| Regulations covered | 111 |
| Rules extracted | 7,630 |
| Obligations scored | 109,211 |
| FATF rating | Largely Compliant |
| Capital | Washington, D.C. |
| Population | 334.0M |
| GDP (USD) | $27.4T |
| Currency | US Dollar (USD) |
| Region | North America |
| CPI Score | 69/100 |
| Assessment body | FATF |
| Assessment year | 2016 |
| Overall compliance | Largely Compliant |
| Overall effectiveness | Substantial |
FATF Recommendations R1-R40 ratings from the 2016 mutual evaluation
| Compliant | 9 |
| Largely Compliant | 23 |
| Partially Compliant | 5 |
| Non-Compliant | 3 |
Immediate Outcomes IO1-IO11 from the 2016 mutual evaluation
We cover 111 United States regulations with 7,630 rules and 109,211 obligations scored. Each entry below summarises one regulation's core requirements and the entities it applies to.
Prohibits discrimination on the basis of disability in places of public accommodation and commercial facilities, requiring accessible design and reasonable modifications to policies and practices.
Prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals of items or services covered by federal healthcare programs. Relevant to healthcare providers, suppliers, and entities participating in Medicare or Medicaid.
Establishes quality standards for laboratory testing to ensure the accuracy, reliability, and timeliness of patient test results. Applies to all facilities performing clinical laboratory testing on human specimens in the United States.
Prohibits physician self-referrals for designated health services payable by Medicare or Medicaid, unless a specific exception applies. Applies to physicians and entities that furnish designated health services.
Requires US critical infrastructure operators to report significant cyber incidents and ransomware payments to CISA. The reporting obligation becomes enforceable only once CISA's implementing rule takes effect; the proposed rule was published in April 2024.
CMS conditions that hospitals must meet to participate in Medicare and Medicaid covering patient rights, quality assessment, infection control, and medical staff. Applies to Medicare-certified hospitals.
CMS conditions of participation for skilled nursing facilities covering resident rights, quality of care, pharmacy services, and infection control. Applies to nursing facilities participating in Medicare and Medicaid.
Requires financial institutions to establish and maintain written customer due diligence procedures, including identifying and verifying beneficial owners of legal entity customers. Applies to banks, brokers, mutual funds, and other covered financial institutions.
Grants California consumers rights over their personal information, including the right to know, delete, and opt out of the sale or sharing of their data. Applies to businesses meeting specified revenue, data volume, or data sale thresholds.
Governs the Consumer Product Safety Commission's procedures for disclosing product safety information to the public, including manufacturer notification and comment requirements. Relevant to consumer product manufacturers and importers.
Requires federal financial regulators to assess how well banks and thrifts meet the credit needs of their communities, including low- and moderate-income neighborhoods. Applies to depository institutions.
Governs the Department of Homeland Security's handling of personally identifiable information and Freedom of Information Act requests, including privacy impact assessments and data protection requirements.
Sets standards of conduct for fiduciaries managing employee benefit plans, including duties of loyalty, prudence, and diversification. Applies to plan administrators, trustees, and investment managers of private-sector retirement and health plans.
Prohibits the payment of bribes to foreign government officials to obtain or retain business and requires issuers to maintain accurate books and records and adequate internal accounting controls. Applies to U.S. persons, domestic concerns, and issuers of securities.
Regulates the collection, dissemination, and use of consumer credit information, establishing accuracy, fairness, and privacy requirements. Applies to consumer reporting agencies, furnishers of information, and users of consumer reports.
Bank Secrecy Act / Anti-Money Laundering (31 CFR Chapter X): FinCEN regulations requiring financial institutions to maintain anti-money laundering programs, file currency transaction reports and suspicious activity reports, and keep transaction records. Applies to banks, money services businesses, broker-dealers, and other financial institutions defined under the Bank Secrecy Act.
Requires non-banking financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer information. Applies to mortgage brokers, motor vehicle dealers, payday lenders, and other entities under FTC jurisdiction.
Requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data, including providing opt-out rights for certain disclosures. Applies to banks, securities firms, insurance companies, and other financial service providers.
AICPA criteria for evaluating controls over security, availability, processing integrity, confidentiality, and privacy of information systems. Applies to service organisations undergoing SOC 2 examinations.
Sets organizational, operational, and regulatory requirements for federal credit unions, covering membership, lending, investments, and governance. Applies to federally chartered credit unions.
Provides a comprehensive catalog of security and privacy controls for federal information systems and organizations. Used by federal agencies and contractors to protect information systems in accordance with FISMA requirements.
Provides a voluntary framework of cybersecurity outcomes organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Applicable to organizations of all sizes and sectors seeking to manage cybersecurity risk.
