Regulatory Compliance in Finance

The final #US Open Banking rule is here. But 1) it took the US 14 years 2) the US payments’ infrastructure lags behind 3) banks object. All in all, a complex picture. Let me try to clarify. The rule – mostly known as Section 1033 of the Dodd-Frank Act – was initially proposed a year ago, but effectively it was 14 years in the making, since the Wall Street Reform and Consumer Protection Act of 2010. What does it do? It wants to help US payments’ infrastructure catch up with other developed countries by regulating open #banking and by introducing stronger privacy and consumer protection rules. Here, in short, the essence of the rule: It forces FS providers to “unlock an individual’s personal financial #data and transfer it to another provider at the consumer’s request for free”. This is what we call open banking, which is nothing more than democratizing access to data via forcing incumbent FS institutions to open their data to FinTechs, at the request of the consumers looking for additional services based on this data. Just to clarify: the US has not invented the wheel here. Open Banking initiatives such as this abound around the globe, with the UK and Europe having launched them many years ago. This is my summary of the main implications: 1.   Despite being market driven for years, legislation was necessary to accelerate the transition to OB and enforce access to data 2.   Banks will have to comply with lots of obligations: APIs, developer portals, stronger data protection, consent and data transparency mechanisms, identity and authorization tools 3.   Which is why some banking associations went as far as challenging the rule by filing a lawsuit in the US District Court 4.   By doing so, banks take a short-sighted approach and don’t recognize that OB can be a significant opportunity to improve their offerings and position themselves closer to their customers (i.e. faster onboarding, better UX, customer dashboards, improved loan origination decisioning) 5.  Fintechs will be able to build new products and services based on the data access 6.  Data access cannot be used for unrelated purposes to the consumer’s request 7.   Card schemes to face competition from direct account payments 8.   Rule to be implemented in phases: bigger FS institutions to comply by 2026, smaller ones by 2030, whereas small banks and credit unions are exempted 9.   Consumer benefits: 1) increased privacy and security 2) consumer protection 3) control of personal financial data 4) easy switch between providers (“FS roaming”). 10.   Increased competition (i.e. better rates via more educated risk decisions based on data access) 11.   Move away from the unorthodox practice of “screen scraping” 12.   Positive impact on the disintermediated instant #payments US landscape by making payment options like ACH and FedNow more popular The journey just started, and it will be a long one. But it’s in the right direction. Opinions: Panagiotis Kriaris

“We are ISO 27001 certified, are we DORA compliant?” Not so fast. ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there. Let’s break it down: 1. Regulatory vs. Voluntary Framework ↳ ISO 27001 – A voluntary international standard for information security management. ↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance. 2. Scope and Focus ↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls. ↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity. 3. Key Compliance Gaps 🔸 Incident Reporting ↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard. ↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis. 🔸 Security Testing ↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk. ↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning. 🔸 Third-Party Risk Management: ↳ ISO 27001 – Covers supplier risk but with general security controls. ↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions. 4. How financial institutions and ICT providers can address the delta? ✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.) ✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines. ✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing. ✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA. ✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience. 💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses. 👇 What’s the biggest challenge in aligning with DORA? Let’s discuss. ♻️ Repost to help someone. 🔔 Follow Amine El Gzouli for more.

Weighing You Down: The new Capital Requirements proposed under Basel III Endgame will prove onerous for Banks & Borrowers, alike. Today, I examine the Commercial Real Estate sector since this asset class is highly reliant on banks (and vulnerable) and the CRE market is contending with a huge pending maturity wall. Banks account for ~50% of the CRE debt market, representing the largest collective lender to CRE - this equates to nearly $3T in the U.S. alone. Below, I have constructed a table that very clearly states (my source from various federal documents that include: Note 20.86 on the Basel Framework (BIS) & Page 164 of September 2023 FDIC Proposed Rules notice) how a bank must measure its cash reserve requirements (CRR) for a given loan. Notice the change in risk weightings required for a given LTV. For a given loan, ~+20% higher risk weighted capital will be required that will soon be subject to this new measurement for risk. The bank lender will be required to hold additional capital for a given loan, or alternatively, simply extend less credit when writing a new loan as they apply more conservative detachment points (e.g. $50M loan vs. $100M asset value which is 50% LTV vs 80% LTV previously). If the bank does not want to increase its CRR, it must reduce the amount of credit it extends for a given asset/borrower. The delta is stark; this is a paradigm shift that will crack the door wide open for Private Credit Lenders. Banks will differentiate, take a more discerning eye when extending credit, with greater discipline going forward under Basel III Endgame. The new Basel III Endgame capital guidelines required by federal banking regulators and implemented in 2025 will break down risk-weighted assets by blending what is considered senior-secure risk v. unsecured risk (within a single unitranche loan). Regulators are confident that by imposing stricter capital requirements and more onerous stress tests when reporting liquidity, assets, operations, capital requirements, large banks (30 banks in U.S. with assets greater than $100B) will become less risky and less prone to failure. Banks are with their regulators to push back on Basel III Endgame capital charges; I am sure Banks will find a middle-ground with their regulators, but it will still result in additional and significant costs and more conservative lending practices. Private Credit firms such as Marathon Asset Management will provide a critical role in filling the void, to partner with banks and originate a plethora of investment opportunities that arise: - Mezz debt loans to fill the capital gap as banks roll loans at lower LTVs - Private Credit gaining more market share as banks reduce ABL exposure, for all ABL segments (not just CRE) - Asset Sales by banks - CRT/SRT transactions as private capital allows banks to offload risk - Private Capital & Bank Investment - Management Partnerships The current ratios vs. the proposed ratios are starkly contrasted in this table below:

