BREAKING! The FDA just released this draft guidance, titled Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations, that aims to provide industry and FDA staff with a Total Product Life Cycle (TPLC) approach for developing, validating, and maintaining AI-enabled medical devices. The guidance is important even in its draft stage in providing more detailed, AI-specific instructions on what regulators expect in marketing submissions, and how developers can control AI bias.

What’s new in it?

1) It requests clear explanations of how and why AI is used within the device.
2) It requires sponsors to provide adequate instructions, warnings, and limitations so that users understand the model’s outputs and scope (e.g., whether further tests or clinical judgment are needed).
3) Encourages sponsors to follow standard risk-management procedures, and stresses that misunderstanding or incorrect interpretation of the AI’s output is a major risk factor.
4) Recommends analyzing performance across subgroups to detect potential AI bias (e.g., different performance in underrepresented demographics).
5) Recommends robust testing (e.g., sensitivity, specificity, AUC, PPV/NPV) on datasets that match the intended clinical conditions.
6) Recognizes that AI performance may drift (e.g., as clinical practice changes); therefore sponsors are advised to maintain ongoing monitoring, identify performance deterioration, and enact timely mitigations.
7) Discusses AI-specific security threats (e.g., data poisoning, model inversion/stealing, adversarial inputs) and encourages sponsors to adopt threat modeling and testing (fuzz testing, penetration testing).
8) Proposes recommendations for public-facing FDA summaries (e.g., 510(k) Summaries, De Novo decision summaries) to foster user trust and better understanding of the model’s capabilities and limits.
Regulatory Compliance Consulting
Most MedTech companies treat audits as one-off events. (And it costs a lot more than money)

This mindset costs:
• Market access
• Investor trust
• Years of work product
• And lots of money

But the biggest cost isn't financial. It's human lives. The ones that depend on life-saving devices that are getting locked out of the market. Not because their technology wasn’t good enough. But because of preventable mistakes. Because they treated compliance as an event. Not a culture.

Passing a Notified Body Audit isn’t luck. It’s discipline. It’s daily habits. It’s system-level thinking.

Here are 4 ways the best MedTech companies prepare (and how you can too):

1. They build audit-ready systems
Your documentation must tell a complete story:
• Align QMS to ISO 13485:2016 and MDR Article 10
• Justify risk management with defensible rationales
• Show proactive surveillance in PMS reports
• Close CAPAs fully with evidence of resolution
• Validate claims with clinical performance data

2. They eliminate silent compliance risks
Fix problems that quietly undermine audits:
• Complete missing risk–benefit rationales
• Update and control all key documents
• Close gaps in complaint and vigilance logs
• Strengthen post-market surveillance
• Link CAPAs directly to audit findings

3. They train for audit readiness every day.
Turn audit behavior into muscle memory:
• Run mock audits and rotate team roles
• Train clear, non-speculative auditor responses
• Assign scope ownership across all functions
• Focus answers — no speculation or improvisation

4. They set up audit execution in advance.
Plan logistics that create calm, not chaos:
• Prepare a dedicated audit room with indexed files
• Assign document fetchers and tech support
• Track requests and responses live during audits
• Maintain a calm, professional audit environment

Here’s the truth: An audit isn’t something you survive. It’s a mirror that reflects how you operate every day.

What’s the biggest audit challenge your team is facing right now?

♻️ Find this valuable? Repost for your network.
💡 Follow Bastian Krapinger-Ruether for actionable tips on MedTech compliance and QM.
-
In a landscape defined by extraterritorial enforcement, third-party exposure, and ethical accountability, the 2022 Overview of Anti-Corruption Compliance Standards and Guidelines (International Anti-Corruption Academy) is a landmark reference—both in scope and operational relevance. Authored by Dr. Eduard Ivanov, this comprehensive synthesis brings together over 60 internationally recognized instruments from the UN, OECD, ISO, FATF, World Bank, ICC, TI, and regional authorities such as the AFA, DoJ, and SFO.

