Skills

regulatory-compliance-monitoring

Installation
SKILL.md

Regulatory Compliance Monitoring

Domain Overview

Regulatory compliance monitoring is the continuous, structured process of identifying regulatory developments, assessing their impact on organizational operations, implementing required changes, and reporting compliance status to internal governance bodies and external regulators. The discipline spans the full lifecycle from horizon scanning — detecting proposed rules, final rules, enforcement guidance, and supervisory expectations — through gap analysis, remediation planning, execution, testing, and ongoing surveillance. In 2024, global regulatory fines reached a record $19.3 billion (Corlytics/Fintech Global), with the SEC alone reporting $8.2 billion in financial remedies from 583 enforcement actions. TD Bank's $3.1 billion AML penalty — the largest bank BSA/AML fine in U.S. history — demonstrated that regulators penalize not just substantive violations but systemic failures in compliance monitoring infrastructure itself.

The regulatory landscape has become materially more complex. The DOJ updated its Evaluation of Corporate Compliance Programs (ECCP) in September 2024, adding explicit requirements around AI risk management, whistleblower protection mechanisms, data access for compliance functions, and adequacy of compliance resourcing. FINRA's 2024 and 2025 Annual Regulatory Oversight Reports expanded to 26+ topics, adding crypto asset activity, extended-hours trading supervision, and off-channel communications. The EU AI Act entered into force in August 2024 with provisions phasing in through 2030. Organizations operating across jurisdictions now face an average of 250+ discrete regulatory changes per day globally (Thomson Reuters Regulatory Intelligence estimate), making manual tracking operationally untenable.

Effective regulatory compliance monitoring operates within a governance architecture — typically the Three Lines of Defense model — where first-line business units own compliance execution, second-line compliance and risk functions provide oversight, monitoring, and testing, and third-line internal audit provides independent assurance. ISO 37301:2021 (Compliance Management Systems) provides the international standard framework, requiring organizations to systematically identify compliance obligations, assess compliance risks, establish monitoring controls, and maintain continuous improvement cycles. The standard replaces ISO 19600:2014 and is certifiable, providing external verification of program adequacy.

The discipline requires practitioners to maintain an obligations register (a structured inventory of all applicable laws, regulations, rules, and voluntary commitments), execute regulatory change management workflows, conduct periodic and triggered gap analyses, develop prioritized remediation roadmaps, and produce compliance reporting that satisfies both board-level governance requirements and regulator examination expectations. Failure in any of these components creates enforcement exposure, reputational risk, and — as demonstrated by the OCC's unprecedented asset growth cap on TD Bank — existential operational constraints.

Core Decision Framework

Regulatory Change Triage Matrix

Every identified regulatory development requires classification along two axes before resource allocation:

Applicability Assessment:

  • Direct applicability — the regulation explicitly governs the organization's licensed activities, product lines, or jurisdictional presence
  • Indirect applicability — the regulation affects counterparties, vendors, or market infrastructure the organization depends on
  • Emerging relevance — proposed rules, consultation papers, or enforcement trends that signal future obligations
  • Not applicable — documented determination with reasoning retained for audit trail

Impact Severity Classification:

  • Critical (Tier 1) — requires board/C-suite notification within 48 hours; involves new licensing requirements, material capital/operational changes, or penalties exceeding risk appetite thresholds
  • Significant (Tier 2) — requires policy/procedure amendments, system modifications, or staff retraining within a defined implementation window
  • Moderate (Tier 3) — requires documentation updates, minor process adjustments, or enhanced monitoring parameters
  • Low (Tier 4) — informational tracking only; no current action required but monitored for escalation

Practitioner Logic

Experienced compliance officers apply a risk-weighted approach, not a completionist approach. The critical question is never "are we tracking every regulation?" but rather "are we tracking the right regulations with sufficient depth, and do our gaps have documented rationale?" Regulators — particularly under the DOJ ECCP framework — evaluate whether the compliance program is adequately designed, earnestly implemented, and working in practice. A program that tracks 500 regulatory sources superficially is weaker than one that covers 200 with demonstrated impact analysis, ownership assignment, and implementation verification.

The practitioner sequence follows: Detect → Assess → Assign → Plan → Implement → Test → Report → Archive.

