Regulatory Agencies Inventory and Attributes - Classification attributes for the Regulatory Agencies Inventory
Classification attributes position each Regulatory Agency within the enterprise’s regulatory landscape taxonomy — its type, geographic scope, regulatory domain, and enforcement model. Together these five geographic attributes (Geographic Region, Country, Locale, Jurisdiction Level, and Jurisdiction) form a complete geographic identification system for the global regulatory landscape.
| Attribute Name | Maturity | Description and Notes |
|---|---|---|
| Agency Type | Crawl | Description — The governance character of this regulatory body — classified by the nature of its authority and the source of its regulatory power. The governing test is consequence, not legal form: classify based on whether non-compliance creates legal, financial, operational, or market-access consequences for the enterprise, not based on whether the body is technically a government entity. Benefit(s) — Enables portfolio-level analysis of the regulatory landscape by governance type. Distinguishes agencies whose requirements carry statutory legal force from those whose requirements carry market-access consequences — different consequences require different compliance governance approaches. Source — Manual. Examples — Government, Quasi-Governmental / SRO, Supranational, Standards Body, Industry Self-Regulatory. Notes — Valid values: Government (statutory government body with direct legislative authority — federal, national, state, provincial, regional, or local); Quasi-Governmental / SRO (non-government body granted regulatory authority by statute or government delegation — e.g., FINRA, PCAOB); Supranational (body operating above the nation-state level with authority over member countries — e.g., European Union, Basel Committee, IOSCO); Standards Body (organization that publishes standards adopted as de facto or mandatory requirements — e.g., ISO, NIST, IETF); Industry Self-Regulatory (body whose requirements govern market access without statutory backing — e.g., PCI Security Standards Council, SWIFT, IATA). When a body spans multiple types, classify by its primary governance character. |
| Jurisdiction Level | Crawl | Description — The geographic scope of this agency’s authority — the level in the geographic hierarchy at which the agency operates. Benefit(s) — Enables filtering and querying by governance scope. Distinguishes global standards bodies from national regulators from state-level agencies — each requiring different governance investment and different enterprise response protocols. Source — Manual. Examples — Global, Supranational, National / Federal, State / Provincial, Regional, Local / Municipal. Notes — Valid values: Global (authority recognized across all or most jurisdictions worldwide), Supranational (authority over multiple sovereign nations through treaty or political union — e.g., EU), National / Federal (authority within a single sovereign nation), State / Provincial (authority within a sub-national state, province, or territory), Regional (authority within a defined geographic region within a state or country), Local / Municipal (authority within a city, county, or local jurisdiction). |
| Geographic Region(s) [Multi-Value] | Crawl | Description — The standard enterprise geographic region(s) within which this agency has jurisdiction. Enables portfolio-level queries by enterprise region: all agencies governing APAC operations, all agencies governing European operations, all agencies governing North American operations. Benefit(s) — The region-level query is the most common executive and board-level governance question: "what is our regulatory exposure in Asia-Pacific?" Without this attribute, answering that question requires traversing individual jurisdiction records. With it, the answer is a single query. Source — Manual. Examples — Global, North America, Latin America and Caribbean, Europe, Middle East and Africa (MEA), Asia-Pacific (APAC). Notes — Use the enterprise’s standard geographic region taxonomy. Separate multiple values with semicolons. Supranational bodies like the EU map to Europe; global standards bodies like ISO map to Global. |
| Country(s) [Multi-Value] | Crawl | Description — The specific country or countries within which this agency has jurisdiction. The most operationally important geographic attribute — the level at which most regulatory obligations, penalties, and enforcement actions are scoped. Benefit(s) — Enables the most common compliance query: "show me all regulatory agencies with jurisdiction in Germany" or "show me all agencies governing our operations in Japan." Every enterprise compliance program organizes at least partially by country. Without Country, the inventory cannot answer country-level questions. Source — Manual. Examples — United States, Germany, United Kingdom, Japan, Australia, France, Brazil, Singapore. Notes — Use ISO 3166-1 country names or the enterprise’s standard country taxonomy. Separate multiple values with semicolons. For supranational bodies, list all member countries or use the supranational entity name (e.g., "European Union — all 27 member states"). For global bodies, record as Global. |
