Regulatory Frameworks and Standards
Expert-defined terms from the Compliance Audit and Assurance course at London School of Planning and Management. Free to read, free to share, paired with a professional course.
Anti‑Money Laundering (AML) – A set of laws, regulations and procedures designed to prevent the generation of income through illegal actions.
Explanation
AML programs require entities to verify client identities, monitor transactions for unusual patterns, and report suspicious activity to authorities.
Example
A bank flags a series of cash deposits just below the reporting threshold and files a SAR.
Challenges
Balancing thorough due‑diligence with customer experience, keeping up with evolving typologies, and managing high compliance costs.
Audit Committee – A sub‑committee of a board of directors responsible for overseeing the integrity of financial reporting and the audit process.
Explanation
The committee reviews audit plans, assesses auditor independence, and ensures that audit findings are addressed promptly.
Example
The audit committee reviews the external auditor’s assessment of internal control weaknesses and requests remediation.
Challenges
Ensuring committee members have sufficient expertise and avoiding conflicts of interest with management.
Audit Trail – A chronological record of all actions taken on a data set or system, providing evidence of compliance and accountability.
Explanation
Audit trails capture who performed an action, when, and what was changed, enabling investigators to reconstruct events.
Example
An ERP system logs each user’s creation, modification, and deletion of purchase orders.
Challenges
Managing large volumes of log data, protecting log integrity, and ensuring accessibility for auditors.
Auditor Independence – The freedom of auditors from any relationships or influences that could impair impartial judgment.
Explanation
Independence is maintained through rotation policies, prohibitions on non‑audit services, and disclosure of financial interests.
Example
A firm rotates its audit partner every five years to meet independence requirements.
Challenges
Balancing client familiarity with independence, and navigating regulatory expectations across jurisdictions.
Basel III – An international regulatory framework for banks, emphasizing capital adequacy, stress testing, and liquidity standards.
Explanation
Basel III mandates higher quality capital (Tier 1) and introduces buffers to absorb shocks.
Example
A bank raises additional common equity to meet the 4.5 % Tier 1 capital requirement.
Challenges
Implementing complex risk‑weighted asset calculations and meeting divergent national transposition dates.
Business Continuity Planning (BCP) – The process of creating systems of prevention and recovery to enable continuation of critical operations during a disruption.
Explanation
BCP involves identifying essential functions, establishing backup resources, and testing response procedures.
Example
A financial services firm maintains a secondary data center that can assume production workloads within two hours of a primary site failure.
Challenges
Keeping the plan current with technology changes and ensuring employee awareness.
Chief Compliance Officer (CCO) – The senior executive responsible for designing, implementing, and monitoring an organization’s compliance program.
Explanation
The CCO reports to senior management and often the board, overseeing policies, training, and internal investigations.
Example
The CCO conducts quarterly reviews of anti‑bribery controls and reports findings to the audit committee.
Challenges
Maintaining authority across business units and staying abreast of rapidly evolving regulations.
Compliance Risk – The risk of legal or regulatory sanctions, financial loss, or reputational damage arising from failure to comply with applicable laws.
Explanation
Compliance risk is assessed through gap analyses, monitoring, and control testing.
Example
A multinational corporation identifies gaps in its sanctions screening process, leading to a remediation plan.
Challenges
Mapping complex, overlapping regulations and quantifying risk in monetary terms.
Corporate Governance – The system of rules, practices, and processes by which a company is directed and controlled.
Explanation
Good governance promotes accountability, fairness, and transparency, influencing compliance culture.
Example
A board adopts a code of conduct that mandates regular ethics training for all employees.
Challenges
Aligning governance structures with regulatory expectations and cultural norms.
Data Privacy Regulation – Laws governing the collection, use, storage, and disclosure of personal information.
Explanation
Organizations must obtain consent, provide data subject rights, and implement security safeguards.