Requires financial services companies regulated by the New York Department of Financial Services to implement and maintain a cybersecurity program, including risk assessments, access controls, and incident response. Applies to banks, insurers, and other DFS-regulated entities operating in New York.
Implements the economic and trade sanctions administered by OFAC based on U.S. foreign policy and national security goals, prohibiting transactions with sanctioned countries, entities, and individuals. Applies to all U.S. persons wherever located, and to any transaction within U.S. jurisdiction.
Requires employers to record and report work-related injuries, illnesses, and fatalities. Applies to most private-sector employers, with limited exemptions based on industry and establishment size.
Establishes occupational safety and health standards for general industry workplaces, covering hazard communication, electrical safety, machine guarding, personal protective equipment, and numerous other hazards. Applies to most private-sector employers.
Defines security requirements for organizations that store, process, or transmit payment card data, covering network security, access control, encryption, and monitoring. Applies to merchants, payment processors, acquirers, and service providers in the payment card ecosystem.
Prohibits discrimination in credit transactions on the basis of race, color, religion, national origin, sex, marital status, age, or receipt of public assistance. Applies to creditors, including banks, finance companies, and retailers that extend credit.
Governs the availability of funds deposited in transaction accounts, check collection procedures, and return of unpaid checks. Applies to depository institutions including banks, savings associations, and credit unions.
Requires depository institutions to provide uniform disclosures about interest rates, fees, and terms for deposit accounts so consumers can make informed comparisons. Applies to banks, savings associations, and credit unions.
Establishes the rights, liabilities, and responsibilities of participants in electronic fund transfer systems, including ATM transactions, debit card payments, and direct deposits. Applies to financial institutions offering electronic fund transfer services to consumers.
Restricts extensions of credit by member banks to their executive officers, directors, and principal shareholders, imposing lending limits and requiring board approval. Applies to Federal Reserve member banks and their insiders.
Imposes quantitative limits and collateral requirements on transactions between banks and their affiliates to protect depository institutions from inter-affiliate risk. Applies to Federal Reserve member banks and their affiliates.
Governs the servicing of federally related mortgage loans and requires disclosures to borrowers about settlement costs, escrow accounts, and mortgage servicing transfers. Applies to mortgage lenders, brokers, and servicers.
Governs bank holding company formations, acquisitions, and permissible nonbanking activities, and sets capital adequacy and risk management requirements. Applies to bank holding companies and their subsidiaries.
Requires creditors to provide uniform disclosures of credit terms, including annual percentage rates, finance charges, and payment schedules, to enable consumers to compare credit offers. Applies to most consumer credit transactions including mortgages, credit cards, and installment loans.
Requires public companies to disclose climate-related risks, governance, strategy, greenhouse gas emissions, and the financial impacts of severe weather events and transition activities. Applies to SEC-registered domestic and foreign private issuers. The SEC stayed the rule in April 2024 pending judicial review, so it is not currently in effect.
Establishes requirements for corporate governance, internal controls, financial reporting, and auditor independence to protect investors from fraudulent accounting practices. Applies to publicly traded companies and their audit firms.
AICPA criteria for describing a service organisation system in SOC 1 and SOC 2 reports, covering system boundaries, controls, and complementary controls. Applies to service organisations and their auditors.
US federal government security control baselines for cloud service providers at Low, Moderate, and High impact levels. Applies to cloud service providers seeking FedRAMP authorisation.
US federal law establishing minimum wage, overtime pay, recordkeeping, and child labour standards. Applies to employers and employees in the private sector and government.
US federal law entitling eligible employees to unpaid, job-protected leave for family and medical reasons. Applies to employers with 50 or more employees and their eligible workers.
Certifiable security framework harmonising requirements from regulations and standards including HIPAA, NIST, and ISO 27001. Applies to healthcare organisations and their business associates handling sensitive data.
NIST framework for managing risks from AI systems covering governance, mapping, measuring, and managing AI risks throughout the AI lifecycle. Applies to organisations developing or deploying AI systems.
AICPA framework for examining an organisation's cybersecurity risk management programme, covering description criteria and control criteria. Applies to organisations seeking independent cybersecurity assurance.
AICPA attestation standard governing examination, review, and agreed-upon procedures engagements including SOC 1 and SOC 2 reports. Applies to service auditors and service organisations.
US federal law prohibiting employment discrimination based on race, colour, religion, sex, and national origin. Applies to employers with 15 or more employees, employment agencies, and labour organisations.
Requires large public and private companies doing business in California to publicly disclose their Scope 1, 2, and 3 greenhouse gas emissions. Applies to entities with annual revenues exceeding $1 billion.
Requires covered entities doing business in California to prepare and disclose climate-related financial risk reports consistent with TCFD recommendations. Applies to entities with annual revenues exceeding $500 million.