1. From Legal Minimums to Governance-Driven Integrity: The document reinforces that modern anti-corruption programmes must be more than legally compliant—they must be governance-anchored. Sections on “tone from the top,” shareholder accountability, and “tone from the middle” move beyond checkbox exercises and place cultural leadership at the core. Notably, guidance from ISO 37001 and the French AFA requires that senior management not only endorse, but visibly operationalize #anticorruption expectations—with documentation and periodic review by governing bodies.

2. Third-Party Due Diligence and Lifecycle Risk Management: One of the most technically rich sections is the deep dive into #thirdpartyrisk—spanning control, influence, beneficial ownership, sanctions exposure, and reputational impact. It outlines how due diligence must be integrated across onboarding, contracting, monitoring, and offboarding.

3. Benchmarking and Programme Evaluation Are Not Optional: Benchmarking is no longer a luxury for global firms—it is essential to demonstrate effectiveness to regulators. This document cites methodologies from Deloitte, EY, NAVEX, PwC, and academic institutions, calling for comparative maturity assessments and defensible performance indicators (e.g., hotline usage, risk mapping refresh cycles, policy training rates, third-party rejection metrics).

4. Regulatory Intelligence Is Now Embedded in Compliance Design: The overview brings together enforcement expectations across jurisdictions—Sapin II, the UK Bribery Act, FCPA, and FATF standards—showcasing how laws with extraterritorial effect (e.g., U.S. and UK regimes) apply even to unregulated entities through third-party exposure.

5. Underserved Areas Now Elevated: Conflicts of Interest, Sponsorship, Gifts, M&A: The document fills longstanding gaps in international guidance on:
• Conflicts of interest: ICC and UNODC now offer structured prevention and management models.
• Charitable donations and political contributions: separated from standard expense controls, with dedicated transparency measures.
• Mergers & Acquisitions: guidance from the Wolfsberg Group and FCPA points to pre-acquisition due diligence, post-deal integration audits, and compliance clause triggers in deals.

#compliance #regulatory #financialcrime #risks
-
UK financial regulation is at a pivotal inflection point in 2025, as the Government and regulators embrace a growth-focused agenda. This shift opens up unique opportunities for firms to actively shape regulatory change. However, firms will also face significant challenges, including navigating outcomes-based regulatory approaches, managing complex risks that evolve rapidly, and optimizing cost efficiency in an ever-changing landscape. In this dynamic environment, firms must harness technology and AI to drive efficiencies, deliver positive regulatory outcomes, and strengthen their human capabilities to make value-added judgements and provide oversight on technological transformation.

Our latest #EY report delves into what to expect in the evolving regulatory landscape and highlights the strategic approach firms can adopt to stay ahead of these challenges.

🔑 Key regulatory themes for 2025:

📈 Growth - Regulatory focus shifts towards economic growth, offering opportunities for firms to shape regulations and drive efficiencies while maintaining high standards.
🤖 Data, Technology & AI - Leveraging AI and digital tools to reduce compliance costs, improve regulatory outcomes, and enhance data management for better decision-making.
💡 Consumer duty & fair value - Focus on fair value and protecting vulnerable customers, with increased scrutiny on governance and accessibility.
🏛️ Governance & risk culture - Strengthening risk culture, empowering staff for complex decisions, and ensuring boards effectively meet evolving regulatory expectations.
💼 Financial Crime - Intensifying efforts to combat fraud and money laundering, and ensuring robust financial crime controls, including monitoring of payment delays and sanctions.
🔒 Operational resilience - Meeting operational resilience deadlines, investing in risk management and infrastructure to safeguard against disruptions and build customer trust.
🏦 Financial stability - Addressing key prudential reforms such as Basel 3.1 and Solvency UK, and managing exposures to non-bank financial institutions (NBFIs).

By adopting a strategic approach, firms can shape the future of regulation, focus on AI innovation, and embed outcomes-based regulation into their broader corporate strategy, all while managing evolving risks and delivering strong business growth.

#UKRegulation #FinancialServices #AI #EconomicGrowth #Compliance #TechInnovation #RiskManagement #Governance #FinancialStability

Christopher Woolard CBE, Karl Meekings, Maureen L. Do Rego, Saket Chitlangia, Amal Shah, CFA, Karan Chowdhary, Siddhant Garg, Ankit Srivastava
-
Remember that two-week interregnum when Rohit Chopra remained at the CFPB after President Trump took office? While many assumed he’d be gone on Day One, Rohit stayed just long enough to finish one last piece of work.

