Regulatory Compliance

Multi-sector regulatory compliance skill for industry-specific regulations. Use when the user needs assistance with regulatory frameworks, compliance programs, regulatory investigations, or industry-specific requirements across sectors. Triggers on keywords like "regulatory", "compliance program", "regulated industry", "agency", "enforcement", "regulatory investigation", "consent decree", "compliance audit", "regulatory risk".

ID: general.regulatory.regulatory-compliance
Version: 0.1.0
License: MIT
Author: judicialmind
Language: en
Added: 2026-06-01

This skill provides expert guidance for navigating regulatory frameworks across multiple industries and jurisdictions.

Core Capabilities

1. Compliance Programs

  • Program design
  • Policy development
  • Risk assessment
  • Monitoring and testing

2. Regulatory Strategy

  • Agency engagement
  • Comment letters
  • Rulemaking participation
  • Regulatory advocacy

3. Investigations

  • Investigation response
  • Self-disclosure
  • Settlement negotiation
  • Remediation

4. Industry-Specific

  • Financial services
  • Healthcare
  • Energy
  • Technology

Compliance Program Framework

Essential Elements (DOJ/SEC Framework)

EFFECTIVE COMPLIANCE PROGRAM ELEMENTS

1. COMMITMENT FROM SENIOR MANAGEMENT
   - Tone at the top
   - Resource allocation
   - Accountability

2. AUTONOMY AND RESOURCES
   - Chief Compliance Officer
   - Reporting structure
   - Budget and staff

3. POLICIES AND PROCEDURES
   - Clear standards
   - Tailored guidance
   - Regular updates

4. RISK ASSESSMENT
   - Enterprise risk assessment
   - Control environment review
   - Third-party risk

5. TRAINING AND COMMUNICATION
   - Role-based training
   - Annual certifications
   - Ongoing awareness

6. REPORTING MECHANISMS
   - Hotline/helpline
   - Non-retaliation
   - Investigation protocol

7. INCENTIVES AND DISCIPLINE
   - Compliance in performance
   - Consistent enforcement
   - Documented actions

8. CONTINUOUS IMPROVEMENT
   - Testing and monitoring
   - Remediation
   - Lessons learned

9. THIRD-PARTY MANAGEMENT
   - Due diligence
   - Contract requirements
   - Monitoring

10. M&A DUE DILIGENCE
    - Pre-acquisition review
    - Integration planning
    - Post-acquisition remediation

Risk Assessment Process

┌─────────────────────────────────────────────────┐
│  1. IDENTIFY RISKS                               │
│     - Regulatory requirements                    │
│     - Industry-specific risks                    │
│     - Geographic considerations                  │
│     - Business activities                        │
└─────────────────────────────────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────────┐
│  2. ASSESS INHERENT RISK                         │
│     - Likelihood of occurrence                   │
│     - Potential impact                           │
│     - Regulatory scrutiny                        │
└─────────────────────────────────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────────┐
│  3. EVALUATE CONTROLS                            │
│     - Preventive controls                        │
│     - Detective controls                         │
│     - Control effectiveness                      │
└─────────────────────────────────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────────┐
│  4. DETERMINE RESIDUAL RISK                      │
│     - Risk after controls                        │
│     - Risk tolerance                             │
│     - Action required                            │
└─────────────────────────────────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────────┐
│  5. PRIORITIZE AND REMEDIATE                     │
│     - High-risk areas first                      │
│     - Resource allocation                        │
│     - Timeline and milestones                    │
└─────────────────────────────────────────────────┘

Financial Services Regulation

US Regulatory Agencies

Agency | Jurisdiction
SEC | Securities, public companies
FINRA | Broker-dealers, self-regulatory
CFTC | Commodities, derivatives
Federal Reserve | Bank holding companies
OCC | National banks
FDIC | Deposit insurance, state banks
CFPB | Consumer financial products
FinCEN | AML/BSA
OFAC | Sanctions

Key Financial Regulations

Regulation | Focus
Dodd-Frank | Systemic risk, derivatives, consumer protection
Bank Secrecy Act | AML reporting
Securities Act | Securities offerings
Exchange Act | Securities trading, reporting
Investment Advisers Act | Investment advisor conduct
Gramm-Leach-Bliley | Financial privacy
FCPA | Foreign bribery

AML Compliance Program

AML PROGRAM REQUIREMENTS

1. POLICIES AND PROCEDURES
   □ Written AML program
   □ Risk assessment
   □ Customer identification (CIP)
   □ Customer due diligence (CDD)
   □ Beneficial ownership

2. COMPLIANCE OFFICER
   □ Designated BSA/AML officer
   □ Authority and independence
   □ Board reporting

3. TRAINING
   □ Initial and ongoing training
   □ Role-specific content
   □ Documentation

4. INDEPENDENT TESTING
   □ Annual audit
   □ Scope and coverage
   □ Remediation tracking

5. MONITORING AND REPORTING
   □ Transaction monitoring
   □ SAR filing
   □ CTR filing
   □ Regulatory reporting

Healthcare Regulation

Key Agencies and Laws

Regulation | Agency | Focus
HIPAA | HHS/OCR | Privacy and security
Stark Law | CMS | Physician self-referral
Anti-Kickback | OIG | Fraud and abuse
False Claims Act | DOJ | Government fraud
EMTALA | CMS | Emergency treatment
FDA Regulations | FDA | Drugs, devices, food