Example
A retailer updates its privacy notice to include GDPR‑required data‑processing clauses.
Challenges
Managing cross‑border data transfers and reconciling conflicting jurisdictional requirements.
Due Diligence – The investigation and evaluation of a potential business relationship to assess risks and ensure compliance.
Explanation
Due diligence may cover financial health, regulatory standing, and reputational factors.
Example
Before acquiring a fintech startup, a bank conducts AML and sanctions screening on the target’s customers.
Challenges
Accessing reliable data on indirect partners and scaling processes for high‑volume environments.
Enterprise Risk Management (ERM) – A holistic approach to identifying, assessing, and managing risks across an organization.
Explanation
ERM integrates compliance, operational, strategic, and financial risks into a unified reporting structure.
Example
The risk committee reviews a heat map that highlights emerging regulatory threats alongside market volatility.
Challenges
Breaking down silos, ensuring consistent risk definitions, and aligning risk appetite with business strategy.
Financial Action Task Force (FATF) – An intergovernmental body that sets standards to combat money laundering and terrorist financing.
Explanation
FATF issues recommendations, conducts mutual evaluations, and publishes a list of high‑risk jurisdictions.
Example
A bank updates its AML policies to incorporate FATF’s latest guidance on virtual asset service providers.
Challenges
Translating high‑level standards into operational controls and tracking jurisdictional changes.
Financial Reporting Council (FRC) – The UK regulator responsible for promoting high‑quality corporate governance, accounting, and auditing standards.
Explanation
The FRC issues the UK Corporate Governance Code and monitors compliance through inspections.
Example
An audit firm undergoes an FRC inspection and receives a “limited assurance” rating, prompting remedial action.
Challenges
Aligning UK‑specific requirements with global frameworks and managing inspection timelines.
General Data Protection Regulation (GDPR) – The EU regulation that establishes a comprehensive data‑protection framework for individuals within the European Economic Area.
Explanation
GDPR mandates lawful processing bases, data breach notifications within 72 hours, and the appointment of data protection officers where required.
Example
A SaaS provider conducts a DPIA before launching a new analytics feature that processes EU customer data.
Challenges
Interpreting ambiguous provisions, handling cross‑border data transfers, and managing substantial fines.
Governance, Risk & Compliance (GRC) – An integrated approach that aligns governance, risk management, and compliance activities to improve decision‑making.
Explanation
GRC platforms provide centralized policy repositories, risk registers, and audit workflows.
Example
An organization uses a GRC tool to track policy acknowledgments, risk assessments, and audit findings in a single dashboard.
Challenges
Avoiding duplication of effort, ensuring data quality, and achieving executive buy‑in.
International Financial Reporting Standards (IFRS) – A set of globally accepted accounting standards developed by the IASB.
Explanation
IFRS promotes comparability by prescribing recognition, measurement, and disclosure requirements for transactions.
Example
A multinational adopts IFRS 16 to account for operating leases as right‑of‑use assets on the balance sheet.
Challenges
Interpreting complex standards, reconciling with local GAAP, and managing transition costs.
Internal Audit – An independent, objective assurance activity designed to add value and improve an organization’s operations.
Explanation
Internal auditors evaluate controls, assess compliance, and recommend improvements.
Example
The internal audit function conducts a compliance audit of the firm’s anti‑bribery program, identifying gaps in training.
Challenges
Maintaining objectivity, securing sufficient resources, and aligning audit plans with strategic risks.
ISO 19600 (Compliance Management Systems) – An international standard providing guidance for establishing, developing, and maintaining effective compliance management systems.
Explanation
ISO 19600 emphasizes risk‑based approaches, leadership commitment, and continuous improvement.
Example
A corporation adopts ISO 19600 principles to structure its compliance policies, monitoring, and reporting processes.
Challenges
Translating generic guidance into industry‑specific controls and integrating with existing management systems.