Most MedTech companies treat audits as one-off events. (And it costs a lot more than money) This mindset costs: • Market access • Investor trust • Years of work product • And lots of money    But the biggest cost isn't financial. It's human lives. The ones that depend on life-saving devices that are getting locked out of the market. Not because their technology wasn’t good enough. But because of preventable mistakes. Because they treated compliance as an event. Not a culture. Passing a Notified Body Audit isn’t luck. It’s discipline. It’s daily habits. It’s system-level thinking. Here are 4 ways the best MedTech companies prepare (and how you can too): 1. They build audit-ready systems Your documentation must tell a complete story: • Align QMS to ISO 13485:2016 and MDR Article 10 • Justify risk management with defensible rationales • Show proactive surveillance in PMS reports • Close CAPAs fully with evidence of resolution • Validate claims with clinical performance data 2. They eliminate silent compliance risks Fix problems that quietly undermine audits: • Complete missing risk–benefit rationales • Update and control all key documents • Close gaps in complaint and vigilance logs • Strengthen post-market surveillance • Link CAPAs directly to audit findings 3. They train for audit readiness every day. Turn audit behavior into muscle memory: • Run mock audits and rotate team roles • Train clear, non-speculative auditor responses • Assign scope ownership across all functions • Focus answers — no speculation or improvisation    4. They set up audit execution in advance. Plan logistics that create calm, not chaos: • Prepare a dedicated audit room with indexed files • Assign document fetchers and tech support • Track requests and responses live during audits • Maintain a calm, professional audit environment Here’s the truth: An audit isn’t something you survive. It’s a mirror that reflects how you operate every day. What’s the biggest audit challenge your team is facing right now? ♻️ Find this valuable? Repost for your network. 💡 Follow Bastian Krapinger-Ruether for actionable tips on MedTech compliance and QM.

ESG Wheel 🌍 ESG has become one of the most discussed concepts in business today, yet its breadth is often underestimated. It encompasses a wide array of interconnected themes that extend across environmental, social, and governance dimensions. When companies approach sustainability strategically, they need to understand ESG not as a label, but as a framework that structures how risks and opportunities are managed across the business. The Environmental dimension reflects how organizations manage their relationship with natural systems. This includes themes such as greenhouse gas reduction, renewable energy adoption, and improvements in resource efficiency. These are fundamental to both competitiveness and resilience. Environmental performance also depends on less visible but equally important topics such as water management, biodiversity conservation, and circular economy integration. Addressing these areas helps companies reduce exposure to ecological and regulatory risks while contributing to global priorities. The Social dimension focuses on people and communities. Beyond compliance, this includes diversity and inclusion, workplace health and safety, and fair wages. These elements directly influence the ability of a company to attract talent and foster innovation. At the same time, issues like workforce development, human rights protections, and community engagement signal how companies create long-term value beyond their immediate operations. They shape trust among employees, consumers, and wider society. The Governance dimension defines the systems that ensure ESG commitments translate into action. Board oversight, accountability, and ethical business conduct are central to decision-making processes that align with sustainable performance. Governance also requires mechanisms such as risk management, internal audits, whistleblower protections, and transparent reporting. These practices build integrity into the organizational structure and provide confidence to stakeholders. Another dimension of governance relates to the integration of ESG into executive incentives and supply chain standards. Linking leadership performance and supplier practices with sustainability objectives creates consistency across the entire business ecosystem. The wide range of themes in ESG demonstrates that sustainability must be approached as an interconnected agenda. Each topic has distinct implications, but they reinforce each other when addressed holistically. Organizations that recognize this interconnectedness can develop strategies that are not just reactive to stakeholder pressure, but proactive in capturing long-term opportunities and mitigating systemic risks. The ESG Wheel highlights how sustainability strategies are strengthened when businesses consider these themes comprehensively, building alignment between environmental stewardship, social impact, and sound governance. #sustainability #business #sustainable #esg