On his way out, Chopra left behind a parting gift: a playbook for states to enforce consumer protection laws if federal supervision went dark. Think of it as a blueprint for state attorneys general: How to assemble your own CFPB.

And now? Construction is underway.

Rohit is back—this time with a coalition of 21 state AGs behind him. A few days ago, the Democratic Attorneys General Association tapped Chopra to lead a new consumer protection working group. The roster includes AGs from California, New York, Massachusetts, Maryland, Illinois, Pennsylvania, Michigan, and more. Functionally, Chopra is now the shadow director of a decentralized, multi-state regulatory perimeter. Not one CFPB, but many.

New Jersey is the latest state to operationalize the Chopra roadmap. Its new disparate impact rules are the most comprehensive in the country. They are also unmistakably about AI. The states are sharing data, experts, and market intelligence at the very moment when more consumer decisions than ever are being made by AI systems.

Chopra and his state-level coalition are taking direct aim at conventional credit scores too. The New Jersey framework treats rigid credit score thresholds as high-risk compliance triggers. If a lender denies everyone below a 600 score, regulators might ask: Why not adopt a less discriminatory alternative—like cash-flow-based underwriting—to uncover creditworthy applicants that your rigid cutoff overlooked?

And New Jersey isn’t an outlier. That same 21-state coalition is formally opposing federal efforts to weaken disparate impact protections. Massachusetts levied a $2.5M penalty in an AI underwriting case this summer. California and New York are ramping up probes.

In practice, this shifts the center of gravity from one national cop on the beat to dozens of state enforcers, each with their own priorities, politics, and theories of AI liability. As AI scales decision-making, states are scaling oversight. For lenders, this operational reality means your models, decisions, and AI-driven workflows may now be tested not once in Washington, but many times—in Trenton, Sacramento, Albany, Boston, Annapolis, and beyond.

So what should you be doing now?

1️⃣ Design and build for state-level scrutiny. Prepare to defend your strategies against novel legal arguments designed to win headlines.
2️⃣ Simulate consumer outcomes across different score cutoffs, credit policies and data sources.
3️⃣ Document the alternatives you considered—especially the less discriminatory ones.
4️⃣ Consider cash-flow underwriting and other modern approaches regulators increasingly view as viable alternatives.

The federal retreat from lending supervision is real. The enforcement vacuum is not.

Are you ready for Rohit 2.0?
-
$632,500 for making consumer privacy rights too difficult to exercise. That’s the fine Honda received from the California Privacy Protection Agency (CPPA). It’s a wake-up call for companies still treating privacy rights as a checkbox exercise.

It’s also something I’ve seen repeatedly in privacy assessments - companies making it unreasonably difficult for consumers to exercise their privacy rights.

Here are some areas regulators flagged:
❗ Requiring up to 8 fields of information just to opt out (excessive!)
❗ Creating a convoluted submission process for privacy rights requests
❗ Consumers had to directly confirm they authorized an agent to submit a request to opt out of sale/sharing or request to limit (illegal under CCPA)
❗ Failing to train employees handling privacy requests
❗ Ignoring Global Privacy Control (GPC) signals
❗ Creating multiple steps to opt out while enabling one-click opt ins
❗ Sharing data with vendors without proper documentation

The lesson? Privacy rights must be PRACTICALLY accessible, not just technically available.

Is your company vulnerable to similar issues? Ask:
✅ Can consumers opt out in 2 steps or fewer?
✅ Does your site recognize GPC signals?
✅ Do you have contracts with all vendors covering CCPA obligations?
✅ Is your team trained to process all types of privacy requests?
✅ Is opting out just as simple as opting in?

I'm seeing regulators across states increasingly focus on the how, not just the what of privacy compliance. The days of hiding opt-out buttons or creating friction-filled privacy request processes are over. Make it easier for people to exercise their privacy rights.

What's been your experience with consumer privacy rights implementations? Have you seen examples of companies doing this particularly well (or poorly)?

