COMPLIANCE PROGRAM CHARTER

[// GUIDANCE: Tie this charter to a board resolution adopting and empowering the program.]

TABLE OF CONTENTS

1. Document Header
2. Purpose and Objectives
3. Scope and Applicability
4. Governance and Reporting Lines
5. Authority and Independence
6. Core Program Elements
7. Regulatory Change Management
8. Reporting, Escalation, and Metrics
9. Resources and Budget
10. Review and Approval
11. Annexes (RACI, Definitions, Escalation Matrix)
12. California-Specific Regulatory Focus

1. DOCUMENT HEADER

Compliance Program Charter (this "Charter") adopted by [COMPANY LEGAL NAME], effective [EFFECTIVE DATE], approved by [BOARD/COMMITTEE NAME].

2. PURPOSE AND OBJECTIVES

• Establish mandate, authority, and accountability for the Compliance function.
• Prevent, detect, and remediate violations of law, regulation, and company policy.
• Embed compliance by design into products, services, vendors, and operations.
• Promote a culture of integrity and transparent escalation.

3. SCOPE AND APPLICABILITY

• Applies to: employees, officers, directors, contractors, and controlled affiliates.
• Domains (tailor): data privacy/security, sanctions/export, anti-corruption, antitrust, consumer protection/marketing, employment/EEO, safety, environmental, securities/fincrime, healthcare/PHI, sector-specific rules.
• Geographic reach: all jurisdictions where the company operates, markets, or processes data.

4. GOVERNANCE AND REPORTING LINES

4.1 Board/Committee Oversight
- Oversight body: [AUDIT/COMPLIANCE/BOARD COMMITTEE]; meeting cadence: [QUARTERLY].
- Responsibilities: review program effectiveness, approve policies, oversee remediation, ensure resources, review significant incidents and regulator interactions.

4.2 Compliance Officer
- Title/name: [CHIEF COMPLIANCE OFFICER OR EQUIVALENT].
- Functional reporting to [BOARD COMMITTEE CHAIR]; administrative reporting to [CEO/GC].
- Direct, unfettered access to independent directors.

4.3 Management Ownership
- Domain leads (privacy, security, HR, finance, product, operations, sales) accountable for controls, testing, and remediation within their areas.

5. AUTHORITY AND INDEPENDENCE

• Authority to access records, systems, and personnel for compliance activities.
• Authority to halt or delay high-risk activities pending review.
• Protection from retaliation; removal/reassignment requires [BOARD/COMMITTEE] approval.
• Authority to engage external counsel/forensics without prior management approval when required for independence.

6. CORE PROGRAM ELEMENTS

6.1 Risk Assessment
- Annual baseline plus event-driven updates (product/geo changes, incidents, M&A).
- Heat map, top risks list, and remediation plan with owners/dates.

6.2 Policies and Standards
- Lifecycle: drafting, SME/legal review, approval, publication, version control, training, exceptions with compensating controls.

6.3 Training and Awareness
- Role-based plan, completion targets, refresh cadence, and tracking; board/leadership training where applicable.

6.4 Monitoring and Testing
- Control testing plan, sampling, issue logging, root-cause analysis, remediation verification.

6.5 Issue Intake and Investigations
- Channels: hotline, email, manager, Compliance.
- Triage, investigation protocol, documentation, remediation, lessons learned.

6.6 Third-Party Risk Management
- Tiering, due diligence, contractual controls, ongoing monitoring, and offboarding requirements.

6.7 Recordkeeping and Legal Holds
- Retention rules aligned with legal/regulatory requirements and hold procedures.

7. REGULATORY CHANGE MANAGEMENT

• Horizon scanning for laws/regulations and regulator guidance.
• Impact assessments, owner assignments, control/policy updates, and documented interpretations.
• Tracking log of changes, decisions, and implementation status.

8. REPORTING, ESCALATION, AND METRICS

• Regular reports to [BOARD/COMMITTEE]: risk results, testing, incidents, remediation status, training metrics, hotline trends, regulator contacts.
• Escalation triggers: regulator inquiries/exams, data breach, sanctions match, public official contact, material control failure, fraud/bribery indicators.
• KPIs/KRIs: [DEFINE METRICS-e.g., exception aging, time-to-remediate, completion rates, incident closure times].

9. RESOURCES AND BUDGET

• Budget, tools, and headcount proportional to risk; access to external expertise.
• Training budget for staff; tooling for hotline, case management, testing, and TPRM.

10. REVIEW AND APPROVAL

• Annual review by Compliance and [BOARD/COMMITTEE]; interim updates upon material changes.
• Approval recorded in meeting minutes; effective date documented.

11. ANNEXES (EXAMPLES)

• Annex A: RACI by domain/process.
• Annex B: Definitions and abbreviations.
• Annex C: Escalation matrix (severity, response times, approvers).
• Annex D: Metrics catalog and targets.

12. CALIFORNIA-SPECIFIC REGULATORY FOCUS

• Privacy. California Consumer Privacy Act/CPRA requirements for notices, data rights, sensitive data, and vendor contracts.
• Consumer Protection. Unfair Competition Law (Bus. & Prof. Code Section 17200) and Consumer Legal Remedies Act (Civ. Code Section 1750 et seq.) exposure for marketing, sales, and disclosures.
• Employment. FEHA compliance for discrimination/harassment and California-specific wage/hour obligations.
• Data Incidents. California breach notification requirements (Civ. Code Section 1798.82).