Multi-sector regulatory compliance skill for industry-specific regulations. Use when the user needs assistance with regulatory frameworks, compliance programs, regulatory investigations, or industry-specific requirements across sectors. Triggers on keywords like "regulatory", "compliance program", "regulated industry", "agency", "enforcement", "regulatory investigation", "consent decree", "compliance audit", "regulatory risk".
This skill provides expert guidance for navigating regulatory frameworks across multiple industries and jurisdictions.
EFFECTIVE COMPLIANCE PROGRAM ELEMENTS
1. COMMITMENT FROM SENIOR MANAGEMENT
- Tone at the top
- Resource allocation
- Accountability
2. AUTONOMY AND RESOURCES
- Chief Compliance Officer
- Reporting structure
- Budget and staff
3. POLICIES AND PROCEDURES
- Clear standards
- Tailored guidance
- Regular updates
4. RISK ASSESSMENT
- Enterprise risk assessment
- Control environment review
- Third-party risk
5. TRAINING AND COMMUNICATION
- Role-based training
- Annual certifications
- Ongoing awareness
6. REPORTING MECHANISMS
- Hotline/helpline
- Non-retaliation
- Investigation protocol
7. INCENTIVES AND DISCIPLINE
- Compliance in performance
- Consistent enforcement
- Documented actions
8. CONTINUOUS IMPROVEMENT
- Testing and monitoring
- Remediation
- Lessons learned
9. THIRD-PARTY MANAGEMENT
- Due diligence
- Contract requirements
- Monitoring
10. M&A DUE DILIGENCE
- Pre-acquisition review
- Integration planning
- Post-acquisition remediation
RISK ASSESSMENT PROCESS
1. IDENTIFY RISKS
- Regulatory requirements
- Industry-specific risks
- Geographic considerations
- Business activities
2. ASSESS INHERENT RISK
- Likelihood of occurrence
- Potential impact
- Regulatory scrutiny
3. EVALUATE CONTROLS
- Preventive controls
- Detective controls
- Control effectiveness
4. DETERMINE RESIDUAL RISK
- Risk after controls
- Risk tolerance
- Action required
5. PRIORITIZE AND REMEDIATE
- High-risk areas first
- Resource allocation
- Timeline and milestones

FINANCIAL SERVICES REGULATORS
| Agency | Jurisdiction |
|---|---|
| SEC | Securities, public companies |
| FINRA | Broker-dealers, self-regulatory |
| CFTC | Commodities, derivatives |
| Federal Reserve | Bank holding companies |
| OCC | National banks |
| FDIC | Deposit insurance, state banks |
| CFPB | Consumer financial products |
| FinCEN | AML/BSA |
| OFAC | Sanctions |

FINANCIAL SERVICES REGULATIONS
| Regulation | Focus |
|---|---|
| Dodd-Frank | Systemic risk, derivatives, consumer protection |
| Bank Secrecy Act | AML reporting |
| Securities Act | Securities offerings |
| Exchange Act | Securities trading, reporting |
| Investment Advisers Act | Investment adviser conduct |
| Gramm-Leach-Bliley | Financial privacy |
| FCPA | Foreign bribery |

AML PROGRAM REQUIREMENTS
1. POLICIES AND PROCEDURES
□ Written AML program
□ Risk assessment
□ Customer identification (CIP)
□ Customer due diligence (CDD)
□ Beneficial ownership
2. COMPLIANCE OFFICER
□ Designated BSA/AML officer
□ Authority and independence
□ Board reporting
3. TRAINING
□ Initial and ongoing training
□ Role-specific content
□ Documentation
4. INDEPENDENT TESTING
□ Annual audit
□ Scope and coverage
□ Remediation tracking
5. MONITORING AND REPORTING
□ Transaction monitoring
□ SAR filing
□ CTR filing
□ Regulatory reporting

HEALTHCARE REGULATIONS
| Regulation | Agency | Focus |
|---|---|---|
| HIPAA | HHS/OCR | Privacy and security |
| Stark Law | CMS | Physician self-referral |
| Anti-Kickback | OIG | Fraud and abuse |
| False Claims Act | DOJ | Government fraud |
| EMTALA | CMS | Emergency treatment |
| FDA Regulations | FDA | Drugs, devices, food |