ISO 37001 (Anti‑Bribery Management Systems) – A standard that specifies requirements for establishing, implementing, maintaining, and improving an anti‑bribery management system.
Explanation
ISO 37001 requires risk assessments, due‑diligence procedures, training, and a documented anti‑bribery policy.
Example
A supplier obtains ISO 37001 certification to demonstrate its commitment to ethical conduct to a multinational client.
Challenges
Ensuring cultural change, monitoring third‑party compliance, and sustaining documentation.
Know Your Customer (KYC) – The process of verifying the identity of clients to assess risk and prevent illegal activities.
Explanation
KYC involves collecting identification documents, understanding the purpose of the relationship, and ongoing monitoring.
Example
A brokerage requires a new client to submit a passport, proof of address, and source‑of‑wealth documentation.
Challenges
Balancing thoroughness with onboarding speed and handling high‑volume digital onboarding.
Legal Hold – A directive to preserve electronically stored information (ESI) that may be relevant to litigation or regulatory investigations.
Explanation
Legal holds suspend routine data deletion and require custodians to retain relevant files.
Example
Upon receipt of a subpoena, the compliance team issues a legal hold on all email communications related to the matter.
Challenges
Identifying all relevant data sources, ensuring employee compliance, and managing storage costs.
Liquidity Coverage Ratio (LCR) – A Basel III metric requiring banks to hold enough high‑quality liquid assets to survive a 30‑day stress scenario.
Explanation
The LCR is calculated as the stock of Level 1 assets divided by net cash outflows over 30 days.
Example
A bank maintains a buffer of government securities to meet the 100 % LCR requirement.
Challenges
Forecasting cash flows under stress and optimizing asset composition without sacrificing profitability.
Money Laundering Reporting Officer (MLRO) – The senior individual responsible for overseeing an organization’s AML program and reporting suspicious activity.
Explanation
The MLRO ensures policies are implemented, staff are trained, and SARs are filed in a timely manner.
Example
The MLRO reviews flagged transactions and authorizes filing of a SAR with the financial intelligence unit.
Challenges
Maintaining expertise in emerging laundering techniques and handling high‑volume alerts.
Non‑Financial Reporting (NFR) – Disclosure of environmental, social, and governance (ESG) information, often required by regulators or investors.
Explanation
NFR provides insight into a company’s ESG performance, risk management, and long‑term value creation.
Example
A listed company publishes an annual ESG report following the EU Non‑Financial Reporting Directive.
Challenges
Selecting material metrics, ensuring data reliability, and meeting diverse stakeholder expectations.
Operational Risk – The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.
Explanation
Operational risk includes fraud, system failures, and supply‑chain disruptions.
Example
A bank experiences a system outage that prevents transaction processing, leading to reputational damage.
Challenges
Quantifying risk exposure and integrating operational risk into enterprise‑wide risk frameworks.
Outsourcing Risk Management – The process of identifying and mitigating risks associated with delegating functions to third‑party service providers.
Explanation
Controls include contractual clauses, performance monitoring, and periodic audits.
Example
A financial institution conducts an annual audit of its cloud service provider’s security controls.
Challenges
Ensuring consistent oversight across multiple jurisdictions and addressing data sovereignty concerns.
PCI DSS (Payment Card Industry Data Security Standard) – A set of security standards designed to protect cardholder data during processing, storage, and transmission.
Explanation
PCI DSS requires firewalls, encryption, access controls, and regular vulnerability scanning.
Example
A retailer undergoes a quarterly PCI DSS assessment and implements tokenization for stored card numbers.
Challenges
Maintaining compliance across multiple acquisition channels and adapting to evolving threat landscapes.
Regulatory Impact Assessment (RIA) – A systematic analysis of the potential effects of a proposed regulation on stakeholders and the economy.
Explanation
RIAs help legislators balance objectives against compliance burdens.
Example
A government agency publishes an RIA evaluating the impact of new AML reporting thresholds on financial institutions.
