Sharing Internal Policies with Regulators

Background

A regulatory authority has requested information about the company's internal data governance practices. The compliance team has been asked to decide whether to share an internal policy document and an intra-group agreement that outlines how data flows between entities within the corporate group.

The Dilemma

There are different views on how to respond:

  • How much information should be shared? Should we provide the full policy document or only a summary?

  • Is consent required? Do we need approval from other group entities or other regulator(s) before sharing documents that reference their operations?

  • What are the risks? Could sharing too much information create future obligations or expose the company to additional scrutiny?

Compliance Perspective

Position: Prioritize transparency and relationship-building with the regulator.

Key Arguments:

  • Regulators value transparency and cooperation. Being forthcoming builds trust and demonstrates our commitment to good governance.

  • If we appear evasive or overly legalistic, it may raise suspicions and lead to more intrusive follow-up requests or investigations.

  • The policy documents demonstrate that we have robust internal controls, which reflects positively on the organization.

  • From a regulatory relationship perspective, it is better to be proactive than reactive. Sharing information voluntarily can prevent escalation.

  • While consent from other entities is courteous, regulatory obligations may override internal coordination requirements.

Suggested Approach: Recommend sharing the requested documents with a brief explanatory note highlighting the company's strong governance framework.