Step-by-Step Process

Step 1: Establish Regulatory Universe and Obligations Register

Build and maintain a comprehensive inventory of all applicable regulations, mapped to:

  • Specific business units, products, and geographic jurisdictions affected
  • Internal policies, procedures, and controls that implement each obligation
  • Designated obligation owners (by name and role, not department alone)
  • Regulatory effective dates, phase-in schedules, and filing deadlines
  • Source regulatory body and authoritative document references

The obligations register is the foundational data layer. Without it, gap analysis and change management lack a baseline. Per ISO 37301:2021 Section 4.5, the organization "shall systematically identify its compliance obligations resulting from its activities, products and services, and assess their impact on its operations."

Step 2: Conduct Regulatory Horizon Scanning

Implement systematic monitoring across three time horizons:

  • Immediate (0-90 days): Final rules, effective dates, enforcement actions, examination priorities, no-action letters, and supervisory guidance
  • Near-term (90 days - 12 months): Proposed rules, notice-and-comment periods, consultation papers, and legislative committee activity
  • Strategic (12+ months): Legislative proposals, international regulatory convergence trends, industry working group outputs, and enforcement pattern analysis

Sources include Federal Register notices, regulator RSS feeds, FINRA Regulatory Notices, SEC Staff Bulletins, OCC Bulletins, CFPB Supervisory Highlights, FinCEN Advisories, and equivalent non-U.S. authorities. Automated RegTech platforms filter by jurisdiction, topic taxonomy, and entity type to reduce noise.

Step 3: Perform Impact Assessment

For each applicable regulatory change:

  • Map the new or amended requirement against existing obligations register entries
  • Identify specific control gaps — where current policies, procedures, systems, or training do not satisfy the new requirement
  • Quantify implementation effort (person-hours, system changes, vendor dependencies, budget)
  • Assess enforcement risk — consider the regulator's examination priorities, recent enforcement actions in the area, and stated penalty frameworks
  • Document the assessment methodology, participants, and conclusions

Step 4: Execute Gap Analysis

Conduct structured comparison between current-state compliance posture and target-state requirements:

  • Control mapping: For each new obligation element, identify existing controls and rate them as Compliant, Partially Compliant, or Non-Compliant
  • Root cause analysis: For each gap, determine whether the deficiency stems from policy absence, procedural weakness, system limitation, training gap, or resource constraint
  • Materiality scoring: Rate each gap on a severity matrix (likelihood of detection × magnitude of regulatory consequence)
  • Dependency identification: Flag gaps requiring cross-functional coordination, vendor changes, or board-level approval

Step 5: Develop Implementation Plan

Construct a prioritized remediation roadmap:

  • Sequence actions by regulatory deadline, enforcement risk, and dependency chain
  • Assign specific owners with documented acceptance of accountability
  • Define measurable milestones and completion criteria (not just "update policy" but "policy revised, approved by CCO, distributed to affected staff, training completed, attestation collected")
  • Establish escalation triggers for delays, scope changes, or resource conflicts
  • Budget for implementation costs including technology, external counsel, training, and potential interim risk-acceptance periods

Step 6: Implement Changes and Conduct Testing

Execute the remediation plan with embedded quality controls:

  • First-line implementation — business units modify processes, update systems, retrain staff
  • Second-line verification — compliance function conducts independent testing to confirm implementation effectiveness, not just completion
  • Testing methodologies include transaction testing, sample review, process walkthroughs, and automated control monitoring
  • Document all implementation evidence for regulatory examination readiness

Step 7: Compliance Reporting

Produce layered reporting for distinct audiences:

  • Board/Audit Committee: Quarterly dashboard showing regulatory change volume, open gaps by severity, implementation status against deadlines, emerging regulatory risks, and resource adequacy assessment
  • Senior Management: Monthly operational reports with specific gap remediation progress, testing results, and escalated issues
  • Regulators: Examination-ready documentation packages, self-assessment results, and any required periodic filings (e.g., FINRA annual compliance certifications under Rule 3120, SEC Rule 38a-1 annual reviews)
  • Audit Trail: Complete chronological record of detection, assessment, implementation, and testing for each regulatory change

Step 8: Continuous Improvement

  • Conduct post-implementation reviews for significant regulatory changes
  • Track metrics: mean time from detection to implementation, gap closure rates, testing deficiency rates, regulatory examination findings
  • Benchmark against industry peers and regulatory expectations
  • Update the compliance monitoring framework based on lessons learned, regulatory feedback, and evolving risk profile