| Locale(s) [Multi-Value] | Walk | Description — The specific sub-national jurisdiction(s) — states, provinces, cantons, prefectures, cities, or municipalities — within which this agency has authority, where authority is sub-nationally scoped. Benefit(s) — Required for agencies whose jurisdiction is defined at the sub-national level. The U.S., Canada, Australia, Germany, and many other countries have material compliance obligations at the state or provincial level that cannot be captured through country-level classification alone. Source — Manual. Examples — California (CPPA — California Privacy Protection Agency), New York (DFS — Department of Financial Services), Quebec (CAI — Commission d’accès à l’information), Illinois (IDPFR — Illinois Biometric Information Privacy Act enforcement), Texas (OAG — Office of the Attorney General for TDPSA enforcement). Notes — Leave empty for agencies with national or broader jurisdiction. Separate multiple values with semicolons. Use the standard sub-national name (state, province, canton, etc.) followed by the agency abbreviation or name for clarity. |
| Jurisdiction [Multi-Value] | Crawl | Description — The specific named legal or political entity (country, union, treaty organization, or geographic scope) within which this agency exercises formal authority. Benefit(s) — Captures the legal identity of the jurisdiction — distinct from both the geographic region (which is an enterprise portfolio classification) and the country (which is a geographic fact). The European Union is a jurisdiction distinct from "Europe" as a region and distinct from its 27 member countries. Source — Manual. Examples — United States of America, European Union, United Kingdom, State of California (United States), Province of Quebec (Canada), Basel Committee on Banking Supervision (international treaty body). Notes — Separate multiple values with semicolons. Use the formal legal or political name of the jurisdiction. Distinct from Country — "European Union" is a Jurisdiction; "Germany, France, Italy [and 24 others]" is the Country list for that jurisdiction. |
| Regulatory Domain [Multi-Value] | Crawl | Description — The primary subject matter area(s) this agency regulates — the domains of enterprise activity subject to this agency’s jurisdiction. Benefit(s) — Enables domain-level regulatory portfolio analysis: "show me all agencies governing data privacy across all jurisdictions" or "show me all cybersecurity regulators in Europe." This is the subject-matter lens on the regulatory landscape, as distinct from the geographic lens. Source — Manual. Examples — Data Privacy; Cybersecurity and Operational Resilience; Financial Services; Healthcare; Environmental and ESG; Labor and Employment; Trade and Export Control; Consumer Protection; Telecommunications; Energy; Aviation and Transportation; Pharmaceuticals and Medical Devices; AI and Emerging Technology; Tax and Revenue; Securities and Capital Markets; Anti-Money Laundering (AML) and Financial Crime; Corporate Governance; Product Safety. Notes — Separate multiple values with semicolons. Use the enterprise’s standard regulatory domain taxonomy. A single agency may govern multiple domains — the FTC governs both Consumer Protection and Data Privacy; the SEC governs both Securities and Corporate Governance. |
| Industry Scope [Multi-Value] | Walk | Description — The specific industries or sectors subject to this agency’s jurisdiction. Some agencies regulate a single industry; others govern a domain across all industries. Benefit(s) — Enables industry-specific regulatory portfolio analysis. An enterprise can query: "show me all agencies with jurisdiction over financial services operations in Asia-Pacific" — combining Regulatory Domain, Industry Scope, and Geographic Region. Source — Manual. Examples — All Industries (for cross-sector regulators like data protection authorities), Financial Services, Healthcare and Life Sciences, Pharmaceuticals and Medical Devices, Energy and Utilities, Telecommunications, Aviation and Transportation, Consumer Products, Defense and Government Contracting. Notes — Separate multiple values with semicolons. Use "All Industries" for agencies whose jurisdiction spans all sectors within their domain (e.g., data protection authorities regulate all industries that handle personal data). |
| Enforcement Model [Multi-Value] | Walk | Description — How this agency enforces compliance — the mechanisms it uses to ensure the enterprises subject to its jurisdiction meet its requirements. Benefit(s) — The enforcement model determines what kind of compliance evidence the enterprise must produce and what consequences follow from non-compliance. An agency that licenses enterprises has different consequences (market access) than one that issues fines (financial). Understanding enforcement model drives compliance program design. Source — Manual. Examples — Investigative and Punitive (conducts investigations, issues fines and sanctions); Licensing and Authorization (grants and revokes licenses or market access); Reporting and Disclosure (requires periodic compliance reports, filings, or disclosures); Standard-Setting Only (publishes standards without direct enforcement authority); Hybrid (multiple enforcement mechanisms). Notes — Separate multiple values with semicolons. Most government regulators use a Hybrid model. Standards bodies typically use Standard-Setting Only. SROs often use Licensing and Authorization. |
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present