The Dodd-Frank Wall Street Reform and Consumer Protection Act, commonly referred to as Dodd-Frank, is a significant piece of financial reform legislation passed in the United States in 2010. Its primary purpose was to address the vulnerabilities in the financial system that contributed to the 2007-2008 financial crisis and to protect consumers from abusive financial practices. Dodd-Frank introduced a wide range of reforms affecting the financial industry, including regulations on banks, financial institutions, and financial markets. Here are some key provisions and examples of how Dodd-Frank impacted the financial sector: 1. **Regulation of Financial Institutions:**   - **Systemically Important Financial Institutions (SIFIs):** Dodd-Frank designated certain large financial institutions as SIFIs, subjecting them to stricter regulations and oversight. These institutions are considered "too big to fail" because their failure could have systemic consequences. For example, if a SIFI bank is in distress, regulators have the authority to take actions to prevent its collapse. 2. **Consumer Protection:**   - **Consumer Financial Protection Bureau (CFPB):** Dodd-Frank established the CFPB, an independent agency responsible for protecting consumers in financial transactions. The CFPB has the authority to create and enforce rules related to mortgages, credit cards, and other consumer financial products to prevent abusive practices. For example, the CFPB has implemented rules to make mortgage terms and fees more transparent to borrowers. 3. **Derivatives and Trading:**   - **Derivatives Regulation:** Dodd-Frank introduced regulations on over-the-counter (OTC) derivatives markets to increase transparency and reduce risk. For example, it required standardized derivatives to be traded on exchanges or electronic platforms, making pricing and trading data more accessible. 4. **Volcker Rule:**   - The Volcker Rule, a part of Dodd-Frank, restricts proprietary trading by banks. It prohibits banks from making certain types of speculative investments that do not benefit their customers. For example, a bank can no longer engage in proprietary trading of stocks and derivatives for its own profit. 5. **Credit Rating Agencies:**   - Dodd-Frank introduced reforms related to credit rating agencies to reduce conflicts of interest. It aimed to ensure that these agencies provide accurate and impartial credit ratings. For example, credit rating agencies are now subject to greater oversight, and their methodologies are more transparent.

