The second half of 2009 promises to see major shifts in regulatory compliance trends. Whether new rules include increased federal regulation or enforcement, changes to state data protection laws or major cybersecurity or smart-grid initiatives, there is an immense amount of information to make sense of each week. In no particular order, here are the regulatory compliance trends gleaned from half a year of reporting on conferences, sessions and information discussions with IT, security and compliance officers.
More regulation is coming
This should shock no one, of course, but when a Securities and Exchange Commission (SEC) commissioner and the head of the Financial Industry Regulatory Authority (FINRA) repeatedly talk about the need for regulatory reform,
SEC Commissioner Luis Aguilar suggested a number of directions for regulatory reform, including the formation of a "council of regulators." His other proposal, for an "integrated capital markets regulatory body," would merge the SEC, the U.S. Commodity Futures Trading Commission and the Department of Labor's Employee Benefits Security Administration. Such a body would oversee hedge funds, derivatives, commodities and municipal securities.
More enforcement coming
Deputy Attorney General Dave Ogden also was among those who see a renewed emphasis on "prosecuting financial crimes aggressively" in the months ahead.
Reflecting Ogden's assessment, former U.S. Deputy Attorney General Paul McNulty said that money laundering, fraud and tax issues are also receiving increased enforcement action. McNulty pointed to the requirements of the Sarbanes-Oxley Act (SOX), which mean that more information now must be disclosed and acted upon. Technology for internally exchanging information has also been widely implemented. In a broad sense, the trend has been toward more public disclosure, transparency and international cooperation. McNulty noted that "those factors can easily be applied to other kinds of enforcement."
SOX 404(b) will matter
SOX Section 404(a) requires that an assessment regarding the effectiveness of internal controls over financial reporting by a public company's management be submitted with the company's annual report. Section 404(b) requires an auditor's attestation regarding the effectiveness of internal controls. SEC Commissioner Aguilar said that a relevant study was "close to final" at the SEC, and that there was anecdotal evidence that both sections have enabled efficiencies and improved the ability for companies to operate.
"If I was a betting person -- and I do go to Las Vegas once in a while -- I would say companies need to be more familiar with 404(b) than they are now," Anguilar said. In other words, if you haven't had auditors assess the effectiveness of your internal controls recently, now would be a good time to do so.
Looking back: "SOX 404 compliance costs are lower than expected after first year."
McNulty observed that enforcement of the Federal Corrupt Practices Act (FCPA) has seen a dramatic increase, including skyrocketing penalties. "Within the past six months, we've seen hundreds of millions" of fines assessed, he said. Citing the SEC, McNulty said that in fact, there has been "more enforcement of FCPA in the past two years than in the past 30 years." He added that money laundering, fraud and tax issues are also receiving increased enforcement action. Compliance officers should expect more enforcement around exports to banned countries. Similarly, new regulations that govern private business, including hedge funds and financial products like derivatives, could extend to foreign activities.
XBRL compliance deadlines fast approaching
A new SEC filing mandate will affect IT and potentially transform financial reporting. If you're not familiar with the Extensible Business Reporting Language, review WhatIs.com's definition for XBRL: "An XML-based computer language for the electronic transmission of business and financial data. The goal of XBRL is to standardize the automation of business intelligence."
The buzzword of the moment among regulators is transparency. In theory, XBRL will allow both investors and regulators to quickly assess the financial health of a company through its filings. You can read a summary of SEC guidance on XBRL compliance in the Interactive Data for Financial Reporting guide. The original rules for XBRL compliance are also available online, in Chapter 6 of the EDGAR Filing Manual. Compliance officers and chief financial officers would be well-advised to be familiar with both, as they will be responsible for assuring that content in SEC XBRL meets all reporting requirements.
Read more: "SEC filings may soon require XBRL -- to your advantage."
Focus on risk management
So-called "check-box compliance" is no longer sufficient in assessing an organization's actual security or vulnerabilities. Auditors examining whether a compliance department has done due diligence will be looking for due diligence on IT controls, policies and procedures that take into account how much risk exists and what has been done to address it.
Read more: "Risk management archives - IT Compliance Advisor."
REACH and RoHS compliance
According to Courtney Bjorlin at SearchManufacturingERP.com, challenges around REACH compliance will transform supply chains. REACH, which stands for Registration, Evaluation, Authorization and restriction of Chemical substances, will regulate the use of hazardous chemicals in products sold in the European Union (EU).
REACH dovetails with the Restriction of Hazardous Substances Directive (RoHS), criteria set by the EU to regulate the use of toxic materials in electrical and electronic devices, systems and toys. Manufacturers must ensure that these toxins are not contained in manufactured goods. RoHSGuide.com has an RoHS compliance FAQ.
Greenhouse gas compliance
Greenhouse gas regulation and a shift to an economy that regulates carbon output are well under way. In other words, watch that carbon footprint: "Tough, enforceable regulations are coming to govern greenhouse gas and carbon emissions, and there's nothing you can do about it. The challenge for IT is simple, yet daunting: Collect all relevant emissions data and report it to such entities as The Climate Registry."
Such regulation -- and software to mitigate it -- will need to be taken under consideration by compliance officers in the months ahead. If a proposed cap and trade bill passes, understanding (and implementing) compliance requirements for greenhouse gas compliance won't be a theoretical exercise.
The North American Reliability Corporation (NERC) is an international, independent, self-regulatory, not-for-profit organization that oversees the reliability and security of the nation's energy grid. NERC has created Critical Infrastructure Protection Standards to improve physical security and cybersecurity, addressing all relevant vulnerabilities.
Given expectations for so-called "smart grid" improvements in the United States in coming years, and the widely reported penetration of the energy grid by cyberspies, NERC compliance will be critical to the energy industry.
In the EU, the Waste Electrical and Electronic Equipment Directive works in conjunction with RoHS to mandate targets for the collection, recovery and recycling of electronics and component materials. Expect e-cycling to become a bigger issue in the U.S. this year. States throughout the country are enacting e-cycling and e-waste programs that will affect corporate America. According to the National Electronics Recycling Infrastructure Clearinghouse, 18 states and New York City have enacted mandates as of March, with total compliance costs for the electronics manufacturing industry approaching $100 million annually.
Let us know what you think about the story; email: Alexander B. Howard, Associate Editor