and CPRA

According to Bloomberg Law, Which States Have Consumer Data Privacy Laws? | Bloomberg Law, 11 states have implemented comprehensive privacy protection laws. Of these, California was the first state to enact a comprehensive privacy law via the California Consumer Privacy Act (CCPA). The CCPA was introduced in 2018 and became enforceable on January 1, 2020. The law affords consumers more control over their data and imposes stricter requirements on businesses that collect and use this data. CCPA compliance involves implementing the necessary measures to protect consumer data and provide transparency in their data practices.

Source: Which States Have Consumer Data Privacy Laws?

CPRA is an amendment of the CCPA. Passed in 2020, the CPRA includes additional privacy protections for consumers. Most CPRA provisions took effect January 1, 2023, with enforcement starting July 1, 2023. Key changes between the CCPA and the CPRA, CCPA vs CPRA: What Is the Difference? include the addition of the sensitive personal information category, increased penalties, a broader range of information that can be requested from businesses, the addition of four new consumer rights, and increased power of the right to delete.

HIPAA

HIPAA establishes the standard for sensitive patient data protection. The legislation is regulated by the Department of Health and Human Services. HIPAA is not only applicable to healthcare organizations but any organization handling protected health information (PHI) must ensure strict regulatory compliance with HIPAA. This involves implementing necessary physical, network, and process security measures to guard against unauthorized access to PHI. HIPAA requirements facilitate healthcare entity’s ability to maintain the highest level of data privacy and security in patient interactions. A useful HIPAA compliance checklist can be found here: How to Be HIPAA Compliant? The Checklist You’ll Need

SOX

The Sarbanes-Oxley Act (SOX) is a federal act passed in 2002 with bipartisan congressional support to improve auditing and public disclosure in response to several accounting scandals in the early 2000s. The act was named after the bill sponsors, Senator Paul Sarbanes and Representative Michael Oxley, and is also commonly referred to as SOX, Sarbanes-Oxley Act | Wex | US Law | LII / Legal Information Institute (cornell.edu). SOX compliance is mandatory for any organization that is publicly traded or planning to go public. The law not only helps prevent financial fraud but also enhances transparency and accountability within a company. SOX compliance leads to improved financial reporting processes, increased trust with investors and stakeholders, and overall transparency.

SOX cybersecurity compliance generally refers to a public company implementing strong internal control processes over the IT infrastructure and applications that house the financial information that flows into its financial reports to enable it to make timely disclosures to the public if a breach were to occur. What Is SOX Cybersecurity Compliance?

SOX cybersecurity requirements can be implemented via performing a SOX cyber-related risk assessment and risk management activities, evaluating compliance risk, identifying controls and policies, implementing cyber controls using a reliable framework or compliance standard, and monitoring and testing controls.

GDPR

GDPR is a legal framework that sets guidelines for the collection and processing of personal data of individuals within the European Union (EU). The framework aims to give control to EU citizens over their personal data and simplify the regulatory environment for international business by unifying privacy regulations across the EU. 

The United Kingdom, Canada, and Australia have also implemented data protection laws. The UK implemented the Data Protection Act 2018 which is the UK’s implementation of GDPR. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information. Australia is in the process of reforming its existing privacy laws, Privacy Act Review Report.

Industry Specific Requirements

Industries such as healthcare, finance, and technology are often subject to industry-specific standards and compliance regulations. Ignoring these industry-specific regulations can result in severe consequences, including financial and reputational damages. The Payment Card Industry (PCI) Data Security Standard (DSS) and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 are examples of industry-driven regulations. The Federal Information Security Modernization Act (FISMA) is an example of a requirement specific to US federal agencies.

PCI-DSS

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data. What is PCI DSS? Requirements & How to Comply (itgovernance.co.uk). The standard consists of a set of security standards that were established by the major credit card companies. The primary purpose of the standard is to ensure that payment card data is processed, stored, and transmitted securely. The standards cover a wide range of security controls including network, physical, and operational security. These requirements are constantly updated to keep up with changing technology and evolving threats.

PCI-DSS compliance is mandatory for all businesses that accept credit card payments. This includes merchants, processors, financial institutions, and service providers that handle cardholder data. Failure to comply with the standards can result in heavy fines and penalties.

Additional PCI DSS requirements can be found here: The 12 PCI DSS Compliance Requirements: What You Need to Know.

Source: PCI DSS Certification

ISO/IEC 27001

ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), BeyondTrust Industry Certifications | BeyondTrust. It was developed by the ISO/IEC.

The main objective of ISO 27001 is to provide a framework for organizations to manage and protect their information assets. These assets can include sensitive data, such as customer information, financial records, intellectual property, or any other type of valuable data.

FISMA

According to the National Institute of Standards and Technology (NIST), FISMA mandates that federal agencies implement information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected/maintained by or on behalf of an agency, or Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency, NIST Risk Management Framework.

All of the regulatory compliance and requirements described above share common traits such as data privacy, cybersecurity, and accurate record-keeping.

How Do You Implement a Compliance Plan?

Compliance management can be a daunting process. Organizations could potentially be subject to multiple compliance regulations. As a result, compliance plans can be just as diverse as the laws, regulations, and standards themself. Most compliance plans will incorporate procedures related to internal auditing, personnel training, and policy management. The involvement of a compliance officer and performing continuous monitoring should also be considered in compliance planning activities. Let’s explore these areas further below.

Audit Your Environment

Compliance-related audits involve examining a company’s practices, procedures, and records to determine if they adhere to relevant laws and regulations. The primary objective of compliance auditing is to identify any areas where a company may be non-compliant and provide recommendations for improvement. This process facilitates the ability to ensure that operations are in line with legal requirements, industry standards, and internal policies. Perhaps most importantly, compliance audits can facilitate companies to gain the trust and confidence of stakeholders, including customers, investors, and regulators.