𝗛𝗲𝗿𝗲'𝘀 𝗺𝘆 𝟳-𝘀𝘁𝗲𝗽 𝗽𝗹𝗮𝘆𝗯𝗼𝗼𝗸 𝗳𝗼𝗿 𝗲𝗻𝘀𝘂𝗿𝗶𝗻𝗴 𝘀𝗺𝗼𝗼𝘁𝗵 𝗿𝗲𝗴𝘂𝗹𝗮𝘁𝗼𝗿𝘆 𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻𝘀 𝘁𝗵𝗮𝘁 𝗜'𝘃𝗲 𝗿𝗲𝗳𝗶𝗻𝗲𝗱 𝗼𝘃𝗲𝗿 𝘆𝗲𝗮𝗿𝘀 𝗶𝗻 𝘁𝗵𝗲 𝗠𝗲𝗱𝗧𝗲𝗰𝗵 𝗾𝘂𝗮𝗹𝗶𝘁𝘆 𝗮𝗻𝗱 𝗿𝗲𝗴𝘂𝗹𝗮𝘁𝗼𝗿𝘆 𝘀𝗽𝗮𝗰𝗲: 𝟭. 𝗦𝘁𝗮𝗿𝘁 𝘄𝗶𝘁𝗵 𝘁𝗵𝗲 𝗲𝗻𝗱 𝗶𝗻 𝗺𝗶𝗻𝗱 - 𝟭𝟴-𝟮𝟰 𝗺𝗼𝗻𝘁𝗵𝘀 𝗯𝗲𝗳𝗼𝗿𝗲 𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻 • Map your regulatory strategy to your commercial goals • Identify your regulatory pathway early (510(k), De Novo, PMA) • Build testing protocols based on predicate devices when applicable 𝟮. 𝗗𝗲𝘀𝗶𝗴𝗻 𝘆𝗼𝘂𝗿 𝗤𝘂𝗮𝗹𝗶𝘁𝘆 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗦𝘆𝘀𝘁𝗲𝗺 𝗳𝗼𝗿 𝗲𝗳𝗳𝗶𝗰𝗶𝗲𝗻𝗰𝘆 • Implement ISO 13485 principles from day one • Focus on the 7 critical SOPs that impact submissions most • Avoid the common trap of documentation overload (I've seen startups with 200+ SOPs when 35-40 would suffice) 𝟯. 𝗩𝗮𝗹𝗶𝗱𝗮𝘁𝗲 𝘆𝗼𝘂𝗿 𝘁𝗲𝘀𝘁𝗶𝗻𝗴 𝗺𝗲𝘁𝗵𝗼𝗱𝗼𝗹𝗼𝗴𝘆 𝗯𝗲𝗳𝗼𝗿𝗲 𝗲𝘅𝗲𝗰𝘂𝘁𝗶𝗻𝗴 • Pre-validate test methods with 3-5 pilot runs • Engage with testing labs that have FDA submission experience • Document protocol deviations properly (we found 63% of submissions get delayed due to inadequate deviation management) 𝟰. 𝗟𝗲𝘃𝗲𝗿𝗮𝗴𝗲 𝗽𝗿𝗲-𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻 𝗺𝗲𝗲𝘁𝗶𝗻𝗴𝘀 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝗶𝗰𝗮𝗹𝗹𝘆 • Schedule Q-Sub meetings 9-12 months before planned submission • Prepare focused questions (limit to a few critical issues) • Follow up with written summaries within the allocated time 𝟱. 𝗕𝘂𝗶𝗹𝗱 𝗮 𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻 "𝘄𝗮𝗿 𝗿𝗼𝗼𝗺" • Assemble cross-functional team (R&D, Clinical, Quality, Regulatory) • Create submission trackers with accountability metrics • Hold twice-weekly stand-ups in the 90 days before submission 𝟲. 𝗖𝗼𝗻𝗱𝘂𝗰𝘁 𝘁𝗵𝗶𝗿𝗱-𝗽𝗮𝗿𝘁𝘆 𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻 𝗿𝗲𝘃𝗶𝗲𝘄 • Have external experts review 100% of your technical documentation • Use submission management platforms like RADAR or MasterControl • Schedule review 45-60 days before planned submission date 𝟳. 𝗣𝗿𝗲𝗽𝗮𝗿𝗲 𝗳𝗼𝗿 𝗶𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝗿𝗲𝘃𝗶𝗲𝘄 • Anticipate FDA questions with "pre-mortem" analysis • Have subject matter experts on standby during review period • Create response templates for common deficiency categories I learned these lessons the hard way. Early in my career I worked at a company where we had three submissions rejected due to inconsistent test data formatting. Now we use standardized data presentation templates that have cut our Additional Information requests by 72%. 𝗧𝗔𝗞𝗘𝗔𝗪𝗔𝗬: Regulatory success is about methodical preparation and strategic execution. The companies that view regulatory as a strategic function rather than a compliance burden consistently outperform their peers in time-to-market by an average of 7 months If you're preparing for an FDA submission in the next 12-18 months, I'd be happy to share our pre-submission checklist. Just message me directly

Well, it's now official. The U.S. Securities and Exchange Commission (SEC) just put out this press release. SEC registrants (any company that files documents with the SEC) must: 1) Disclose any #cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. This is due four business days after it is determined that a cybersecurity incident is material. 2) Describe their processes, if any, for assessing, identifying, and managing material #risks from cybersecurity threats, as well as reasonably likely material effects of risks from cybersecurity #threats and previous cybersecurity incidents. 3) Describe the #board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. The 2nd and 3rd disclosures will be required in a registrant's annual report, due beginning with fiscal years ending on or after December 15, 2023.