Challenges
Gathering reliable data, forecasting indirect effects, and ensuring transparent stakeholder consultation.
Regulatory Sandbox – A controlled environment that allows firms to test innovative products or services under regulator supervision.
Explanation
Participants receive temporary exemptions from certain rules while complying with monitoring requirements.
Example
A blockchain startup participates in a sandbox to pilot a cross‑border payment solution while regulators monitor AML controls.
Challenges
Defining appropriate scope, managing data confidentiality, and transitioning successful pilots to full compliance.
Risk Appetite – The amount and type of risk an organization is willing to pursue or retain in pursuit of its objectives.
Explanation
Risk appetite is articulated by senior leadership and reflected in policies, limits, and performance metrics.
Example
A bank sets a risk appetite for credit exposure at 5 % of its capital base.
Challenges
Translating qualitative statements into quantitative limits and ensuring alignment across business units.
Risk Assessment – The systematic process of identifying, analyzing, and evaluating risks to determine their significance.
Explanation
Assessments consider likelihood, impact, and existing controls to prioritize mitigation actions.
Example
An internal audit team conducts a risk assessment of the procurement function, identifying fraud risk as high.
Challenges
Maintaining up‑to‑date risk data and avoiding assessment fatigue.
Risk Register – A documented list of identified risks, including their description, assessment, owners, and mitigation actions.
Explanation
The register serves as a central repository for tracking risk status over time.
Example
The risk register shows a pending remediation plan for inadequate AML transaction monitoring.
Challenges
Keeping entries current and ensuring accountability for remediation.
Sanctions Compliance – The adherence to trade and financial restrictions imposed by governments or international bodies.
Explanation
Compliance involves screening customers and transactions against sanctions lists and implementing blocking or denial procedures.
Example
A bank blocks a wire transfer to a jurisdiction listed under OFAC’s Specially Designated Nationals program.
Challenges
Managing dynamic list updates, handling false positives, and addressing cross‑border transaction complexities.
Segregation of Duties (SoD) – A control principle that distributes responsibilities among different individuals to reduce the risk of error or fraud.
Explanation
SoD ensures that no single person can both initiate and authorize a transaction.
Example
In an ERP system, the user who creates a vendor cannot also approve payments to that vendor.
Challenges
Balancing SoD with operational efficiency and adapting controls to automated processes.
Service Level Agreement (SLA) – A contract that defines the expected level of service between a provider and a client, often including performance metrics.
Explanation
SLAs may specify uptime, response times, and reporting requirements, forming part of compliance monitoring.
Example
A cloud provider guarantees 99.9 % availability, with penalties for breach of the SLA.
Challenges
Aligning SLA terms with regulatory obligations and verifying compliance through audits.
Significant Risk – A risk that could materially affect the achievement of an organization’s strategic objectives.
Explanation
Significant risks receive heightened oversight, often reported to the board or audit committee.
Example
A financial institution identifies cyber‑attack risk as significant due to potential data breach and regulatory penalties.
Challenges
Determining materiality thresholds and ensuring timely escalation.
Stakeholder Engagement – The process of involving individuals or groups affected by or interested in an organization’s activities.
Explanation
Effective engagement gathers feedback, builds trust, and informs risk management.
Example
A company conducts a public consultation on its climate‑change strategy to incorporate community concerns.
Challenges
Balancing diverse interests and maintaining transparent communication.
Strategic Risk – The risk that arises from the fundamental decisions that shape an organization’s direction and objectives.
Explanation
Strategic risks include market entry, product launches, and mergers.
Example
A bank’s decision to expand into a new geographic market exposes it to unfamiliar regulatory regimes.
Challenges
Forecasting long‑term impacts and integrating strategic risk into day‑to‑day operations.
Stress Testing – A simulation technique used to evaluate the resilience of a financial institution under adverse conditions.
