Compliance 101: What is Compliance?
When a business, product, service, or process is described as compliant, this typically means that it has been shown to meet the requirements of a specific regulation or standard. Compliance is generally linked to rules or laws that can be industry-specific, geographically localized, or cross-jurisdictional. Because technology and business processes keep evolving, the regulatory landscape is in constant flux, and compliance is therefore an ongoing task rather than a one-off project.
Various governing bodies apply regulations and standards to industry sectors and geographies. There is often significant overlap between different regulations, and controls implemented to meet one requirement frequently satisfy another. Whatever the case, regulatory compliance is expensive, time-consuming, and requires specialist knowledge.
Examples of compliance standards include:
Specific industry regulations
Compliance and regulations in healthcare
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the healthcare sector in the USA. Its Privacy Rule and Security Rule require covered entities (such as health plans and providers) and their business associates to apply privacy and security protections to Protected Health Information (PHI).
Compliance and regulations in finance
The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that governs how financial institutions collect, share, and protect customer data. The Sarbanes-Oxley Act of 2002 (SOX), also a U.S. federal law, sets requirements for financial reporting and the internal controls behind it; it was enacted in part as a response to the Enron scandal.
Compliance and regulations in retail/eCommerce
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits payment card data. It is maintained by the PCI Security Standards Council, founded by Mastercard, Visa, Discover, American Express, and JCB. The remit of PCI DSS is to protect cardholder data.
Geographic compliance regulations
The EU's General Data Protection Regulation (GDPR) became enforceable in May 2018. One of its core principles is "data protection by design and by default." Although it is an EU law, it has wide-reaching jurisdiction: it protects the personal data of individuals in the EU regardless of their citizenship, and it applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
The California Consumer Privacy Act (CCPA) gives California residents rights over their personal information and applies to businesses that meet its thresholds and do business in California, wherever those businesses are located.
Workplace specific compliance regulations
The Occupational Safety and Health Act of 1970 (OSH Act) is a U.S. law aimed at ensuring that workplaces are safe; it is enforced by the Occupational Safety and Health Administration (OSHA). The OSH Act requires that employers "provide a workplace free from serious recognized hazards."
The compliance department or team
An organization may have an internal compliance team, use external experts, or deploy a mix of both to help it achieve compliance. Compliance departments typically employ individuals who have experience and/or certifications in the specific compliance areas that the company must adhere to. A Chief Compliance Officer (CCO) is increasingly important in heavily regulated industries, such as finance. A CCO oversees compliance programs, ensuring they are appropriately staffed, effective, and efficient. A CCO and their team work to identify areas of the business that do not comply with the laws and external regulations that apply to it.
Compliance risk and compliance management
Organizations that are non-compliant with the regulations and laws governing their industry or geographic reach face an increased risk of fines, personal penalties, reputational damage, and share price drops. Data privacy and data protection non-compliance in particular can result in very large fines: one example is the 2021 fine of €746 million imposed on Amazon for non-compliance with GDPR. Under some regulations and laws, personal liability is also a concern; the Thomson Reuters "Cost of Compliance 2021" report found that 50% of respondents expect personal liability for compliance issues to increase.
Compliance management and RegTech to enforce compliance
Compliance can be managed using specialist software solutions that come under the umbrella of RegTech. RegTech is not a single solution but a group of technologies that help an organization run and evidence its compliance efforts. Many RegTech solutions use emerging technologies such as artificial intelligence (AI) and machine learning (ML), data analytics, blockchain, robotic process automation (RPA), and data orchestration engines. An example of a RegTech solution is an intelligent anti-money laundering (AML) platform that uses ML to flag suspicious transactions for investigation. In complex areas such as AML, regulators themselves have encouraged this: the U.S. agencies responsible for the Bank Secrecy Act (BSA)/AML regime have publicly encouraged financial institutions to explore innovative technologies, including AI and ML, to strengthen their compliance programs.