Regulatory Compliance Lifecycle
Regulatory Compliance Lifecycle
Who Makes the Rules & Regulations?
The Rule Making Process
As required by the APA, the Agencies publish notices of proposed rulemaking (NPRs) in the Federal Register, the official journal of the government, to alert the public and specifically those areas of society that are affected by the proposed rule. Agencies can publish a final rule without a commentary period if it has "good cause", but normally the public has 30-60 days to provide comments regarding the proposed rule so that the Agencies can consider the potential impact and make appropriate modifications to the rule. Once the rule has been finalized, the Agencies publish the Final Rule in the Federal Register and will designate an effective date by which the affected parties must comply with the provisions of the new regulation. In addition, once the rule becomes effective, it is updated in the e-CFR, which is updated on a daily basis.
Often, Agencies publish Guidance or Supervisory Letters to provide additional information about the expectations in the rule or to highlight their observations about the way industry is trying to adopt the rule. While the Guidance is usually published in the Federal Register, Supervisory Letters are typically available on the Agency Websites.
Rule Implementation by Affected Parties
Once a rule is final and the implementation date is known, those affected by the regulation must take steps to:
- Understand the requirements of the rule
- Formalize a plan of action to ensure they comply with the requirements
- Implement the changes needed to become compliant
Demonstration of Compliance
Regulated firms are periodically audited by their Supervisory Agency (also called as regulators). Usually supervisory agencies send what is called as the First Day Letter indicating their intent to audit the desired section(s) of rule(s). This process requires that the firm be able to demonstrate how their operations and supporting systems comply with the requirements in the rule, their staff has been properly trained and the entire process is well documented. It's essential to have properly organized evidence and documentation to support a firm's claim of compliance. If for example, models are used in the compliance process, supervisors expect that a firm has evidence of the development process, including theoretical approaches, validation procedures, an understanding of their limitations, and controls over their use and management reviews. It should be noted that in an increasing number of regulations, a firm is required to conduct ongoing periodic reviews and validations to ensure they remain compliant. All this takes a lot of time, effort and represents a significant cost. Regulated firms have no choice and they are required to comply with applicable regulations.
If the agencies determine that the company or organization has not met with the expected standards as determined in the rules, they would provide them with comments in documents called Matters Requiring Attention (MRA). Continuing failure to demonstrate compliance would result in fines and penalties.
How many Supervisory Agencies Audit a Regulated Firm?
Some firms have several regulators - a primary supervisor as well as other agencies. For example, a large bank might have the Fed as it primary supervisor, but is also subject to review by the FDIC.
Impact of Non-Compliance
Failure to comply with a rule potentially subjects a regulated firm to sanctions including administrative reprimands, fines and in extreme cases, closure. This is commonly referred to as Regulatory Risk. But perhaps the more devastating risk of non-compliance is damage to a firm's reputation or brand commonly referred to as Reputational Risk.