Regulatory Compliance

Overview

Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations. In general, compliance means conforming to a specification or policy, standard or law that has been clearly defined.

Corporate scandals and breakdowns such as the Enron case in 2001 have highlighted the need for stronger compliance regulations for publicly listed companies. The most significant regulation in this context is the Sarbanes-Oxley Act developed by two U.S. congressmen, Senator Paul Sarbanes and Representative Michael Oxley in 2002 which defined significant tighter personal responsibility of corporate top management for the accuracy of reported financial statements.

Compliance data is defined as all data belonging or pertaining to enterprise or included in the law, which can be used for the purpose of implementing or validating compliance. It is the set of all data that is relevant to a governance officer or to a court of law for the purposes of validating consistency, completeness, or compliance.

Privacy, Governance, and National Security

While it may seem overwhelming, in general, regulations fall into three categories: Privacy, Governance, and National Security. Privacy regulations, like HIPPA, govern how organizations gather, use, and retain private information. Governance regulations, like SOX, require organizations to maintain standards in record keeping that represent good corporate governance. The USA Patriot Act and other National Security regulations control how organizations track and report suspicious activities.

Regulations and Mandates

Managing vital and sensitive corporate information has always been a cumbersome and complex process, but now, companies must be constantly prepared for government audits aimed to prove or disprove their adherence with regulations. Below are a few important statutes to consider on the road to compliance.

Sarbanes-Oxley Act (SOX) focuses on financial records by examining corporate reporting practices and auditor policies. How companies retain financial reports, as well as the integrity of the procedures related to the process, are scrutinized.

Securities and Exchange Commission (SEC) Rule 17a describes mandates for financial brokers and dealers regarding the retention, storage, and retrieval of electronic records, particularly email and instant messages. Information must be stored in an immutable, or unaltered, format for a period of three years.

The USA Patriot Act requires that banking and financial institutions implement procedures to verify the identity of anyone seeking to open an account. Banks must maintain records of the information used to verify a personís identity. The Patriot Act also affects other organizations that conduct customer screening such as car dealerships, travel agencies, real estate firms, and jewelers.

The Gramm-Leach-Bliley Act requires that all financial institutions ensure the security and confidentiality of customer records. Firms must protect personal information from anticipated threats and unauthorized access.

The Bank Secrecy Act (BSA) requires that financial institutions maintain a record of personal transactions that "have a high degree of usefulness in criminal, tax and regulatory investigations." Institutions are required to report any suspicious transactions to the U.S. Treasury Department.

Health Insurance Portability and Accountability Act (HIPAA) imposes standards on the healthcare industry for electronic documents and transactions. The security and privacy of patient information is paramount. HIPAA mandates compliance for providers such as doctors, hospitals, and clinics; payors such as insurance companies, HMOs, and health plans; as well as organizations that do business with providers and payors.

FDA Title 21CFR Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data that are (a) required to be maintained by the FDA predicate rules or (b) used to demonstrate compliance to a predicate rule.

The U.S. Department of Defense Directive 5015.2óDoD Records Management Programódefines mandatory requirements for records management and assures data is being stored according to government standards. This directive applies to the Office of the Secretary of Defense, the Military, the Joint Chiefs of Staff, and all other organizational entities of the Department of Defense. It requires that these groups create, maintain, and preserve information as records, in any media, that document the transaction of business and mission in wartime and peacetime.

The Government Paperwork Elimination Act (GPEA) provides for the option of electronic information as a substitute for paper. This requires federal agencies to provide electronic submission forms and to utilize electronic signatures.