Industry Legislation Key

Non-compliance is rarely an option.

On this page is digested information on some of the more notable pieces of legislation affecting records and asset management.

  • Sarbanes-Oxley (SOX)
  • Health Insurance Portability & Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLB)
  • Fair And Accurate Credit Transaction Act (FACTA)
  • Basel II

Sarbanes-Oxley (SOX)

On July 30, 2002, President Bush signed the Sarbanes-Oxley Act (SOX) of 2002 into law. The Act – which applies in general to publicly held companies and their audit firms – dramatically affects the accounting profession and impacts not just the largest accounting firms, but any CPA actively working as an auditor of, or for, a publicly traded company. Provisions of SOX detail criminal and civil penalties for noncompliance, certification of internal auditing, and increased financial disclosure.

Section 404, effective in 2006, requires that all annual financial reports include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, together with management's assessment of the effectiveness of that control structure. Any shortcomings in these controls must also be reported, and that report must be filed with the SEC.

Health Insurance Portability & Accountability Act (HIPAA)

HIPAA is Public Law 104-191. This Act amended the Internal Revenue Service Code of 1986. It includes a section, Title II, entitled Administrative Simplification, which requires improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of the confidentiality and security of health data through setting and enforcing standards.

HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that ensure standardization of electronic patient health, administrative and financial data; require unique health identifiers for individuals, employers, health plans and health care providers; and set security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.

This law made sweeping changes in the way most healthcare transaction and administrative information systems are handled.

Gramm-Leach-Bliley Act (GLB)

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional “financial institutions” are regulated by the FTC.

The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.

Fair And Accurate Credit Transaction Act (FACTA)

The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA (Pub. L. 108-159, 111 Stat. 1952).

FACTA also imposes a disposal requirement on businesses: any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose must properly dispose of any such information or compilation.

Basel II

Basel II is an international initiative that requires financial services companies to have a more risk-sensitive framework for the assessment of regulatory capital.

The Basel Accord defines regulatory guidelines for international banking. Basel II incorporates substantial changes in the guidelines in several areas, and makes operational risk a new requirement. For banks to comply with Basel II and take full advantage of its reduced capital allocation requirements, they need a comprehensive operational risk management framework and processes in place within their companies.

The planned implementation date for Basel II is December 2006, with parallel running from January 2006. Banks, academics and politicians, particularly in the USA, are demanding changes to the draft rules, which they believe are too complex, overly prescriptive and costly. These changes may in turn delay the implementation of the final Accord.