Evaluation Criteria

Program Maturity Assessment (5 Levels)

Level Description Key Indicators
1 — Ad Hoc Reactive, individual-dependent No obligations register; manual tracking; gaps discovered in examinations
2 — Developing Basic processes exist Partial obligations register; irregular scanning; gap analysis performed only pre-audit
3 — Defined Standardized workflow Complete obligations register; systematic scanning; documented gap analysis process; regular reporting
4 — Managed Metrics-driven KPIs tracked; implementation timelines measured; testing integrated; board reporting established
5 — Optimized Predictive and adaptive Automated RegTech integration; predictive analytics on regulatory trends; continuous monitoring with real-time dashboards; proactive engagement with regulators

Key Performance Indicators

  • Regulatory change detection latency (days from publication to organizational awareness)
  • Gap assessment completion rate within SLA (target: 95%+ for Tier 1 and Tier 2 changes)
  • Implementation completion rate by regulatory deadline (target: 100% for mandatory deadlines)
  • Compliance testing deficiency rate (target: <5% of controls tested)
  • Regulatory examination findings attributable to monitoring failures (target: zero)
  • Obligations register accuracy (validated through annual comprehensive review)

Red Flags & Edge Cases

  1. Orphaned obligations after reorganization: Following M&A activity or internal restructuring, obligation ownership transfers are missed. The DOJ ECCP (September 2024 update) explicitly addresses post-acquisition compliance integration — prosecutors evaluate whether companies "track and address the compliance-related aspects of acquisitions." The OFAC enforcement action against C.H. Robinson ($257,690) specifically cited failure to integrate acquired subsidiaries' compliance systems.

  2. Off-channel communications blind spot: SEC and CFTC imposed over $2.5 billion in cumulative fines through 2024 for failures to monitor employee communications on personal devices, WhatsApp, Signal, and unapproved messaging platforms. Compliance monitoring programs that track only approved channels create a false sense of surveillance coverage.

  3. Regulatory change velocity overwhelming manual processes: Organizations relying on spreadsheet-based tracking cannot maintain pace with 250+ daily global regulatory changes. The Corlytics 2024 enforcement data shows monitoring infrastructure failures — not substantive violations — driving an increasing share of penalties.

  4. Gap analysis without root cause differentiation: Identifying that a control is "non-compliant" without distinguishing between policy absence, procedural weakness, system limitation, and training deficiency produces generic remediation plans that fail to close gaps permanently. The gap recurs at the next assessment cycle.

  5. Compliance monitoring that excludes third-party and vendor obligations: The DOJ's 2024 ECCP update emphasizes continuous third-party due diligence. OFAC sanctions enforcement actions repeatedly cite organizations that failed to extend compliance monitoring to subsidiary and vendor operations.

  6. Single-jurisdiction bias in multinational operations: Monitoring only home-jurisdiction regulations while operating across borders. The EU AI Act's extraterritorial reach (applying to non-EU entities placing AI systems on the EU market) caught multiple U.S. firms unprepared in 2024.

  7. Conflating compliance monitoring with compliance testing: Monitoring tracks regulatory developments and assesses applicability. Testing verifies that implemented controls actually work. Programs that equate "we updated the policy" with "we are compliant" fail the DOJ ECCP "working in practice" standard.

  8. Board reporting that obscures risk: Dashboard metrics showing "95% compliant" without disclosing that the remaining 5% includes Tier 1 critical gaps creates false assurance. The OCC's Heightened Standards (12 CFR Part 30, Appendix D) require boards of large national banks to receive compliance risk information "sufficient to allow the board to provide credible challenge."

  9. Effective-date miscalculation on phased regulations: Complex regulations (EU AI Act, Basel III Endgame, SEC Climate Disclosure) have multi-year phase-in schedules with different provisions taking effect at different dates. Treating the final compliance date as the only deadline ignores interim requirements.

  10. Self-reporting calculus failure: FINRA Rule 4530 requires self-reporting in certain circumstances, and the SEC's 2024 enforcement results showed dramatically reduced penalties for entities that self-reported and cooperated. Organizations that discover violations through monitoring but delay self-reporting face compounded penalties and loss of cooperation credit.

