Regulatory Compliance Lifecycle

Who Makes the Rules & Regulations?

The regulatory process starts with Congress passing a law that addresses a perceived need for government oversight of the society or the economy. Examples include the Dodd-Frank Act, Affordable Care Act (ACA) also known as Obamacare and Sarbanes-Oxley (SOX) Act. Federal Agencies such as the Federal Reserve Board (Fed), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Bureau of Consumer Financial Protection (CFPB) the Comptroller of Currency (OCC), and the Environmental Protection Agency (EPA) etc. are provided authority to translate these laws into regulations using the processes and procedures that are defined in the Administrative Procedures Act (APA).



The Rule Making Process

As required by the APA, the Agencies publish notices of proposed rulemaking (NPRs) in the Federal Register, the official journal of the government, to alert the public and specifically those areas of society that are affected by the proposed rule. Agencies can publish a final rule without a commentary period if it has "good cause", but normally the public has 30-60 days to provide comments regarding the proposed rule so that the Agencies can consider the potential impact and make appropriate modifications to the rule. Once the rule has been finalized, the Agencies publish the Final Rule in the Federal Register and will designate an effective date by which the affected parties must comply with the provisions of the new regulation. In addition, once the rule becomes effective, it is updated in the e-CFR, which is updated on a daily basis.



Often, Agencies publish Guidance or Supervisory Letters to provide additional information about the expectations in the rule or to highlight their observations about the way industry is trying to adopt the rule. While the Guidance is usually published in the Federal Register, Supervisory Letters are typically available on the Agency Websites.

Rule Implementation by Affected Parties

Once a rule is final and the implementation date is known, those affected by the regulation must take steps to:

  1. Understand the requirements of the rule
  2. Formalize a plan of action to ensure they comply with the requirements
  3. Implement the changes needed to become compliant



Demonstration of Compliance

Regulated firms are periodically audited by their Supervisory Agency (also called as regulators). Usually supervisory agencies send what is called as the First Day Letter indicating their intent to audit the desired section(s) of rule(s). This process requires that the firm be able to demonstrate how their operations and supporting systems comply with the requirements in the rule, their staff has been properly trained and the entire process is well documented. It's essential to have properly organized evidence and documentation to support a firm's claim of compliance. If for example, models are used in the compliance process, supervisors expect that a firm has evidence of the development process, including theoretical approaches, validation procedures, an understanding of their limitations, and controls over their use and management reviews. It should be noted that in an increasing number of regulations, a firm is required to conduct ongoing periodic reviews and validations to ensure they remain compliant. All this takes a lot of time, effort and represents a significant cost. Regulated firms have no choice and they are required to comply with applicable regulations.



If the agencies determine that the company or organization has not met with the expected standards as determined in the rules, they would provide them with comments in documents called Matters Requiring Attention (MRA). Continuing failure to demonstrate compliance would result in fines and penalties.

How many Supervisory Agencies Audit a Regulated Firm?

Some firms have several regulators - a primary supervisor as well as other agencies. For example, a large bank might have the Fed as it primary supervisor, but is also subject to review by the FDIC.

Impact of Non-Compliance

Failure to comply with a rule potentially subjects a regulated firm to sanctions including administrative reprimands, fines and in extreme cases, closure. This is commonly referred to as Regulatory Risk. But perhaps the more devastating risk of non-compliance is damage to a firm's reputation or brand commonly referred to as Reputational Risk.



Select the type of deployment - BCube compliance cloud or private data center;
select the agency(s) you need (rules for the entire agency included) and
select a pilot regulation.

About Us

An agile and cloud-based compliance platform equipped with rule content for banking, finance, healthcare and insurance and tools to perform gap analysis, audit and monitoring effectively.

Our vision is to enable our clients reduce their compliance challenges, and meet heightened regulatory standards.


Center for Innovation and Entrepreneurship, UMass Dartmouth
Suite 103, 151 Martine Street, Fall River, MA-02723

+1 (617) 944-2823 OR +1 (617) 944-CUBE
+1 (617) 399-6678