Top regulatory compliance trends that will affect IT in 2009

By Alexander B. Howard, Associate Editor
16 Jun 2009 | SearchCompliance.com


The second half of 2009 promises to see major shifts in regulatory compliance trends. Whether new rules include increased federal regulation or enforcement, changes to state data protection laws, or major cybersecurity or smart-grid initiatives, there is an immense amount of information to make sense of each week. In no particular order, here are the regulatory compliance trends gleaned from half a year of reporting on conferences, sessions and informal discussions with IT, security and compliance officers.

More regulation is coming

This should shock no one, of course, but when a Securities and Exchange Commission (SEC) commissioner and the head of the Financial Industry Regulatory Authority (FINRA) repeatedly talk about the need for regulatory reform, expect changes. Investor trust and consumer confidence are at historic lows, said FINRA CEO Rick Ketchum. Trillions of dollars have been lost, and now trillions more have been spent by government. Ketchum said he believes that "some form of systemic risk regulation will exist in most countries by the end of 2009."

SEC Commissioner Luis Aguilar suggested a number of directions for regulatory reform, including the formation of a "council of regulators." His other proposal, for an "integrated capital markets regulatory body," would merge the SEC, the U.S. Commodity Futures Trading Commission and the Department of Labor's Employee Benefits Security Administration. Such a body would oversee hedge funds, derivatives, commodities and municipal securities.

Read more: "SEC commish, FINRA head: Reform financial services regulations."

More enforcement coming

Deputy Attorney General Dave Ogden also was among those who see a renewed emphasis on "prosecuting financial crimes aggressively" in the months ahead.

Reflecting Ogden's assessment, former U.S. Deputy Attorney General Paul McNulty said that money laundering, fraud and tax issues are also receiving increased enforcement action. McNulty pointed to the requirements of the Sarbanes-Oxley Act (SOX), which mean that more information now must be disclosed and acted upon. Technology for internally exchanging information has also been widely implemented. In a broad sense, the trend has been toward more public disclosure, transparency and international cooperation. McNulty noted that "those factors can easily be applied to other kinds of enforcement."

Read more: "Financial crimes resulting in increased compliance enforcement."

SOX 404(b) will matter

SOX Section 404(a) requires that an assessment regarding the effectiveness of internal controls over financial reporting by a public company's management be submitted with the company's annual report. Section 404(b) requires an auditor's attestation regarding the effectiveness of internal controls. SEC Commissioner Aguilar said that a relevant study was "close to final" at the SEC, and that there was anecdotal evidence that both sections have enabled efficiencies and improved the ability for companies to operate.

"If I was a betting person -- and I do go to Las Vegas once in a while -- I would say companies need to be more familiar with 404(b) than they are now," Aguilar said. In other words, if you haven't had auditors assess the effectiveness of your internal controls recently, now would be a good time to do so.

Looking back: "SOX 404 compliance costs are lower than expected after first year."

FCPA compliance

McNulty observed that enforcement of the Federal Corrupt Practices Act (FCPA) has seen a dramatic increase, including skyrocketing penalties. "Within the past six months, we've seen hundreds of millions" of fines assessed, he said. Citing the SEC, McNulty said that in fact, there has been "more enforcement of FCPA in the past two years than in the past 30 years." He added that money laundering, fraud and tax issues are also receiving increased enforcement action. Compliance officers should expect more enforcement around exports to banned countries. Similarly, new regulations that govern private business, including hedge funds and financial products like derivatives, could extend to foreign activities.

Read more: "FCPA Compliance and FCPA Enforcement: A Look Ahead to 2009 and Beyond."

XBRL compliance deadlines fast approaching

A new SEC filing mandate will affect IT and potentially transform financial reporting. If you're not familiar with the Extensible Business Reporting Language, review WhatIs.com's definition for XBRL: "An XML-based computer language for the electronic transmission of business and financial data. The goal of XBRL is to standardize the automation of business intelligence."

The buzzword of the moment among regulators is transparency. In theory, XBRL will allow both investors and regulators to quickly assess the financial health of a company through its filings. You can read a summary of SEC guidance on XBRL compliance in the Interactive Data for Financial Reporting guide. The original rules for XBRL compliance are also available online, in Chapter 6 of the EDGAR Filing Manual. Compliance officers and chief financial officers would be well-advised to be familiar with both, as they will be responsible for assuring that content in SEC XBRL meets all reporting requirements.

Read more: "SEC filings may soon require XBRL -- to your advantage."

Focus on risk management

So-called "check-box compliance" is no longer sufficient in assessing an organization's actual security or vulnerabilities. Auditors examining whether a compliance department has done its due diligence will be looking for IT controls, policies and procedures that take into account how much risk exists and what has been done to address it.

Read more: "Risk management archives - IT Compliance Advisor."

REACH and RoHS compliance

According to Courtney Bjorlin at SearchManufacturingERP.com, challenges around REACH compliance will transform supply chains. REACH, which stands for Registration, Evaluation, Authorization and restriction of Chemical substances, will regulate the use of hazardous chemicals in products sold in the European Union (EU).

REACH dovetails with the Restriction of Hazardous Substances Directive (RoHS), criteria set by the EU to regulate the use of toxic materials in electrical and electronic devices, systems and toys. Manufacturers must ensure that these toxins are not contained in manufactured goods. RoHSGuide.com has an RoHS compliance FAQ.

Read more: "Challenges around REACH compliance will transform supply chains."

Greenhouse gas compliance

Greenhouse gas regulation and a shift to an economy that regulates carbon output are well under way. In other words, watch that carbon footprint: "Tough, enforceable regulations are coming to govern greenhouse gas and carbon emissions, and there's nothing you can do about it. The challenge for IT is simple, yet daunting: Collect all relevant emissions data and report it to such entities as The Climate Registry."

Such regulation -- and software to mitigate it -- will need to be taken under consideration by compliance officers in the months ahead. If a proposed cap and trade bill passes, understanding (and implementing) compliance requirements for greenhouse gas compliance won't be a theoretical exercise.

Read more: "How a startup is helping to turn carbon footprint management into cost savings."

NERC compliance

The North American Reliability Corporation (NERC) is an international, independent, self-regulatory, not-for-profit organization that oversees the reliability and security of the nation's energy grid. NERC has created Critical Infrastructure Protection Standards to improve physical security and cybersecurity, addressing all relevant vulnerabilities.

NERC regulations affect all bulk power system owners, operators and users, each of whom must comply with approved NERC reliability standards. Each of these entities is required to register with NERC through the appropriate regional entity.

Given expectations for so-called "smart grid" improvements in the United States in coming years, and the widely reported penetration of the energy grid by cyberspies, NERC compliance will be critical to the energy industry.

E-cycling compliance

In the EU, the Waste Electrical and Electronic Equipment Directive works in conjunction with RoHS to mandate targets for the collection, recovery and recycling of electronics and component materials. Expect e-cycling to become a bigger issue in the U.S. this year. States throughout the country are enacting e-cycling and e-waste programs that will affect corporate America. According to the National Electronics Recycling Infrastructure Clearinghouse, 18 states and New York City have enacted mandates as of March, with total compliance costs for the electronics manufacturing industry approaching $100 million annually.