DATA PRIVACY REGULATIONS
| Regulation | Jurisdiction | Key Requirements |
|---|---|---|
| GDPR | EU | Consent, rights, breach notification |
| CCPA/CPRA | California | Consumer rights, opt-out |
| VCDPA | Virginia | Consumer rights, assessments |
| CPA | Colorado | Universal opt-out |
| CTDPA | Connecticut | Privacy rights |

CYBERSECURITY FRAMEWORKS
| Framework | Applicability |
|---|---|
| NIST Cybersecurity Framework | Voluntary, widely adopted |
| SOC 2 | Service organizations |
| ISO 27001 | International standard |
| PCI DSS | Payment card industry |
| CMMC | Defense contractors |
| NY DFS Cybersecurity | Financial services (NY) |

ENERGY REGULATORS
| Agency | Jurisdiction |
|---|---|
| FERC | Interstate energy, wholesale markets |
| DOE | Energy policy, nuclear |
| NRC | Nuclear safety |
| EPA | Environmental (energy-related) |
| State PUCs | Retail energy, local distribution |

REGULATORY INVESTIGATION RESPONSE
1. INITIAL RESPONSE
□ Preserve documents
□ Issue litigation hold
□ Identify key custodians
□ Engage outside counsel
□ Assess privilege issues
2. ASSESSMENT
□ Understand scope
□ Identify relevant conduct
□ Assess exposure
□ Develop strategy
3. DOCUMENT PRODUCTION
□ Collect and process
□ Review for privilege
□ Produce responsively
□ Track requests
4. WITNESS PREPARATION
□ Identify witnesses
□ Prepare for interviews
□ Coordinate testimony
□ Protect rights
5. ENGAGEMENT WITH REGULATORS
□ Establish communication protocol
□ Cooperate appropriately
□ Advocate for client
□ Negotiate resolution
6. REMEDIATION
□ Address root causes
□ Implement improvements
□ Document changes
□ Monitor effectiveness

DISCLOSURE CONSIDERATIONS
| Factor | Consideration |
|---|---|
| Legal requirement | Mandatory vs. voluntary |
| Cooperation credit | Agency incentives |
| Timing | Promptness valued |
| Thoroughness | Complete investigation |
| Remediation | Corrective actions |
| Reputational | Public disclosure implications |

RESOLUTION OPTIONS
| Resolution | Features |
|---|---|
| No action | Matter closed |
| Warning letter | No formal action |
| Consent order | Agreed resolution |
| Civil penalty | Monetary sanction |
| Disgorgement | Return of profits |
| Injunction | Conduct restrictions |
| Corporate integrity agreement | Healthcare oversight |
| Deferred prosecution agreement | Criminal resolution |
| Non-prosecution agreement | No charges filed |

EFFECTIVE COMMENT LETTERS
1. INTRODUCTION
- Identify commenter
- State position clearly
- Summarize key points
2. LEGAL ANALYSIS
- Statutory authority
- Administrative law issues
- Constitutional concerns
3. PRACTICAL IMPACT
- Cost-benefit analysis
- Industry impact
- Unintended consequences
4. ALTERNATIVE APPROACHES
- Propose modifications
- Suggest alternatives
- Offer to collaborate
5. DATA AND EVIDENCE
- Support with data
- Industry examples
- Academic research
6. COALITION BUILDING
- Coordinate with others
- Consistent messaging
- Demonstrate broad support

MULTI-JURISDICTIONAL COMPLIANCE ISSUES
| Issue | Approach |
|---|---|
| Conflicting requirements | Risk-based prioritization |
| Data localization | Infrastructure planning |
| Extraterritorial reach | Comprehensive compliance |
| Regulatory coordination | Harmonized programs |

For detailed guidance:
- references/program-design.md - Compliance program framework
- references/investigation-playbook.md - Investigation response
- references/agency-guide.md - Regulatory agency reference