  11. AI governance gap in compliance programs: The DOJ ECCP September 2024 update explicitly asks prosecutors to evaluate whether companies assess "the potential impact of [AI] on their ability to comply with criminal law" and whether "the compliance function [has] adequate access to and the ability to use relevant data sources." Compliance programs without AI risk assessment frameworks now have a documented deficiency under DOJ standards.

  12. Retroactive regulation interpretation risk: Regulators may issue guidance interpreting existing rules more strictly without formal rulemaking (e.g., SEC Staff Accounting Bulletins on crypto custody). Monitoring programs limited to final rules and proposed rules miss these informal but enforceable interpretive shifts.

Common Mistakes

  1. Building the obligations register once and treating it as static. Regulatory environments produce continuous change. Organizations that built their register during initial program setup but lack a process for ongoing maintenance discover critical gaps — sometimes during examinations. MetricStream and Riskonnect both identify this as the single most common program failure.

  2. Assigning compliance monitoring exclusively to the legal or compliance department. The Three Lines of Defense model requires first-line business unit engagement. Programs where compliance "owns" monitoring while business units passively await instructions consistently produce implementation failures because the people closest to operations are excluded from impact assessment.

  3. Prioritizing quantity of sources over quality of analysis. Subscribing to 30 regulatory feeds but lacking the analytical capacity to triage, assess, and route findings creates information overload without risk reduction. Mature programs apply filtering criteria — by entity type, jurisdiction, product line, and materiality threshold — before human review.

  4. Conducting gap analysis as a point-in-time exercise before audits. MHA Consulting identifies this pattern: organizations perform gap analysis pre-audit, remediate findings, then abandon the process until the next audit cycle. This reactive cadence guarantees that gaps accumulate between assessments. Best practice requires at minimum semi-annual assessments for developing programs and annual assessments for mature programs, with triggered assessments for material regulatory changes.

  5. Treating all gaps with equal priority. Resources are finite. Organizations that attempt to close every gap simultaneously — regardless of enforcement risk, regulatory deadline, or business impact — spread effort too thin and miss critical deadlines. Risk-weighted prioritization is non-negotiable.

  6. Implementation plans without measurable completion criteria. "Update the AML policy" is not a completion milestone. "AML policy revised to incorporate FinCEN's updated CDD requirements, approved by BSA Officer, published to intranet, training delivered to all covered employees, and attestation collected with 98% completion rate" is a completion milestone.

  7. Failing to test implemented changes independently. The distinction between implementation and verification is fundamental. A policy may be written and distributed but not followed. A system control may be configured but not functioning. Second-line independent testing — transaction sampling, process walkthroughs, automated monitoring — validates that the change works in practice.

  8. Underinvesting in compliance monitoring technology. The TD Bank enforcement explicitly noted that the bank "starved its compliance program of the resources it needed" despite rising profits. Regulators across agencies now evaluate compliance resourcing as a standalone factor. The DOJ ECCP 2024 update instructs prosecutors to consider "whether the compliance and relevant control functions' resources [are] proportionate to the organization's risk profile."

Regulatory & Compliance Requirements

Primary Standards and Frameworks

Reference Scope Key Requirements
ISO 37301:2021 International CMS standard Systematic obligation identification, compliance risk assessment, monitoring controls, management review, continuous improvement (Sections 4.5, 8.2, 9.1, 10.2)
DOJ ECCP (Sept 2024) U.S. corporate compliance evaluation Design adequacy, earnest implementation, working in practice; AI risk management, whistleblower mechanisms, data access, resourcing adequacy
FINRA Rules 3110/3120 Broker-dealer supervision Written supervisory procedures (3110); annual compliance report to CEO certifying supervisory systems and written procedures testing (3120)
SEC Rule 38a-1 Investment company compliance Designation of CCO, annual compliance review, board reporting of material compliance matters
OCC Heightened Standards (12 CFR 30 App. D) Large national banks Three lines of defense, independent compliance risk management, board and management compliance risk oversight
BSA/AML (31 USC 5311-5332) Financial institutions AML program with internal controls, independent testing, designated BSA officer, ongoing training, risk-based CDD
SOX Section 404 Public companies Management assessment and external audit of internal controls over financial reporting
OFAC Framework Guidelines (May 2019) All U.S. persons Five pillars: management commitment, risk assessment, internal controls, testing/audit, training
EU AI Act (Reg. 2024/1689) AI system providers/deployers Risk-based classification, conformity assessments, post-market monitoring, compliance documentation
GDPR (Reg. 2016/679) Personal data processors/controllers Data protection impact assessments, records of processing, DPO designation, breach notification within 72 hours