Read more about the critical compliance areas companies should review in my latest article for the IAPP: https://lnkd.in/e4aH7Qna
-
The DOJ consistently says that compliance programs should be effective, data-driven, and focused on whether employees are actually learning. Yet... The standard training "data" is literally just completion data!

Imagine if I asked a revenue leader how their sales team was doing and the leader said, "100% of our sales reps came to work today." I'd be furious! How can I assess effectiveness if all I have is an attendance list?

Compliance leaders I chat with want to move to a data-driven approach but change management is hard, especially with clunky tech. Plus, it's tricky to know where to start – you often can't go from 0 to 60 in a quarter.

In case this serves as inspiration, here are a few things Ethena customers are doing to make their compliance programs data-driven and learning-focused:

1. Employee-driven learning: One customer is asking, at the beginning of their code of conduct training, "Which topic do you want to learn more about?" and then offering a list. Employees get different training based on their selection...and no, "No training pls!" is not an option. The compliance team gets to see what issues are top of mind and then they can focus on those topics throughout the year.

2. Targeted training: Another customer is asking, "How confident are you raising bribery concerns in your team," and then analyzing the data based on department and country. They've identified the top 10 teams they are focusing their ABAC training and communications on, because prioritization is key.

You don't need to move from the traditional, completion-focused model to a data-driven program all at once. But take incremental steps to layer on data that surfaces risks and lets you prioritize your efforts. And your vendor should be your thought partner, not the obstacle, in this journey! I've seen Ethena's team work magic in terms of navigating concerns like PII and LMS limitations – it can be done!
-
Regulatory Harmonics

In today's fast-paced world of Fintech, understanding the intricate interplay between innovation and regulation is paramount. Excellent one from Varanium Capital Advisors Private Limited | Vikram Pandya | Aparajit Bhandarkar.

This comprehensive report delves deep into recent advancements and upcoming rules shaping the Fintech landscape, providing invaluable insights for industry stakeholders, policymakers, and investors alike. From emerging trends to regulatory nuances, our report offers a nuanced understanding of the regulatory dynamics impacting businesses in this ever-evolving sector 💡 A must-read for industry stakeholders, policymakers, and investors seeking a nuanced understanding of the regulatory dynamics impacting businesses.

Outstanding Outline -

1. Lending
- Digital Lending
- Lending – Other Key Updates
  - Recognition of NPA
  - Fair Practice Code
  - Increase in Risk Weight for Consumer Credit

2. Investments
- Online Bond Platform Providers
- Algorithmic Trading
- Family Investment Funds
- Social Stock Exchange
- Fractional Investments
- Investment in AIFs
- AIFs and AMCs – Other Key Updates

3. Banking
- Green Deposits
- Outsourcing of Information Technology
- Outsourcing of Financial Services

4. Insurance
- Surety Bonds
- Composite License
- Managing General Agencies
- Expense of Management – Intermediary Commission
- Corporate Agents

5. Payments
- Card Regulations
  - Prepaid Instruments
  - Card Tokenisation
  - Co-Branding Arrangements
  - Card Network Portability
- Payment Aggregators and Payment Gateways
- Payment Regulations on Cross Border Remittance in India
  - Licensing Requirement
  - Forex Correspondents
  - Permissible Route for Remittances
- Payments – Other Key Updates
  - TCS on remittances
  - UPI payment for foreign travellers
  - Bharat Bill Payment System
  - Wire Transfers
  - Central Bank Digital Currencies
- Payment Aggregator – Cross Border Guidelines
- Payments – Global Regulatory Benchmarking

6. Data Protection
- Data Protection – Global Legislation Benchmarking

7. Miscellaneous Developments
- Regulating Dark Patterns
- Green Credit Rules, 2023 and Carbon Credit Trading Scheme, 2023
- National Deeptech Start-up Policy
- Framework for Connecting Lending
- Framework on Web Aggregators of Loan Products
- Deepfake Regulations
- Neo Banks
- Asset Tokenisation
- Regulating Finfluencers
- Retail Invoice Discounting

8. Regulatory Support and Innovation
- Innovations in Lending - Public Tech Platform for Frictionless Credit
- National Health Claims Exchange
- Fintech Repository
- Cloud Facility
- Regulatory Sandbox Mechanisms
- Sandbox – Global Regulatory Benchmarking

Don't miss out on this essential resource! Dive into the report today to stay ahead of the curve and navigate the complexities of the Fintech regulatory environment with confidence.

