One of the hardest parts of the compliance field is knowing what it is that you have to comply with. It's not as if you sit at your desk and somebody says, "Here's a book of all the laws that you need to make sure this organization complies with. Okay?" It's a problem of knowing what you don't know, and that's a tough one to get through. So let's take an example. Imagine you're heading a small startup company that's selling smart bulbs to a new connected energy platform. You sell the products to your website, and you collect credit card payments to do that. You have 50 employees who work on development, testing, and marketing, and the manufacturing is done through a vendor that you've contracted with in another country. What do you have to comply with? Far more importantly, how do you know what you have to comply with? Well, what's your first guess when it comes to a legal requirement? Let's take it from the beginning. You know you have employees, so the startup is going to have to ensure that it hires only those eligible to work in the United States, that it maintains current I9 forms for all employees under the Immigration Reform and Control Act. If the company's conducting background checks, it has to comply with the requirements of the Fair Credit Reporting Act. When it comes to salary, the startup has to pay employees minimum wage, and follow overtime, and child labor standards to comply with the Fair Labor Standards Act. The Equal Pay Act dictates that male and female employees in the same roles have to be paid the same wage. The IRS's Federal Tax Code requires that the startup withhold and pay the federal government a percentage of the employee's wages. So you can see, even just looking at employees, that there are a number of laws that come into play. Startups can't discriminate against employees according to the Americans with Disabilities Act and the Age Discrimination Act, among others. Also, it has to ensure a safe working environment under the Occupational Health and Safety Act. Finally, the employees are entitled to certain benefits. The startup has to offer family and medical leave under the Family and Medical Leave Act, and health insurance options under the Affordable Care Act. The company must also pay for unemployment insurance for each employee. So you can tell that even in this one example of employees, there are a number of laws that come into play. Also, you're taking in payments from customers. This triggers a whole new set of requirements from the payment card industry. The requirements are actually industry standards not laws, but the Payment Card Industry has compliance requirements for collecting, and maintaining, and sharing credit card data. Only some payment processing firms are approved, otherwise, major financial penalties and possible removal of rights to collect such payments could apply. We also said in this example that you have a vendor that's helping to manufacture products. Well, if the head of compliance conducted some research, he or she might find that there are compliance requirements related to working with the manufacturing vendor. There may be prohibitions on sharing technology with foreign countries under export control laws, and the company will have to honor these prohibitions and follow the customs and import process laid out by the US Customs and Border Protection. The startup also must comply with the required tariff requirements and applicable safety standards for electronics under the FCC, and depending on the imported products are made of, the company might also have to consider state restrictions on potentially hazardous substances and with a conflict minerals provision under the Dodd-Frank Act. So you can see, just going through at the surface level, we have a few, maybe dozen laws that could apply to the small startup company. So here's a question: Are you done? And how do you know if you're done? Have you exhausted all of the possible rules that could apply and all of the ways your organization could get into some sort of trouble? We'll talk about those troubles later in the course. But how do you know what you don't know? This is an imperfect situation. This is not a science. But they're often outside lawyers with certain areas of expertise, maybe employment lawyers, or export controls lawyers, or information security professionals that can help get an organization the lay of the land of what rules apply. Another great resource is the Small Business Administration which is a federal agency that can help small businesses, startups or otherwise, understand what rules apply and provide some guidance as to how to comply with them. It's quite common and very helpful in the compliance industry to go to that type of resource. You also, if you've got the resources, could go through a mock audit, which is something growing very much in industries, where consultants will come in and conduct a review to determine if you've identified for all the activities you're involved in, whether you know the right federal, state, local, international, or industry standards that may apply. Knowing what you don't know requires a proactive approach. It requires engaging with experts and regularly asking what else? What other requirements apply to what we're doing?
