What is regulatory compliance?

Workplace safety and diversity

Compliance with regulations regarding machinery, hygiene, ingredients, and material handling help prevent accidents and ensure products are safe for consumption. Complying with rules that prohibit discrimination and harassment contributes to a positive work environment and fosters acceptance.

In sum, proper compliance maintains the integrity of the business. It generates goodwill among customers and partners and helps the organization stay on top of changing regulations with just a little adjustment.

Primary U.S. compliance regulations

Some of the most well-known U.S. compliance regulations are about protecting your business from data leaks and lawsuits that can damage the organization, protecting employees from harmful working conditions, and protecting customers from fraudulent activities like predatory lending and price gouging:

• The Health Insurance Portability and Accountability Act (HIPAA) created standards to protect patient information and ensure a straightforward transfer of the information between health insurance companies and doctors and health systems.

• The Sarbanes-Oxley Act (SOX) of 2002 was enacted to protect investors of publicly traded companies from fraudulent financial practices by establishing standards for audits and public disclosure of financial data with steep penalties for violations.

• The Dodd-Frank Act came about in the aftermath of the 2008 financial crisis, in which some Wall Street entities were deemed “too big to fail.” It ended taxpayer bailouts and placed rules on banks concerning speculative trading, investment activities, and reserve requirements to facilitate financial transparency and accountability.

• The Payment Card Industry Data Security Standard (PCI DSS) sets technical and operational compliance standards for businesses to securely accept and process credit card data provided by cardholders and transmitted through card processing transactions.

• The California Consumer Privacy Act (CCPA) applies to the collection and storage of customer information by companies doing business in the state of California. It requires businesses with at least $25 million in annual revenue to disclose if they will be selling personal information and gives consumers the right to opt out of data collection activities.

• The Federal Information Security Management Act (FISMA) of 2002 made it a requirement for all federal agencies to develop, document, and implement an information security and protection program including risk assessment and continuous threat monitoring in light of growing cyberattack threats. FISMA standards have been updated several times in 2010 and 2019 to keep pace with the latest cyber threats.

• Equal Employment Opportunity Commission (EEOC) regulations defend employees and job applicants against discrimination on the basis of race, color, nationality, religion, gender, age, disability, genetic information, and retaliation for whistleblowing in working situations. This includes hiring, firing, promotion, harassment, training, wages, and benefits at both public and private employers.

Primary U.S. compliance regulatory agencies

The major regulatory agencies responsible for overseeing compliance include:

• Food and Drug Administration (FDA) – Oversees companies involved in manufacturing food products, cosmetics, drugs and medical devices.

• Federal Trade Commission (FTC) – Enforces antitrust laws that are non-criminal for establishing a competitive market and protecting consumers from deceitful business practices.

• National Institute of Standards and Technology (NIST) – Develops standards and guidelines to help meet specific regulatory compliance requirements such as IT and data security under FISMA.

• Occupational Health & Safety Administration (OSHA) – Regulates working conditions by preparing and enforcing standards to provide a safe and healthy work environment.

• Payment Card Industry Security Standards Council (PCI SSC) – Develops and drives adoption of data security standards and resources for safe payments worldwide.

• U.S. Equal Employment Opportunity Commission (EEOC) –Enforces federal laws that make it illegal to discriminate against a job applicant or employee and sets penalties for unfair treatment in the workplace.

• Companies doing business outside of the U.S. also adhere to compliance regulations put in place by foreign or international governing bodies.

One example is the General Data Protection Regulation (GDPR). Its regulations apply to organizations collecting data from citizens in the European Union regardless of the headquarters location of the business. GDPR is enforced in all EU member states. Further, GDPR applies to the data collected from residents in the EU even if they are not EU citizens, such as diplomats and vacationers.

Conversely, Canada, for instance, has no federal regulatory agency for securities trading. Instead, financial firms operate according to guidelines set by each province.

Regulatory compliance policy

Every enterprise should have a regulatory compliance policy in place.

Think of it as something akin to a disaster recovery policy; it is both a roadmap and a statement for adhering to relevant laws set forth by governing agencies in their industry. A regulatory compliance policy serves two primary purposes:

• Outlines processes to be followed to keep the business aligned with compliance mandates, and who is responsible

• Publicly declaring the organization’s commitment to compliance increases confidence in the business by employees, the consuming public, and governing entities

 A regulatory compliance policy typically outlines:

• The purpose and scope of the compliance policy. What regulations are covered?

• Who must follow the regulations. Are there any exceptions or limitations of the compliance policy?

• List of specific regulations that must be followed and the steps and procedures to maintain compliance.

• Communication protocols in the event of a violation including authorities to notify.

• Procedures for monitoring and scheduling periodic reviews of compliance efforts.

The regulatory compliance officer and best practices

The task of determining which regulations must be followed, developing specific workflows and procedures to ensure compliance, and communicating and reviewing policies usually falls to a compliance officer.

The compliance officer might be a position created by the company as a proactive step to avoid legal consequences in a very litigious society, or possibly demanded by a regulatory body after finding repeated violations.

The compliance officer often implements best practices to ensure compliance and minimize the risk of fines and penalties for non-compliance by:

• Developing and publishing the organization’s regulatory compliance policy.

• Performing periodic internal audits to assess present compliance status.

• Monitoring governing bodies for any changes or updates to regulations and keeping current.

• Training employees in regulatory compliance.

• Judging whether an incident meets the criteria for a violation.

• Enforcing disciplinary action in case of violations.

• Reporting known violations to governing authorities.

• Implementing automated workflow solutions that increase productivity while maintaining compliance.

• Being the face of compliance to the media after a violation.

Partner certification

Businesses rarely operate in a vacuum; sooner or later information and assets are touched by outside members of the supply or information chain.

When vetting suppliers and business partners, companies should inquire about the firm’s attitude toward maintaining compliance and only engage vendors that can demonstrate high-level certifications, such as:

HITRUST certification

The HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of scalable security controls. HITRUST certification means the organization has met key regulations and industry-defined requirements and is appropriately managing risk across 19 identified control domains.

PCI certification

PCI certification through the FTC is a must for companies processing electronic payments and using debit and credit card systems. PCI-certified businesses can be trusted to handle your customers’ transactions and secure their data. Without it, you are putting your customers at risk and exposing your firm to fines and penalties.

Equal Employment Opportunity Commission certification

This means the business is compliant with workplace hiring practices and cannot be penalized for discrimination. This provides confidence to businesses that their partners will not disrupt the supply chain based on violations of individual rights and freedoms.

FDA 510(k) clearance

Companies in the medical device space will want to make sure their partners' products have Food & Drug Administration 510(k) clearance, meaning the device to be marketed has been proven safe and effective before application on a patient.

Sometimes earning a certification like the FDA 510(k) clearance requires meeting additional quality and compliance standards. For example, to earn this FDA certification, a company must earn ISO (International Organization of Standards) 13485 certification.

Related content

Article: HITRUST Certification Explained

Article: Why We Chose PCI Certification Over PCI Compliance

Article: Ricoh FDA 510k Certification for 3D printed anatomical models

Making compliance part of your business DNA

Following compliance best practices and finding a partner who excels in the area of compliance helps to protect you and your customers.

As a company whose business revolves around information, we understand the challenges and requirements of keeping data safe.

In fact, we have earned multiple certifications relating to keeping data and products safe including HITRUST for data security, PCI DSS to help customers manage secure electronic payments, FDA 510(k) clearance for our 3D craniomaxillofacial (CMF) and orthopedic patient-specific anatomic tissue and bone modeling, and several others.