Requires contractors performing renovation, repair, and painting activities that disturb lead-based paint in pre-1978 housing and child-occupied facilities to be certified and follow specific work practices. Relevant to renovation contractors and property owners.
Governs the filing and regulation of rates, terms, and conditions for the sale and transmission of electric energy and natural gas in interstate commerce. Applies to public utilities, power marketers, and natural gas companies.
Establishes security standards for high-risk chemical facilities, requiring vulnerability assessments, site security plans, and personnel surety measures. Applies to facilities possessing specified chemicals of interest above threshold quantities. The program's statutory authority lapsed in July 2023, and CISA is not enforcing it until Congress reauthorises it.
Governs the classification, packaging, labeling, and transportation of hazardous materials by highway, rail, vessel, and air in the United States. Applies to shippers, carriers, and packaging manufacturers handling hazardous materials.
Sets security requirements for pipeline and rail transportation systems, including cybersecurity measures, personnel vetting, and security planning. Applies to owners and operators of pipeline facilities and freight and passenger rail systems.
Regulates the manufacture, processing, distribution, use, and disposal of polychlorinated biphenyls (PCBs) and PCB-containing items. Applies to facilities and persons that handle, store, or dispose of PCB materials.
Mandates cybersecurity standards for operators of the North American bulk electric system.
NERC reliability standards for bulk electric system planning, operations, and performance excluding critical infrastructure protection. Applies to utilities, grid operators, and generation owners in North America.
Sets general regulations for commodity futures and derivatives markets, covering registration, reporting, recordkeeping, and business conduct standards for market participants. Applies to futures commission merchants, commodity pool operators, and other CFTC-regulated entities.
Regulates the registration, conduct, and fiduciary obligations of investment advisers, including recordkeeping, disclosure, and custody requirements. Applies to persons or firms that provide investment advice for compensation.
Sets regulatory requirements for publicly offered investment companies, including governance, capital structure, and operational restrictions. Applies to mutual funds, closed-end funds, unit investment trusts, and their advisers.
Prescribes the non-financial disclosure requirements for registration statements and periodic reports filed with the SEC, covering business descriptions, risk factors, management discussion, executive compensation, and corporate governance. Applies to public reporting companies.
Prescribes the form and content of financial statements and related schedules required in filings with the SEC. Applies to public reporting companies, investment companies, and their independent auditors.
Establishes rules governing short selling, order execution, and alternative trading systems in U.S. securities markets, including locate and close-out requirements for short sales. Applies to broker-dealers, exchanges, and alternative trading systems.
Governs the trading of securities on secondary markets, establishing registration, reporting, proxy solicitation, and anti-fraud requirements. Applies to exchanges, broker-dealers, and publicly traded companies.
Provides exemptions from SEC registration for certain private offerings of securities, establishing conditions under which issuers may sell securities without full public registration. Applies to issuers conducting private placements and their investors.
Establishes a tiered cybersecurity maturity model that defense contractors must be assessed against to handle federal contract information (Level 1) and controlled unclassified information (Levels 2 and 3). Applies to organizations in the Department of Defense supply chain.
Imposes requirements on operators of websites and online services directed to children under 13, including obtaining verifiable parental consent before collecting personal information. Applies to commercial website and app operators.
Imposes cybersecurity requirements on defense contractors for safeguarding covered defense information and reporting cyber incidents to the Department of Defense. Applies to contractors and subcontractors handling controlled unclassified information in the defense supply chain.
Protects the confidentiality of customer proprietary network information held by telecommunications carriers, restricting its use and disclosure. Applies to telephone companies and interconnected VoIP providers.
Specifies security requirements for protecting controlled unclassified information (CUI) in nonfederal systems and organizations. Applies to contractors and other organizations that process, store, or transmit CUI on behalf of federal agencies.
Provides a standardised security authorisation framework for cloud products used by US federal agencies.
Requires US federal agencies to develop, implement, and maintain information security programs.
Sets national ambient air quality standards for criteria pollutants to protect public health and welfare. Applies to states, local air quality agencies, and emission sources subject to the Clean Air Act.
Establishes the National Pollutant Discharge Elimination System (NPDES) permit program for regulating point source discharges of pollutants into waters of the United States. Applies to industrial, municipal, and other facilities that discharge wastewater.
Establishes current good manufacturing practice requirements for finished pharmaceutical products in the US.
Sets standards for generators of hazardous waste, including waste determination, accumulation limits, recordkeeping, and manifest requirements. Applies to facilities that generate hazardous waste as defined under the Resource Conservation and Recovery Act.
Governs the certification and operations of domestic, flag, and supplemental air carriers, including crew requirements, maintenance programs, and safety procedures. Applies to scheduled and charter airlines operating large aircraft.
