markus41/plugins/lobbi-compliance-guard/skills/regulatory-map

Regulatory Mapping

Produce a comprehensive regulatory requirement matrix that maps each business process step to the specific regulatory requirements it must satisfy, identifies gaps where no control exists, and provides the foundation for a compliance program.

Step 1: Entity and Product Classification

Identify exactly what the client is and does, because regulatory obligations are entity- and product-specific.

Entity type (select all that apply):

Insurance:

• [ ] Insurance agent (licensed individual or agency)
• [ ] Insurance broker
• [ ] Managing General Agent (MGA) — has binding authority
• [ ] Managing General Underwriter (MGU) — no binding authority
• [ ] Admitted carrier (licensed in state, subject to rate/form filing)
• [ ] Non-admitted / surplus lines carrier
• [ ] Third-Party Administrator (TPA)
• [ ] Reinsurer

Mortgage:

• [ ] Mortgage broker (originates, does not fund)
• [ ] Mortgage banker / non-bank lender (originates and funds, sells to secondary market)
• [ ] Portfolio lender (originates and holds)
• [ ] Mortgage servicer (collects payments, loss mitigation)
• [ ] Correspondent lender

Financial Services:

• [ ] Registered Investment Advisor (RIA)
• [ ] Broker-dealer (FINRA member)
• [ ] Dual registrant (RIA + BD)
• [ ] Bank or credit union (state or federally chartered)
• [ ] Money services business (MSB)

Product lines and states (document each combination):

| Product Line | States of Operation | License Type Held | License Numbers | |-------------|---------------------|------------------|----------------| | [e.g., Personal lines P&C] | [e.g., TX, CA, FL] | [e.g., Insurance Agency] | [License #s] |

Step 2: Regulatory Universe Identification

Based on entity type and product lines, enumerate all applicable regulations.

Federal regulations (apply regardless of state):

| Regulation | Full Name | Administering Agency | Summary of Applicability | |-----------|-----------|---------------------|--------------------------| | RESPA | Real Estate Settlement Procedures Act | CFPB | Mortgage: settlement costs, kickbacks, escrow | | TRID | TILA-RESPA Integrated Disclosure | CFPB | Mortgage: LE and CD disclosures | | HMDA | Home Mortgage Disclosure Act (Reg C) | CFPB | Mortgage: LAR data collection and reporting | | ECOA/Reg B | Equal Credit Opportunity Act | CFPB | Credit: adverse action, fair lending | | FCRA | Fair Credit Reporting Act | CFPB + FTC | Credit: permissible purpose, adverse action | | Dodd-Frank QM/ATR | Ability to Repay / Qualified Mortgage | CFPB | Mortgage: underwriting standards | | BSA/AML | Bank Secrecy Act / Anti-Money Laundering | FinCEN | All financial: CIP, SAR, CTR | | GLBA | Gramm-Leach-Bliley Act / Safeguards Rule | FTC / banking regulators | All financial: privacy, data security | | CAN-SPAM | CAN-SPAM Act | FTC | Email marketing | | TCPA | Telephone Consumer Protection Act | FCC | Phone/text marketing | | FINRA 4511 | FINRA Recordkeeping Rule | FINRA | BD: books and records | | SOX | Sarbanes-Oxley Act | SEC | Public companies: financial reporting controls |

State regulations (document per state):

For each state of operation, identify:

• Insurance code and regulations (administered by state DOI)
• Mortgage banking / lending statutes (state banking dept or DOI)
• State consumer protection statutes
• State privacy laws (CCPA/CPRA for CA; others as applicable)
• State recording consent laws (one-party vs. two-party)
• State unclaimed property laws

Step 3: Requirement Extraction

For each regulation in the universe, extract the specific operational requirements — what must the business do, not just what the law says.

Requirement format:

REQ-[Regulation]-[N]:
Regulation: [Reg name and specific section/rule]
Requirement: [Plain English description of what must happen operationally]
Applies to: [Which entity types, product lines, or states]
Frequency: [Per transaction / Monthly / Annually / Ongoing]
Evidence required: [What documentation proves compliance]
Failure consequence: [Regulatory action, fine, license revocation, civil liability]

Example extractions:

REQ-TRID-001:
Regulation: TRID / Reg Z § 1026.37
Requirement: Deliver Loan Estimate within 3 business days of receiving application (6 triggers)
Applies to: All mortgage lenders and brokers
Frequency: Per loan application
Evidence required: LE issuance date, delivery confirmation, application date
Failure consequence: CFPB enforcement, inability to collect fees before LE delivery

REQ-NAIC-001:
Regulation: NAIC Unfair Trade Practices Act (adopted by most states)
Requirement: Acknowledge receipt of a claim within 10 working days; accept or deny within 45 days
Applies to: Admitted carriers, some TPAs
Frequency: Per claim
Evidence required: Claim acknowledgment log, acceptance/denial letters with dates
Failure consequence: State DOI market conduct citation, fines

Step 4: Process Mapping

Map each regulatory requirement to the business process step(s) where it must be implemented.

Process mapping table:

| REQ ID | Regulation | Requirement Summary | Process Area | Process Step | Step Owner | System | Gap? | |--------|-----------|---------------------|-------------|-------------|------------|--------|------| | REQ-TRID-001 | TRID / Reg Z § 1026.37 | LE within 3 business days | Loan origination | Application intake → LE generation | Loan processor | LOS | [Yes/No] |

Process areas to map (adjust for client):

Insurance:

• Marketing and lead generation
• Application intake and data collection
• Underwriting and risk assessment
• Quote and bind
• Policy issuance
• Endorsements and policy changes
• Renewals
• Cancellations and non-renewals
• Claims intake
• Claims investigation and adjudication
• Claims payment
• Compliance monitoring and reporting
• Producer licensing management

Mortgage:

• Lead generation and marketing
• Pre-qualification
• Loan application intake
• Disclosure delivery (LE, CD, ECOA, FCRA)
• Processing and document collection
• Underwriting
• Appraisal and title
• Closing preparation and CD delivery
• Closing and funding
• Post-close and trailing documents
• Secondary market delivery
• Servicing (if applicable)
• Loss mitigation and default (if applicable)

Step 5: Control Identification

For each requirement mapped to a process step, identify the control that satisfies it.

| REQ ID | Process Step | Control Description | Control Type | Automated? | Evidence Produced | |--------|-------------|---------------------|-------------|-----------|-------------------| | [REQ ID] | [Step] | [What the control does] | Preventive / Detective | Yes / No | [Log, report, document] |

Where no control exists, mark as GAP and proceed to Step 6.

Step 6: Gap Identification and Evidence Matrix

Gap summary:

| REQ ID | Requirement | Gap Description | Risk Level | Remediation | |--------|-------------|-----------------|-----------|-------------| | [ID] | [Requirement] | [What is missing or inadequate] | Critical / High / Medium / Low | [Specific action] |

Evidence matrix — what a regulator would request:

| REQ ID | Requirement | Evidence Type | Produced By | Stored Where | Retention Period | |--------|-------------|--------------|-------------|-------------|-----------------|

Output Format

Deliver one integrated artifact — the Regulatory Requirement Matrix — as a structured table with these columns:

Regulation | Section/Rule | Requirement (plain English) | Process Area | Process Step | Control | Evidence | Gap | Risk Level | Remediation

Accompany with:

• Regulatory Universe Summary — Bullet list of all applicable regulations with one-line description
• Gap Priority List — Top gaps ordered by risk level (Critical first), with owner and target remediation date
• Open Items — Regulatory requirements where client must provide clarification before mapping can be completed