Healthcare Compliance Program (OIG Guidance)

  1. Written policies and procedures
  2. Compliance officer and committee
  3. Effective training and education
  4. Effective lines of communication
  5. Internal monitoring and auditing
  6. Enforcement and discipline
  7. Prompt response and corrective action

Technology Regulation

Data Privacy Regulations

Regulation | Jurisdiction | Key Requirements
GDPR | EU | Consent, rights, breach notification
CCPA/CPRA | California | Consumer rights, opt-out
VCDPA | Virginia | Consumer rights, assessments
CPA | Colorado | Universal opt-out
CTDPA | Connecticut | Privacy rights

Cybersecurity Requirements

Framework | Applicability
NIST Cybersecurity Framework | Voluntary, widely adopted
SOC 2 | Service organizations
ISO 27001 | International standard
PCI DSS | Payment card industry
CMMC | Defense contractors
NY DFS Cybersecurity | Financial services (NY)

AI Regulation (Emerging)

  • EU AI Act
  • FTC unfairness authority
  • Algorithmic accountability
  • Bias and fairness requirements
  • Transparency obligations

Energy Regulation

Key Agencies

Agency | Jurisdiction
FERC | Interstate energy, wholesale markets
DOE | Energy policy, nuclear
NRC | Nuclear safety
EPA | Environmental (energy-related)
State PUCs | Retail energy, local distribution

Energy Compliance Areas

  • Market manipulation (FERC)
  • Environmental permits
  • Safety regulations
  • Transmission access
  • Rate compliance
  • Renewable portfolio standards

Regulatory Investigations

Investigation Response Protocol

1. INITIAL RESPONSE
   □ Preserve documents
   □ Issue litigation hold
   □ Identify key custodians
   □ Engage outside counsel
   □ Assess privilege issues

2. ASSESSMENT
   □ Understand scope
   □ Identify relevant conduct
   □ Assess exposure
   □ Develop strategy

3. DOCUMENT PRODUCTION
   □ Collect and process
   □ Review for privilege
   □ Produce responsively
   □ Track requests

4. WITNESS PREPARATION
   □ Identify witnesses
   □ Prepare for interviews
   □ Coordinate testimony
   □ Protect rights

5. ENGAGEMENT WITH REGULATORS
   □ Establish communication protocol
   □ Cooperate appropriately
   □ Advocate for client
   □ Negotiate resolution

6. REMEDIATION
   □ Address root causes
   □ Implement improvements
   □ Document changes
   □ Monitor effectiveness

Self-Disclosure Considerations

Factor | Consideration
Legal requirement | Mandatory vs. voluntary
Cooperation credit | Agency incentives
Timing | Promptness valued
Thoroughness | Complete investigation
Remediation | Corrective actions
Reputational | Public disclosure implications

Settlement Options

Resolution | Features
No action | Matter closed
Warning letter | No formal action
Consent order | Agreed resolution
Civil penalty | Monetary sanction
Disgorgement | Return of profits
Injunction | Conduct restrictions
Corporate integrity agreement | Healthcare oversight
Deferred prosecution agreement | Criminal resolution
Non-prosecution agreement | No charges filed

Regulatory Engagement

Comment Letter Best Practices

EFFECTIVE COMMENT LETTERS

1. INTRODUCTION
   - Identify commenter
   - State position clearly
   - Summarize key points

2. LEGAL ANALYSIS
   - Statutory authority
   - Administrative law issues
   - Constitutional concerns

3. PRACTICAL IMPACT
   - Cost-benefit analysis
   - Industry impact
   - Unintended consequences

4. ALTERNATIVE APPROACHES
   - Propose modifications
   - Suggest alternatives
   - Offer to collaborate

5. DATA AND EVIDENCE
   - Support with data
   - Industry examples
   - Academic research

6. COALITION BUILDING
   - Coordinate with others
   - Consistent messaging
   - Demonstrate broad support

Agency Relationships

  • Regular communication channels
  • Trade association engagement
  • Industry working groups
  • Pre-filing consultations
  • Formal guidance requests

Cross-Border Compliance

Multi-Jurisdictional Considerations

Issue | Approach
Conflicting requirements | Risk-based prioritization
Data localization | Infrastructure planning
Extraterritorial reach | Comprehensive compliance
Regulatory coordination | Harmonized programs

Global Compliance Program

  • Headquarters oversight
  • Local adaptation
  • Consistent standards
  • Cultural sensitivity
  • Language considerations

Integration with Other Skills

  • compliance-tracking: Regulatory monitoring
  • healthcare-law: Healthcare-specific compliance
  • environmental-law: Environmental regulations
  • banking-finance: Financial services compliance
  • tax-law: Tax regulatory compliance

Reference Files

For detailed guidance:

  • references/program-design.md - Compliance program framework
  • references/investigation-playbook.md - Investigation response
  • references/agency-guide.md - Regulatory agency reference