The evolution of Environmental, Social, and Governance (ESG) criteria globally can be traced to the ethical investment movements of the 1960s and 1970s, where investors began excluding industries like tobacco and weapons. However, the formal ESG framework emerged in 2004 with the UN's "Who Cares Wins" report, linking ESG issues to corporate financial performance. The subsequent launch of the UN Principles for Responsible Investment (PRI) in 2006 accelerated ESG's global adoption. Key Milestones in the History of ESG: - 1980s-1990s: Socially responsible investing gained momentum, with boycotts of companies complicit in apartheid and environmental degradation. - 2004-2006: The UN's "Who Cares Wins" and the PRI were pivotal, formalizing ESG considerations for investors. - 2015: The Paris Agreement and the UN Sustainable Development Goals (SDGs) cemented sustainability and social responsibility as global priorities. - 2020: The pandemic amplified focus on the "S" (social) in ESG, with increased scrutiny of labour practices, health, and equity in supply chains. Global Regulatory Advancements in the ESG Landscape: - EU: The 2018 EU Action Plan on Sustainable Finance introduced the EU Taxonomy, a tool to classify sustainable activities, and the Sustainable Finance Disclosure Regulation (SFDR) to enhance transparency in ESG reporting. - US: The SEC's 2022 proposals for mandatory climate risk disclosures highlight growing regulatory attention. - Global: Many countries, including Japan, Canada, and the UK, have adopted frameworks requiring ESG disclosures to foster sustainability. India's Path to ESG Transformation: India has witnessed significant progress in ESG. The 2013 Companies Act made corporate social responsibility (CSR) mandatory for certain firms, a major step in aligning corporate governance with societal goals. In 2021, the Securities and Exchange Board of India (SEBI) introduced the Business Responsibility and Sustainability Report (BRSR), making ESG disclosures mandatory for the top 1,000 listed companies starting in FY23. This move mirrors global trends and aims to improve transparency and investor decision-making. Why Investors Prioritize ESG: Investors increasingly prioritize ESG due to its role in risk management, long-term value creation, and alignment with societal expectations. ESG-compliant companies tend to show resilience, particularly in volatile markets. Moreover, regulatory pressures and growing evidence of the financial benefits of strong ESG practices are driving institutional investors toward ESG. In India, increased awareness of sustainability and social issues is pushing investors to favour companies that adhere to ESG norms. #ESG #Investors #regulatory Contribution by Shrenie Vakharia ANB Legal

All international and corporate tax compliance forms that pertain to U.S. taxpayers with foreign investments, operations, or entities. 📌 1. Form 5471 – Information Return of U.S. Persons With Respect to Certain Foreign Corporations Who files? U.S. citizens, residents, and domestic corporations that are officers, directors, or shareholders in certain foreign corporations. Purpose: To report ownership and financial information of Controlled Foreign Corporations (CFCs). Key Focus: Subpart F income, Global Intangible Low-Taxed Income (GILTI), previously taxed earnings, and related-party transactions. Penalty for non-filing: $10,000 per year, per form. 📌 2. Form 8858 – Information Return of U.S. Persons With Respect to Foreign Disregarded Entities (FDEs) and Foreign Branches Who files? U.S. persons (individuals or companies) that own foreign disregarded entities (FDEs) or operate foreign branches. Purpose: To provide financial info of the FDE/foreign branch to ensure proper U.S. taxation. Key Focus: Balance sheet, income statement, transactions with related parties, and foreign tax reporting. Special Note: Often attached to Form 5471 or 8865 if the FDE is owned by a foreign corporation/partnership. 📌 3. Form 8865 – Return of U.S. Persons With Respect to Certain Foreign Partnerships U.S. persons who own an interest in a foreign partnership (ownership thresholds apply). Purpose: To report income, deductions, and transactions of the foreign partnership. Key Focus: Similar to 1065 (domestic partnership return) but for foreign partnerships. Includes transfer of property to partnerships and reportable transactions. Penalty for non-filing: $10,000 per year, per form. 📌 4. Form 8621 – Information Return by a Shareholder of a Passive Foreign Investment Company (PFIC) U.S. persons who are direct or indirect shareholders of a PFIC. Purpose: To prevent deferral of U.S. tax on passive income held offshore. Key Focus: PFIC inclusions under excess distribution rules, QEF (Qualified Electing Fund) election, or Mark-to-Market election. Common Trigger: Foreign mutual funds often qualify as PFICs. 📌 5. Form 926 – U.S. persons who transfer cash or property to a foreign corporation and meet certain ownership thresholds. Purpose: To report outbound transfers of property that could avoid U.S. tax recognition. Key Focus: Ensures compliance with IRC §367 (outbound transfers of appreciated property). Example: If a U.S. company contributes IP or machinery to a foreign subsidiary. 📌 6. Form 1120-F – Foreign corporations engaged in U.S. trade or business or with U.S.-sourced income. Purpose: To report income, deductions, credits, and U.S. tax liability of foreign corporations. Key Focus: Effectively Connected Income (ECI), Fixed or Determinable Annual or Periodical (FDAP) income, branch profits tax, and treaty-based return positions. Special Note: Even if the foreign corporation claims no U.S. taxable income, filing is often required to protect treaty benefits.