COMPLIANCE PROGRAM CHARTER

[// GUIDANCE: Tie this charter to a board resolution adopting and empowering the program.]

TABLE OF CONTENTS

1. Document Header
2. Purpose and Objectives
3. Scope and Applicability
4. Governance and Reporting Lines
5. Authority and Independence
6. Core Program Elements
7. Regulatory Change Management
8. Reporting, Escalation, and Metrics
9. Resources and Budget
10. Review and Approval
11. Annexes (RACI, Definitions, Escalation Matrix)
12. New York-Specific Regulatory Focus

1. DOCUMENT HEADER

Compliance Program Charter (this "Charter") adopted by [COMPANY LEGAL NAME], effective [EFFECTIVE DATE], approved by [BOARD/COMMITTEE NAME].

2. PURPOSE AND OBJECTIVES

• Establish mandate, authority, and accountability for the Compliance function.
• Prevent, detect, and remediate violations of law, regulation, and company policy.
• Embed compliance by design into products, services, vendors, and operations.
• Promote a culture of integrity and transparent escalation.

3. SCOPE AND APPLICABILITY

• Applies to: employees, officers, directors, contractors, and controlled affiliates.
• Domains (tailor): data privacy/security, sanctions/export, anti-corruption, antitrust, consumer protection/marketing, employment/EEO, safety, environmental, securities/fincrime, healthcare/PHI, sector-specific rules.
• Geographic reach: all jurisdictions where the company operates, markets, or processes data.

4. GOVERNANCE AND REPORTING LINES

4.1 Board/Committee Oversight
- Oversight body: [AUDIT/COMPLIANCE/BOARD COMMITTEE]; meeting cadence: [QUARTERLY].
- Responsibilities: review program effectiveness, approve policies, oversee remediation, ensure resources, review significant incidents and regulator interactions.

4.2 Compliance Officer
- Title/name: [CHIEF COMPLIANCE OFFICER OR EQUIVALENT].
- Functional reporting to [BOARD COMMITTEE CHAIR]; administrative reporting to [CEO/GC].
- Direct, unfettered access to independent directors.

4.3 Management Ownership
- Domain leads (privacy, security, HR, finance, product, operations, sales) accountable for controls, testing, and remediation within their areas.

5. AUTHORITY AND INDEPENDENCE

• Authority to access records, systems, and personnel for compliance activities.
• Authority to halt or delay high-risk activities pending review.
• Protection from retaliation; removal/reassignment requires [BOARD/COMMITTEE] approval.
• Authority to engage external counsel/forensics without prior management approval when required for independence.

6. CORE PROGRAM ELEMENTS

6.1 Risk Assessment
- Annual baseline plus event-driven updates (product/geo changes, incidents, M&A).
- Heat map, top risks list, and remediation plan with owners/dates.

6.2 Policies and Standards
- Lifecycle: drafting, SME/legal review, approval, publication, version control, training, exceptions with compensating controls.

6.3 Training and Awareness
- Role-based plan, completion targets, refresh cadence, and tracking; board/leadership training where applicable.

6.4 Monitoring and Testing
- Control testing plan, sampling, issue logging, root-cause analysis, remediation verification.

6.5 Issue Intake and Investigations
- Channels: hotline, email, manager, Compliance.
- Triage, investigation protocol, documentation, remediation, lessons learned.

6.6 Third-Party Risk Management
- Tiering, due diligence, contractual controls, ongoing monitoring, and offboarding requirements.

6.7 Recordkeeping and Legal Holds
- Retention rules aligned with legal/regulatory requirements and hold procedures.

7. REGULATORY CHANGE MANAGEMENT

• Horizon scanning for laws/regulations and regulator guidance.
• Impact assessments, owner assignments, control/policy updates, and documented interpretations.
• Tracking log of changes, decisions, and implementation status.

8. REPORTING, ESCALATION, AND METRICS

• Regular reports to [BOARD/COMMITTEE]: risk results, testing, incidents, remediation status, training metrics, hotline trends, regulator contacts.
• Escalation triggers: regulator inquiries/exams, data breach, sanctions match, public official contact, material control failure, fraud/bribery indicators.
• KPIs/KRIs: [DEFINE METRICS-e.g., exception aging, time-to-remediate, completion rates, incident closure times].

9. RESOURCES AND BUDGET

• Budget, tools, and headcount proportional to risk; access to external expertise.
• Training budget for staff; tooling for hotline, case management, testing, and TPRM.

10. REVIEW AND APPROVAL

• Annual review by Compliance and [BOARD/COMMITTEE]; interim updates upon material changes.
• Approval recorded in meeting minutes; effective date documented.

11. ANNEXES (EXAMPLES)

• Annex A: RACI by domain/process.
• Annex B: Definitions and abbreviations.
• Annex C: Escalation matrix (severity, response times, approvers).
• Annex D: Metrics catalog and targets.

12. NEW YORK-SPECIFIC REGULATORY FOCUS

• Privacy & Data Security. NY SHIELD Act data security obligations for private information; sectoral NYDFS cybersecurity rules if applicable.
• Consumer Protection. NY General Business Law Sections 349-350 (deceptive acts and false advertising).
• Employment. New York State Human Rights Law and mandated sexual harassment prevention policies/training.
• Incident Response. New York breach notification obligations and regulator communication protocols.