#Fintech #Regulation #Innovation #Finance #Insights #ReportLaunch #StayInformed
-
5 Operational Metrics to Check if Your GRC Program isn't Compliance Theatre

Everyone has a GRC program that looks great 3 weeks per year. That works for some time but once your program is out of the honeymoon phase, you need to do something about it.

Here are 5 hard metrics to help you separate real GRC programs from compliance theatre:

1. Mean Time to Remediation (MTTR) 📉
Not just how many findings you have, but how fast they get FIXED. If your average remediation time is measured in geological eras instead of days, you've built a museum of vulnerabilities, not a security program. "We'll fix it after this sprint" shouldn't mean "after the heat death of the universe."

2. Cross-Team NPS Score 📊
Ask engineering, product and sales teams: "On a scale of 1-10, how much does GRC help vs. hinder your work?" If your score is close to Arctic temperatures, congratulations – you've created a program that engineers actively avoid like security awareness training from 2023.

3. Evidence Collection Automation Percentage 🤖
What percentage of your evidence is collected through APIs vs. screenshots? If you're still sending "friendly reminders" for screenshots in 2025, you're operating a digital paperwork sweatshop with slightly better coffee.

4. Risk-to-Remediation Ratio 📈
How many risks in your register have actually resulted in implemented fixes vs. eternal "monitoring until next review"? If your risk acceptance rate matches your deployment frequency, you're running an expensive vulnerability documentation service.

5. Random Audit Readiness Score 🎯
Give yourself 24 hours to produce evidence for 10 random controls without warning. Score from 0-100%. If your score is perfect during scheduled audits but drops faster than the stock market today after a random check, you've mastered compliance theatre, not security.

A GRC program can have perfect documentation and still provide very limited security value.

What must-have GRC metrics do YOU use to ensure your program delivers more than just paperwork? Let me know!

#GRCEngineering #SecurityCompliance #MetricsThatMatter
-
RESPECT AT WORK | Compliance-based harassment, bullying and discrimination training typically involves defining and providing examples of prohibited potential unlawful and criminal behaviours. Not surprisingly, while this approach transfers knowledge, it does little to prevent those behaviours. Many participants fail to connect cognitively or emotionally with the content because they don't feel it's relevant to their behaviour or their experience. Other participants feel powerless to effect change in others' behaviours. Also, we know that learning and behavioural change are more likely when individuals feel they are part of the solution and not the problem—telling learners what they can do rather than what they can't.

Effective respectful workplace behaviour training focuses on the underlying stereotypes and biases that devalue some individuals and groups relative to others and transfers skills for identifying and disrupting harmful beliefs whether they manifest as unconscious biases, casual sexism and racism, subtle slights of exclusion, or prohibited behaviours. While not all employees will experience or witness unlawful and criminal behaviours at work, most employees experience or witness everyday biases. When these lower-level harms are left unchecked, the harmful stereotypes and beliefs that underpin them are perpetuated. These are the same beliefs and attitudes that underpin more serious harm. The negative stereotypes that devalue women, diverse genders, or diverse sexualities that underpin a sexist or homophobic joke are the same negative stereotypes that underpin gendered and sexual violence. When employees are empowered to disrupt everyday biases, they become powerful change agents for preventing more serious harm.

We support employers in preventing workplace misconduct through workplace culture reviews, risk assessment, learning and development, and employee focus groups. Email info@cultureplusconsulting.com for further information.

Additional resources:
- Why employers need to step up: https://lnkd.in/gkNg_46R
- A checklist for boards: https://lnkd.in/gP8TMBzX
- Leadership considerations: https://lnkd.in/gFB7CvDe
- Identifying risks: https://lnkd.in/gvVYrDUy
- Managing risks: https://lnkd.in/gKSpxQu5
- Evidence-based training: https://lnkd.in/gUN8cwTd and https://lnkd.in/gFB7CvDe
- Trauma-informed grievance processes: https://lnkd.in/gP5Z5pcc