Key Regulatory Filing and Reporting Deadlines

  • FINRA Rule 3120 annual compliance report — due annually per firm's cycle
  • SEC Form ADV annual amendment — within 90 days of fiscal year-end
  • BSA/AML independent testing — annually (or biennially for qualifying smaller institutions per FINRA Rule 3310(c))
  • SOX Section 404 management assessment — filed with annual 10-K
  • OFAC risk assessment — updated annually or upon material business changes
  • SAR filings — within 30 days of detection (with 30-day extension if suspect not identified)

Terminology

  1. Obligations Register: A structured, continuously maintained inventory of all laws, regulations, rules, standards, and voluntary commitments applicable to the organization, mapped to responsible owners, implementing controls, and affected business units. The foundational data layer for all compliance monitoring activity.

  2. Regulatory Horizon Scanning: The systematic process of monitoring legislative bodies, regulators, standard-setters, and enforcement agencies to identify upcoming regulatory changes before they become binding. Distinguished from reactive tracking by its forward-looking time horizon.

  3. Gap Analysis: A structured comparison of current organizational practices, policies, and controls against the requirements of a specific regulation or standard, producing a finding of Compliant, Partially Compliant, or Non-Compliant for each requirement element, with root cause classification.

  4. Regulatory Change Management (RCM): The end-to-end workflow for receiving, triaging, assessing, assigning, implementing, testing, and closing regulatory changes — from initial detection through verified compliance.

  5. Three Lines of Defense (3LoD): Governance framework where first-line (business operations) owns risk and compliance execution, second-line (compliance/risk functions) provides oversight, policy, monitoring, and testing, and third-line (internal audit) provides independent assurance. Updated by IIA in 2020 as the "Three Lines Model."

  6. Control Mapping: The process of linking specific regulatory requirements to the internal controls (policies, procedures, system configurations, manual checks) designed to satisfy those requirements, enabling gap identification when regulations change.

  7. Materiality Threshold: The quantitative or qualitative boundary above which a compliance gap, regulatory change, or risk exposure requires escalated governance attention, board notification, or accelerated remediation.

  8. RegTech: Technology solutions — including AI-powered monitoring, automated obligation parsing, workflow management, and control testing tools — that enable scalable regulatory compliance monitoring. Adoption is increasingly a regulatory expectation, not merely a convenience.

  9. Compliance Testing: Independent verification that implemented controls are operating effectively, distinct from compliance monitoring (which tracks regulatory developments). Includes transaction testing, sample review, automated monitoring, and process walkthroughs.

  10. Risk Appetite Statement: Board-approved articulation of the types and levels of risk the organization is willing to accept, providing the framework for compliance gap prioritization and resource allocation decisions.

  11. Enforcement Action Trend Analysis: The practice of monitoring enforcement outcomes — including penalty amounts, violation types, aggravating/mitigating factors, and cooperation credit — to predict regulatory examination focus areas and calibrate internal monitoring priorities.

  12. Self-Reporting Obligation: Regulatory requirements (e.g., FINRA Rule 4530, OFAC voluntary self-disclosure) mandating or incentivizing disclosure of discovered violations. Compliance monitoring programs must include protocols for escalating discovered violations to counsel for self-reporting evaluation.

  13. Supervisory Expectations: Non-binding but practically enforceable guidance issued through examination manuals, staff bulletins, supervisory highlights, and speeches that signal how regulators interpret existing rules. Missing these signals is a common monitoring failure.

  14. Implementation Verification Testing (IVT): Targeted testing conducted specifically to confirm that a newly implemented regulatory change has been operationalized correctly, performed within a defined window after implementation before transitioning to ongoing monitoring.

  15. Compliance Risk Assessment (CRA): Periodic, enterprise-wide evaluation of inherent compliance risk across all regulatory obligations, products, geographies, and business activities, informing monitoring intensity, testing frequency, and resource allocation.

  16. Remediation Roadmap: A prioritized, time-bound, owner-assigned action plan for closing identified compliance gaps, including specific milestones, completion criteria, dependency mapping, and escalation triggers.

