Regulatory compliance
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.
Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations. Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.
Regulations and accrediting organizations vary among fields, with examples such as PCI-DSS and GLBA in the financial industry, FISMA for U.S. federal agencies, HACCP for the food and beverage industry, and the Joint Commission and HIPAA in healthcare. In some cases other compliance frameworks or even standards inform on how to comply with regulations.
Some organizations keep compliance data—all data belonging or pertaining to the enterprise or included in the law, which can be used for the purpose of implementing or validating compliance—in a separate store for meeting reporting requirements. Compliance software is increasingly being implemented to help companies manage their compliance data more efficiently. This store may include calculations, data transfers, and audit trails.
Standards
The International Organization for Standardization and its ISO 37301:2021 standard is one of the primary international standards for how businesses handle regulatory compliance, providing a reminder of how compliance and risk should operate together, as "colleagues" sharing a common framework with some nuances to account for their differences. The ISO also produces international standards such as ISO/IEC 27002 to help organizations meet regulatory compliance with their security management and assurance best practices.Some local or international specialized organizations such as the American Society of Mechanical Engineers also develop standards and regulation codes. They thereby provide a wide range of rules and directives to ensure compliance of the products to safety, security or design standards.
By nation
Regulatory compliance varies not only by industry but often by location. The financial, research, and pharmaceutical regulatory structures in one country, for example, may be similar but with particularly different nuances in another country. These similarities and differences are often a product "of reactions to the changing objectives and requirements in different countries, industries, and policy contexts".Australia
Australia's major financial services regulators of deposits, insurance, and superannuation include the Reserve Bank of Australia, the Australian Prudential Regulation Authority, the Australian Securities & Investments Commission, and the Australian Competition & Consumer Commission. These regulators help to ensure financial institutes meet their promises, that transactional information is well documented, and that competition is fair while protecting consumers. The APRA in particular deals with superannuation and its regulation, including new regulations requiring trustees of superannuation funds to demonstrate to APRA that they have adequate resources, risk management systems, and appropriate skills and expertise to manage the superannuation fund, with individuals running them being "fit and proper".Other key regulators in Australia include the Australian Communications & Media Authority for broadcasting, the internet, and communications; the Clean Energy Regulator for "monitoring, facilitating and enforcing compliance with" energy and carbon emission schemes; and the Therapeutic Goods Administration for drugs, devices, and biologics;
Australian organisations seeking to remain compliant with various regulations may turn to AS ISO 19600:2015. This standard helps organisations with compliance management, placing "emphasis on the organisational elements that are required to support compliance" while also recognizing the need for continual improvement.
Canada
In Canada, federal regulation of deposits, insurance, and superannuation is governed by two independent bodies: the OSFI through the Bank Act, and FINTRAC, mandated by the Proceeds of Crime and Terrorist Financing Act, 2001. These groups protect consumers, regulate how risk is controlled and managed, and investigate illegal action such as money laundering and terrorist financing. On a provincial level, each province maintain individuals laws and agencies. Unlike any other major federation, Canada does not have a securities regulatory authority at the federal government level. The provincial and territorial regulators work together to coordinate and harmonize regulation of the Canadian capital markets through the Canadian Securities Administrators.Other key regulators in Canada include the Canadian Food Inspection Agency for food safety, animal health, and plant health; Health Canada for public health; and Environment and Climate Change Canada for environment and sustainable energy.
Canadian organizations seeking to remain compliant with various regulations may turn to ISO 19600:2014, an international compliance standard that "provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization". For more industry specific guidance, e.g., financial institutions, Canada's E-13 Regulatory Compliance Management provides specific compliance risk management tactics.
European Union
Regulatory compliance in the European Union is governed by a harmonized legal framework designed to ensure consistency across member states while allowing for national implementation. EU compliance regulations cover various industries, including consumer product safety, financial services, environmental protection, and data privacy.The General Product Safety Regulation establishes a unified safety framework for consumer products across the EU, requiring manufacturers to conduct risk assessments, maintain traceability documentation, and meet safety compliance standards before placing products on the market. The GPSR applies to all consumer products made available in the EU unless covered by sector-specific regulations, such as medical devices or food products. The regulation extends to products sold through e-commerce platforms, requiring online marketplaces to ensure that only compliant products are listed. Fulfillment service providers are also included as economic operators, making them responsible for product safety compliance in certain cases.
For business compliance, the EU’s regulatory approach is guided by the New Legislative Framework and various sector-specific directives and regulations. Businesses must comply with EU product conformity assessments and affix the CE marking to indicate compliance with essential safety and performance standards.
Financial compliance is enforced through regulations such as the Markets in Financial Instruments Directive and the General Data Protection Regulation, which set strict requirements for financial transparency, consumer protection, and data security.
The EU Legislation Compliance framework ensures that organizations operate within the legal boundaries of EU directives, helping public and private entities manage regulatory risks efficiently.
Companies operating in the EU must stay updated on evolving compliance requirements, as non-compliance can lead to fines, product recalls, or restrictions on market access.
The Netherlands
The financial sector in the Netherlands is heavily regulated. The Dutch Central Bank is the prudential regulator while the Netherlands Authority for Financial Markets is the regulator for behavioral supervision of financial institutions and markets. A common definition of compliance is:'Observance of external laws and regulations, as well as internal norms and procedures, to protect the integrity of the organization, its management and employees with the aim of preventing and controlling risks and the possible damage resulting from these compliance and integrity risks'.India
In India, compliance regulation takes place across three strata: Central, State, and Local regulation. India veers towards central regulation, especially of financial organizations and foreign funds. Compliance regulations vary based on the industry segment in addition to the geographical mix. Most regulation comes in the following broad categories: economic regulation, regulation in the public interest, and environmental regulation. India has also been characterized by poor compliance - reports suggest that only around 65% of companies are fully compliant to norms.Singapore
The Monetary Authority of Singapore is Singapore's central bank and financial regulatory authority. It administers the various statutes pertaining to money, banking, insurance, securities and the financial sector in general, as well as currency issuance.United Kingdom
There is considerable regulation in the United Kingdom, some of which is derived from European Union legislation. Various areas are policed by different bodies, such as the Financial Conduct Authority, Environment Agency, Scottish Environment Protection Agency, Information Commissioner's Office, Care Quality Commission, and others: see List of regulators in the United Kingdom.Important compliance issues for all organizations large and small include the Data Protection Act 2018 and, for the public sector, Freedom of Information Act 2000.