During the audit, the role of a compliance auditor is to review and evaluate a company’s operations to ensure that they comply with relevant laws, regulations, and policies. They are responsible for conducting compliance audits, identifying areas of noncompliance, and providing recommendations for improvement. Additionally, compliance auditors can play an advisory role by helping companies understand regulatory requirements and developing strategies to ensure ongoing compliance.

More recently, compliance audits are also used as input to environmental, social, and governance programs.

Hire a Compliance Officer

The primary responsibility of a compliance officer is to ensure that the company complies with all relevant laws and regulations. This includes understanding and interpreting legal requirements, monitoring regulatory changes, and implementing necessary changes within the organization to maintain compliance.

Another key responsibility of a compliance officer is to participate in compliance audits to assess the company’s adherence to internal policies and procedures. This helps identify any potential areas of risk or non-compliance.

Provide Training 

To ensure regulatory compliance within an organization, it is essential to provide adequate training to all employees. This training should include relevant laws and regulations, role-specific training, and training on internal policies and procedures related to compliance. Ongoing training should take place and training materials should be regularly updated to reflect changes in laws regulations or internal procedures. Let’s briefly examine these training requirements in more detail.

Role-Specific Training

While employees should have a general understanding of regulatory compliance, it is also important for personnel to receive role-specific training. For example, an employee in the finance department may require training in financial regulations, while an employee in the marketing department may need to be trained in advertising laws. This targeted training ensures that employees are equipped with the knowledge and skills they need to comply with regulations in their daily work.

Internal

In addition to external laws and regulations, organizations often have their own internal policies and procedures related to compliance. These may include codes of conduct, data protection policies, or safety protocols. Employees should receive training on these internal policies and procedures as well, as they are just as important for maintaining compliance within the organization.

Ongoing Training

Regulatory compliance is not a one-time event, but an ongoing process. Therefore, organizations need to provide regular and ongoing training. This could include refresher courses, updates on new laws or regulations, and reminders of best practices. By providing continuous training, organizations can ensure that their employees always remain knowledgeable on relevant requirements.

Maintain Policies

Establishing policies that align with relevant laws and regulations and internal requirements is a mandatory component of most compliance standards. These policies might outline the processes for handling sensitive information, maintaining data privacy, and ensuring ethical practices within the organization. Organizations might also require employees to review and acknowledge policies on a certain cadence (e.g. annually). Additionally, organizations must also regularly review and update these policies as regulations evolve and as part of continuous improvement efforts.

Continual Improvements 

Continuous improvement is a proactive approach that focuses on continuously evaluating and improving compliance measures within an organization. This methodology helps businesses stay ahead of regulatory changes and reduces the risk of non-compliance. Common continuous improvement methodologies include Kaizen, Plan-Do-Check-Act, Six Sigma, and Total Quality Management. The similarities between these methodologies are that continuous improvement should be an organizational-wide issue and not simply a management activity. Also, each of these methodologies involves implementing continuous improvement in small repeatable steps.

Compliance management can be automated as described here: Scaling With Automation: How to Transform Four Key Compliance Processes Using Automation.

What are the Benefits of Regulatory Compliance?

Improved Workflow and Efficiency

One of the key advantages of regulatory compliance is improved workflows and efficiencies. When companies have well-defined policies and procedures in place to meet regulatory requirements, they can streamline their operations. For example, clear data privacy and information processing guidelines and operating procedures facilitate employees’ ability to perform activities without fear of operating in a noncompliant manner. This efficiency can also lead to faster decision-making, smoother coordination between departments, and ultimately an overall improvement in workflow.

Reduced Risk

Compliance also helps organizations proactively identify and mitigate potential risks, improving overall risk management efforts. Noncompliance can result in customer data loss, large fines, loss of business opportunities, and potential legal repercussions. In maintaining compliance and adhering to regulatory standards, companies can avoid these risks and protect their bottom line.

Improved Public Image 

Maintaining compliance is essential for protecting and enhancing an organization’s reputation. By demonstrating a commitment to regulatory standards, companies can build trust with their stakeholders, including customers, partners, and investors. This can lead to increased brand loyalty, improved relationships with regulators, and ultimately a stronger position in the market.

Resilience

Another benefit of regulatory compliance is the resilience it provides to companies. Compliance helps businesses identify potential risks and prepare for them  before they occur. This can range from financial risks to environmental hazards. By having proper policies in place, companies are better equipped to handle any unforeseen circumstances and mitigate their impact.

Consequences of Noncompliance?

Non-compliance can lead to severe consequences such as fines, sanctions, or even legal action as described in the table below. Compliance issues could affect profitability, corporate reputation, and overall success.

ISO 27001 is voluntary. However, the cost of noncompliance can be correlated with the certification cost.

Conclusion – Tips for Successful Regulatory Compliance

Regulatory compliance requires ongoing effort and commitment from the entire organization. The most successful regulatory compliance programs are those that are a natural extension of the company’s values and culture, and those that view compliance as an opportunity for continuous improvement, rather than a burden. Regulatory compliance has numerous benefits for companies, including improved workflow, improved public image, resilience, and increased efficiencies.  Learn how AuditBoard’s integrated compliance management system can help you achieve compliance and scale your compliance program as requirements are updated and as your organization grows.

Keith

Keith Acfalle, CISA, is a Manager of Compliance Solutions at AuditBoard. Prior to joining Auditboard, Keith was an IT Consultant at Ernst and Young, specializing in SOX and GRC Compliance.