
Top regulatory compliance trends that will affect IT in 2009

The leading regulatory compliance trends for IT managers to watch in the second half of the year include new regulations and tougher enforcement of existing regulations.

The second half of 2009 promises to see major shifts in regulatory compliance trends. Whether the new rules take the form of increased federal regulation or enforcement, changes to state data protection laws, or major cybersecurity or smart-grid initiatives, there is an immense amount of information to make sense of each week. In no particular order, here are the regulatory compliance trends gleaned from half a year of reporting on conferences, sessions and informal discussions with IT, security and compliance officers.

More regulation is coming

This should shock no one, of course, but when a Securities and Exchange Commission (SEC) commissioner and the head of the Financial Industry Regulatory Authority (FINRA) repeatedly talk about the need for regulatory reform, expect changes. Investor trust and consumer confidence are at historic lows, said FINRA CEO Rick Ketchum. Trillions of dollars have been lost, and now trillions more have been spent by government. Ketchum said he believes that "some form of systemic risk regulation will exist in most countries by the end of 2009."

SEC Commissioner Luis Aguilar suggested a number of directions for regulatory reform, including the formation of a "council of regulators." His other proposal, for an "integrated capital markets regulatory body," would merge the SEC, the U.S. Commodity Futures Trading Commission and the Department of Labor's Employee Benefits Security Administration. Such a body would oversee hedge funds, derivatives, commodities and municipal securities.

Read more: "SEC commish, FINRA head: Reform financial services regulations."

More enforcement coming

Deputy Attorney General Dave Ogden also was among those who see a renewed emphasis on "prosecuting financial crimes aggressively" in the months ahead.

Reflecting Ogden's assessment, former U.S. Deputy Attorney General Paul McNulty said that money laundering, fraud and tax issues are also receiving increased enforcement action. McNulty pointed to the requirements of the Sarbanes-Oxley Act (SOX), which mean that more information now must be disclosed and acted upon. Technology for internally exchanging information has also been widely implemented. In a broad sense, the trend has been toward more public disclosure, transparency and international cooperation. McNulty noted that "those factors can easily be applied to other kinds of enforcement."

Read more: "Financial crimes resulting in increased compliance enforcement."

SOX 404(b) will matter

SOX Section 404(a) requires that an assessment regarding the effectiveness of internal controls over financial reporting by a public company's management be submitted with the company's annual report. Section 404(b) requires an auditor's attestation regarding the effectiveness of internal controls. SEC Commissioner Aguilar said that a relevant study was "close to final" at the SEC, and that there was anecdotal evidence that both sections have enabled efficiencies and improved the ability for companies to operate.

"If I was a betting person -- and I do go to Las Vegas once in a while -- I would say companies need to be more familiar with 404(b) than they are now," Aguilar said. In other words, if you haven't had auditors assess the effectiveness of your internal controls recently, now would be a good time to do so.

Looking back: "SOX 404 compliance costs are lower than expected after first year."

FCPA compliance

McNulty observed that enforcement of the Foreign Corrupt Practices Act (FCPA) has seen a dramatic increase, including skyrocketing penalties. "Within the past six months, we've seen hundreds of millions" of fines assessed, he said. Citing the SEC, McNulty said that in fact, there has been "more enforcement of FCPA in the past two years than in the past 30 years." Compliance officers should also expect more enforcement around exports to banned countries. Similarly, new regulations that govern private business, including hedge funds and financial products like derivatives, could extend to foreign activities.

Read more: "FCPA Compliance and FCPA Enforcement: A Look Ahead to 2009 and Beyond."

XBRL compliance deadlines fast approaching

A new SEC filing mandate will affect IT and potentially transform financial reporting. If you're not familiar with the Extensible Business Reporting Language, this definition of XBRL is a useful starting point: "An XML-based computer language for the electronic transmission of business and financial data. The goal of XBRL is to standardize the automation of business intelligence."

The buzzword of the moment among regulators is transparency. In theory, XBRL will allow both investors and regulators to quickly assess the financial health of a company through its filings. You can read a summary of SEC guidance on XBRL compliance in the Interactive Data for Financial Reporting guide. The original rules for XBRL compliance are also available online, in Chapter 6 of the EDGAR Filing Manual. Compliance officers and chief financial officers would be well-advised to be familiar with both, as they will be responsible for ensuring that the content of XBRL filings submitted to the SEC meets all reporting requirements.

Read more: "SEC filings may soon require XBRL -- to your advantage."

Focus on risk management

So-called "check-box compliance" is no longer sufficient for assessing an organization's actual security or vulnerabilities. Auditors examining whether a compliance department has done its due diligence will be looking for IT controls, policies and procedures that take into account how much risk actually exists and what has been done to address it.

Read more: "Risk management archives - IT Compliance Advisor."

REACH and RoHS compliance

According to Courtney Bjorlin, challenges around REACH compliance will transform supply chains. REACH, which stands for Registration, Evaluation, Authorization and restriction of Chemical substances, will regulate the use of hazardous chemicals in products sold in the European Union (EU).

REACH dovetails with the Restriction of Hazardous Substances Directive (RoHS), criteria set by the EU to regulate the use of toxic materials in electrical and electronic devices, systems and toys. Manufacturers must ensure that these toxins are not contained in manufactured goods. A separate RoHS compliance FAQ is also available.

Read more: "Challenges around REACH compliance will transform supply chains."

Greenhouse gas compliance

Greenhouse gas regulation and a shift to an economy that regulates carbon output are well under way. In other words, watch that carbon footprint: "Tough, enforceable regulations are coming to govern greenhouse gas and carbon emissions, and there's nothing you can do about it. The challenge for IT is simple, yet daunting: Collect all relevant emissions data and report it to such entities as The Climate Registry."

Such regulation -- and the software needed to collect and report emissions data under it -- will need to be taken into consideration by compliance officers in the months ahead. If a proposed cap-and-trade bill passes, understanding (and implementing) greenhouse gas compliance requirements won't be a theoretical exercise.

Read more: "How a startup is helping to turn carbon footprint management into cost savings."

NERC compliance

The North American Electric Reliability Corporation (NERC) is an international, independent, self-regulatory, not-for-profit organization that oversees the reliability and security of the nation's bulk power grid. NERC has created Critical Infrastructure Protection (CIP) standards to improve the physical security and cybersecurity of the assets that support bulk power system operation.

NERC regulations affect all bulk power system owners, operators and users, each of whom must comply with approved NERC reliability standards. Each of these entities is required to register with NERC through the appropriate regional entity.

Given expectations for so-called "smart grid" improvements in the United States in coming years, and the widely reported penetration of the energy grid by cyberspies, NERC compliance will be critical to the energy industry.

E-cycling compliance

In the EU, the Waste Electrical and Electronic Equipment Directive works in conjunction with RoHS to mandate targets for the collection, recovery and recycling of electronics and component materials. Expect e-cycling to become a bigger issue in the U.S. this year. States throughout the country are enacting e-cycling and e-waste programs that will affect corporate America. According to the National Electronics Recycling Infrastructure Clearinghouse, 18 states and New York City have enacted mandates as of March, with total compliance costs for the electronics manufacturing industry approaching $100 million annually.

Let us know what you think about the story; email: Alexander B. Howard, Associate Editor