Regulates commuter and on-demand air carrier operations, covering pilot qualifications, aircraft maintenance, flight operations, and safety standards. Applies to air taxi and charter operators using smaller aircraft.
Prescribes maximum driving time and minimum rest periods for commercial motor vehicle drivers engaged in interstate commerce. Applies to motor carriers and drivers of commercial vehicles.
Establishes procedures for determining the safety fitness of motor carriers, including safety ratings, new entrant requirements, and administrative review processes. Applies to interstate motor carriers and freight brokers.
Sets safety standards for railroad track, equipment, signal systems, and operating practices to protect railroad employees and the public. Applies to freight and passenger railroad operators.
Establishes criteria for the FDA's acceptance of electronic records and electronic signatures as equivalent to paper records and handwritten signatures. Applies to organizations that maintain records or submit documents to the FDA electronically.
Sets quality system requirements for the design, manufacture, packaging, labeling, storage, and servicing of medical devices. Applies to manufacturers and specification developers of finished medical devices. FDA's Quality Management System Regulation, effective February 2, 2026, amends this part to incorporate ISO 13485:2016 by reference.
Protects the privacy of student education records and gives parents and eligible students rights to access and amend those records. Applies to educational institutions that receive federal funding.
US federal law prohibiting discrimination based on race, colour, or national origin in programmes and activities receiving federal financial assistance. Applies to recipients of federal funding including schools, hospitals, and state agencies.
Establishes science-based standards for the growing, harvesting, packing, and holding of produce for human consumption. Applies to farms that grow, harvest, pack, or hold covered fruits and vegetables.
Requires food facilities to implement a food safety plan with hazard analysis and risk-based preventive controls for human food. Applies to domestic and foreign food manufacturing, processing, and storage facilities.
Requires meat and poultry processing establishments to develop and implement Hazard Analysis and Critical Control Point plans to ensure food safety. Applies to USDA-inspected slaughter and processing facilities.
Establishes national standards for the protection of individually identifiable health information, including privacy, security, and breach notification requirements. Applies to covered entities such as health plans, healthcare providers, and healthcare clearinghouses, as well as their business associates.
Requires insurance licensees to develop, implement, and maintain an information security program to protect nonpublic information from unauthorized access. Applies to insurers, agents, and other entities licensed by state insurance departments.
Regulates transactions within insurance holding company systems, requiring registration, reporting, and prior approval of material transactions between affiliated insurers and their parent companies. Applies to insurers that are part of a holding company group.
Requires insurers to engage independent auditors and establish internal audit functions, including audit committee requirements and management reporting on internal controls. Applies to insurance companies subject to state financial regulation.
Requires large insurers and insurance groups to conduct an Own Risk and Solvency Assessment, evaluating the adequacy of their risk management framework and capital position. Applies to insurers meeting specified premium or group premium thresholds.
Establishes the conditions under which a ceding insurer may take credit for reinsurance on its financial statements, including collateral and reinsurer certification requirements. Applies to insurers entering into reinsurance agreements.
Defines and prohibits unfair or deceptive acts and practices in the insurance business, including misrepresentation, false advertising, and unfair claims settlement. Applies to insurers, agents, and other persons engaged in the business of insurance.
Controls the export and temporary import of defense articles and defense services, requiring State Department authorization for international transfers. Applies to manufacturers, exporters, and brokers of defense-related items on the U.S. Munitions List.
Screens foreign investments in the US for national security risks through the CFIUS review process.
Controls the export of dual-use items, technology, and software from the United States for national security.
Governs procurement rules and contract terms for US federal government acquisitions of goods and services.
Requires that goods shipped between U.S. ports be transported on vessels that are U.S.-built, U.S.-owned, U.S.-flagged, and U.S.-crewed. Applies to domestic maritime shipping operators and provides cabotage protections for the U.S. maritime industry.
Establishes inspection and safety standards for towing vessels operating on U.S. navigable waters, covering vessel design, equipment, crew qualifications, and safety management systems. Applies to owners and operators of towing vessels.
Sets safety and health standards for the construction industry, covering fall protection, scaffolding, excavation, electrical safety, and other construction-specific hazards. Applies to employers and employees engaged in construction activities.
US model building code covering structural design, fire protection, means of egress, accessibility, and energy conservation for commercial and residential buildings. Applies to builders and code officials.
US federal law requiring colleges and universities to disclose campus security policies and crime statistics annually. Applies to postsecondary institutions participating in federal student aid programmes.
US federal law prohibiting sex-based discrimination in education programmes receiving federal funding, covering admissions, athletics, and sexual harassment. Applies to schools, colleges, and universities receiving federal financial assistance.
Run probabilistic risk scores across 109,211 United States obligations. See exactly where your gaps are.