Regulatory Compliance Lifecycle

Who Makes the Rules & Regulations?

The regulatory process starts with Congress passing a law that addresses a perceived need for government oversight of society or the economy. Examples include the Dodd-Frank Act, the Affordable Care Act (ACA), also known as Obamacare, and the Sarbanes-Oxley (SOX) Act. Federal Agencies such as the Federal Reserve Board (Fed), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Bureau of Consumer Financial Protection (CFPB), the Comptroller of the Currency (OCC), and the Environmental Protection Agency (EPA) are given the authority to translate these laws into regulations, following the processes and procedures defined in the Administrative Procedure Act (APA).

The Rule Making Process

As required by the APA, the Agencies publish notices of proposed rulemaking (NPRs) in the Federal Register, the official journal of the government, to alert the public, and specifically those sectors of society affected by the proposed rule. An Agency can publish a final rule without a comment period if it has "good cause", but normally the public has 30-60 days to comment on the proposed rule so that the Agency can consider the potential impact and make appropriate modifications. Once the rule has been finalized, the Agencies publish the Final Rule in the Federal Register and designate an effective date by which the affected parties must comply with the provisions of the new regulation. Once the rule becomes effective, it is also incorporated into the e-CFR (the electronic Code of Federal Regulations), which is updated daily.

Often, Agencies publish Guidance or Supervisory Letters to provide additional information about the expectations set in a rule or to highlight their observations about how the industry is adopting it. While Guidance is usually published in the Federal Register, Supervisory Letters are typically available on the Agency websites.

Rule Implementation by Affected Parties

Once a rule is final and the implementation date is known, those affected by the regulation must take steps to:

  1. Understand the requirements of the rule
  2. Formalize a plan of action to ensure they comply with the requirements
  3. Implement the changes needed to become compliant

Demonstration of Compliance

Regulated firms are periodically audited by their Supervisory Agency (also called the regulator). Usually the supervisory agency sends what is called a First Day Letter indicating its intent to audit the desired section(s) of the rule(s). This process requires that the firm be able to demonstrate how its operations and supporting systems comply with the requirements of the rule, that its staff have been properly trained, and that the entire process is well documented. It is essential to have properly organized evidence and documentation to support a firm's claim of compliance. If, for example, models are used in the compliance process, supervisors expect the firm to have evidence of the development process, including the theoretical approaches, validation procedures, an understanding of the models' limitations, controls over their use, and management reviews. It should be noted that an increasing number of regulations require a firm to conduct ongoing periodic reviews and validations to ensure it remains compliant. All of this takes considerable time and effort and represents a significant cost. Regulated firms have no choice: they are required to comply with applicable regulations.

If the Agencies determine that the company or organization has not met the standards set out in the rules, they provide comments in documents called Matters Requiring Attention (MRAs). Continuing failure to demonstrate compliance would result in fines and penalties.

How Many Supervisory Agencies Audit a Regulated Firm?

Some firms have several regulators: a primary supervisor as well as other agencies. For example, a large bank might have the Fed as its primary supervisor but also be subject to review by the FDIC.

Impact of Non-Compliance

Failure to comply with a rule potentially subjects a regulated firm to sanctions including administrative reprimands, fines and, in extreme cases, closure. This is commonly referred to as Regulatory Risk. But perhaps the more devastating risk of non-compliance is damage to a firm's reputation or brand, commonly referred to as Reputational Risk.