Explanation
Tests may involve macroeconomic shocks, market volatility, or liquidity squeezes.
Example
A bank conducts a stress test assuming a 30 % decline in equity prices and assesses capital adequacy.
Challenges
Selecting realistic scenarios and ensuring data quality for accurate modeling.
Sustainable Finance Disclosure Regulation (SFDR) – An EU regulation requiring financial market participants to disclose sustainability‑related information.
Explanation
SFDR mandates transparency on investment decisions, sustainability risks, and adverse impacts.
Example
An asset manager publishes a pre‑contractual statement outlining how ESG factors are integrated into portfolio selection.
Challenges
Interpreting ambiguous taxonomy definitions and aligning disclosures with other ESG frameworks.
Third‑Party Risk Management (TPRM) – The discipline of assessing and mitigating risks associated with external vendors and service providers.
Explanation
TPRM includes contract reviews, security assessments, and ongoing monitoring.
Example
A bank requires its payment processor to undergo an annual SOC 2 audit as part of the TPRM program.
Challenges
Scaling assessments across numerous suppliers and maintaining visibility into subcontractor risk.
Transaction Monitoring – The automated analysis of financial transactions to detect suspicious patterns indicative of money laundering or fraud.
Explanation
Monitoring systems apply rules, thresholds, and machine‑learning models to flag anomalies.
Example
An alert is generated when a customer’s transaction volume spikes 10‑fold within a short period.
Challenges
Reducing false‑positive rates while preserving detection effectiveness.
United Nations Sanctions (UNSC) – International measures imposed by the UN Security Council to address threats to peace and security.
Explanation
UNSC sanctions may target individuals, entities, or entire sectors, requiring global compliance.
Example
A multinational bank blocks transactions involving a listed terrorist organization under UNSC resolution 1373.
Challenges
Coordinating compliance across jurisdictions with differing enforcement mechanisms.
United Kingdom Bribery Act (UKBA) – A comprehensive anti‑bribery law that criminalizes bribery, facilitation payments, and failure to prevent bribery.
Explanation
The Act imposes strict liability on companies that do not have “adequate procedures” to prevent bribery.
Example
A corporation implements a robust anti‑bribery policy, conducts training, and performs risk assessments to satisfy UKBA requirements.
Challenges
Demonstrating procedural adequacy and managing global subsidiaries with differing cultural norms.
Value‑at‑Risk (VaR) – A statistical technique used to measure the potential loss in a portfolio over a defined period for a given confidence level.
Explanation
VaR helps quantify market risk and informs capital allocation.
Example
An investment firm calculates a 1‑day 99 % VaR of $5 million for its trading book.
Challenges
Model risk, assumptions about normal distribution, and failure to capture tail events.
Voluntary Disclosure – The proactive reporting by an organization of non‑compliance or breaches to regulators, often seeking mitigation of penalties.
Explanation
Voluntary disclosures can lead to reduced fines and favorable settlement terms.
Example
A bank discovers a data breach and voluntarily notifies the data protection authority, outlining corrective actions.
Challenges
Assessing the timing of disclosure and managing reputational impact.
Whistleblower Protection – Legal safeguards that encourage employees to report wrongdoing without fear of retaliation.
Explanation
Protections may include anonymity, anti‑retaliation policies, and potential rewards.
Example
A firm establishes a secure online portal for whistleblowers and adopts a policy prohibiting any adverse employment actions against reporters.
Challenges
Ensuring confidentiality, investigating claims impartially, and fostering trust in the reporting mechanism.
Zero‑Based Budgeting (ZBB) – A budgeting method that starts from a “zero base” each period, requiring justification for all expenses.
Explanation
ZBB promotes cost discipline and aligns spending with strategic priorities.
Example
A department prepares a ZBB submission, outlining each line item and its expected ROI before receiving funding.
Challenges
Resource intensity, potential disruption to ongoing operations, and resistance from staff accustomed to incremental budgeting.