  17. Regulatory Inventory (LRR Inventory): The law, rule, and regulation inventory — a comprehensive catalog of external requirements often maintained in GRC platforms, serving as the source of truth for the obligations register. KPMG's RCM framework distinguishes this as the first workstream in regulatory change management transformation.

  18. Cooperation Credit: Reduction in regulatory penalties granted when organizations voluntarily disclose violations, cooperate with investigations, and demonstrate proactive remediation. SEC FY2024 enforcement results showed significantly reduced penalties for cooperating entities.

  19. Examination Readiness: The state of documentary and operational preparedness for regulatory examination, requiring complete audit trails, current policies, evidence of testing, and accessible compliance reporting.

  20. Sunset Provisions: Regulatory requirements with built-in expiration dates or periodic reauthorization requirements that compliance monitoring must track to avoid both premature abandonment and unnecessary continued compliance.

  21. Cross-Jurisdictional Conflict: Situations where compliance obligations from different regulators or jurisdictions contradict each other (e.g., EU GDPR data localization vs. U.S. subpoena authority), requiring documented resolution frameworks.

  22. Proactive Compliance Ratio: The proportion of compliance activity dedicated to forward-looking monitoring, gap prevention, and regulatory engagement versus reactive remediation of discovered deficiencies. Best-in-class programs target 60%+ proactive activity (per Visbanking industry benchmark data).

Quality Checklist

  • Obligations register exists, is comprehensive, includes all applicable jurisdictions, and has been validated within the past 12 months
  • Regulatory horizon scanning covers all three time horizons (immediate, near-term, strategic) with documented source coverage
  • Each regulatory change in the monitoring pipeline has a documented applicability determination with rationale
  • Impact assessments for Tier 1 and Tier 2 changes include specific gap identification, root cause analysis, and remediation cost estimates
  • Every identified gap has a designated owner (individual, not department) with documented acceptance of accountability
  • Implementation plans contain measurable completion criteria — not just task descriptions — with specific deadlines
  • Second-line independent testing is conducted for all implemented regulatory changes, with results documented and deficiencies tracked to closure
  • Board/audit committee receives at minimum quarterly compliance monitoring reports that disclose both aggregate metrics and specific material gaps
  • Compliance monitoring program has been assessed against DOJ ECCP criteria (design, implementation, effectiveness) within the past 12 months
  • Self-reporting protocols exist and have been communicated to compliance staff, including escalation timelines and counsel engagement requirements
  • Third-party and vendor compliance obligations are included in monitoring scope, with contractual compliance requirements and periodic verification
  • AI and emerging technology usage has been inventoried and assessed for compliance risk per DOJ ECCP September 2024 guidance
  • Regulatory change detection-to-assessment latency is measured, reported, and within acceptable SLA thresholds
  • The compliance monitoring program's technology, staffing, and budget adequacy has been assessed and documented relative to the organization's risk profile
  • Post-implementation reviews are conducted for material regulatory changes, with lessons learned incorporated into process improvements

References

  1. SEC Press Release 2024-186, "SEC Announces Enforcement Results for Fiscal Year 2024" — https://www.sec.gov/newsroom/press-releases/2024-186
  2. Fintech Global, "Global regulatory fines soar to record-breaking $19.3bn in 2024" — https://fintech.global/2025/02/19/global-regulatory-fines-soar-to-record-breaking-19-3bn-in-2024/
  3. Skadden, "Key Updates to the DOJ's Evaluation of Corporate Compliance Programs" (Oct 2024) — https://www.skadden.com/insights/publications/2024/09/key-updates-to-the-dojs-evaluation-of-corporate-compliance-programs
  4. Harvard Law School Forum on Corporate Governance, "Key Updates to the DOJ's ECCP" — https://corpgov.law.harvard.edu/2024/10/07/key-updates-to-the-dojs-evaluation-of-corporate-compliance-programs/
  5. FINRA, "2024 Annual Regulatory Oversight Report" — https://www.finra.org/sites/default/files/2024-01/2024-annual-regulatory-oversight-report.pdf
  6. FINRA, "2026 Annual Regulatory Oversight Report" — https://www.finra.org/sites/default/files/2025-12/2026-annual-regulatory-oversight-report.pdf
  7. Carlton Fields, "FINRA Issues 2024 Annual Regulatory Oversight Report" — https://www.carltonfields.com/insights/publications/2024/finra-2024-annual-regulatory-oversight-report
  8. American Banker, "Top enforcement actions against banks in 2024" — https://www.americanbanker.com/list/top-enforcement-actions-against-banks-in-2024
  9. Smarsh, "2024 Regulatory Enforcement: A Year of Transformation" — https://www.smarsh.com/blog/thought-leadership/2024-regulatory-enforcement-a-year-of-transformation
  10. Dickinson Wright / Law360, "5 Notable Anti-Money Laundering Actions From 2024" — https://www.dickinson-wright.com/-/media/files/news/2025/01/law360--notable-antimoney-laundering-actions-2024.pdf
  11. Morrison Foerster, "U.S. Sanctions Enforcement: 2024 Lessons Learned" — https://www.mofo.com/resources/insights/250424-u-s-sanctions-enforcement-2024-lessons-learned
  12. OCC, "Enforcement Actions for December 2024" — https://www.occ.treas.gov/news-issuances/news-releases/2024/nr-occ-2024-138.html
  13. ISO, "ISO 37301:2021 Compliance Management Systems FAQs" — https://committee.iso.org/files/live/sites/tc309/files/FAQ%2037301/ISO%2037301%20FAQs%2C%20May%202022.pdf
  14. MetricStream, "What is Regulatory Change Management?" — https://www.metricstream.com/learn/what-is-regulatory-change-management.html
  15. Diligent, "Regulatory Change Management: A Step-by-Step Guide" — https://www.diligent.com/resources/blog/regulatory-change-management
  16. Riskonnect, "How a Digital Obligations Register Can Boost Compliance Efforts" — https://riskonnect.com/compliance/how-a-digital-obligations-register-can-boost-compliance-efforts/
  17. KPMG, "Regulatory Change Management Enhancement and Transformation" — https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2020/12/regulatory-change-management-enhancement-and-transformation.pdf
  18. Deloitte, "Modernizing the Three Lines of Defense Model" — https://www.deloitte.com/us/en/services/consulting/articles/modernizing-the-three-lines-of-defense-model.html
  19. Ncontracts, "2024 Regulatory Expectations and Enforcement Actions Recap" — https://www.ncontracts.com/nsight-blog/2024-regulatory-expectations-and-enforcement-actions-recap
  20. Ncontracts, "What Are the Three Lines of Defense in a Compliance Management System?" — https://www.ncontracts.com/nsight-blog/what-are-the-three-lines-of-defense-in-a-compliance-management-system
  21. VIXIO, "Regulatory Horizon Scanning: How to Do It" — https://www.vixio.com/blog/regulatory-horizon-scanning
  22. GAN Integrity, "The DOJ's 2024 Updates to Corporate Compliance Program Guidance" — https://www.ganintegrity.com/resources/blog/the-dojs-2024-updates-to-corporate-compliance-program-guidance/
  23. Comply, "SEC Enforcement Activity Reaches a Record $8.2 Billion in FY 2024" — https://www.comply.com/resource/what-went-wrong-sec-reports-a-record-8-2-billion-in-financial-remedies-from-fy-2024/
  24. JJCC Group, "Regulatory Compliance and Gap Analysis: A 5-Step Guide" — https://jjccgroup.org/compliance-gap-analysis-guide/
  25. Learning Pool, "From 2024 to 2025: Key Regulatory Insights for Compliance Leaders" — https://learningpool.com/blog/from-2024-to-2025-key-regulatory-insights-for-compliance-leaders
  26. MHA Consulting, "Compliance Gap Analysis: Identify and Fix Issues" — https://mha-it.com/blog/compliance-gap-analysis
  27. IRM, "Horizon Scanning: A Practitioner's Guide" — https://www.theirm.org/media/7423/horizon-scanning_final2-1.pdf
  28. OnCourse Learning, "2025 Regulatory Compliance Updates for Banks & Credit Unions" — https://www.oncourselearning.com/resources/2025-regulatory-compliance-updates-for-banks-and-credit-unions
Related skills

More from open-gitagent/enterprise-skills

Installs
1
Repository
open-gitagent/e…e-skills
GitHub Stars
1
First Seen
Apr 5, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykWarn