CISI Global Financial Compliance: Law vs Regulation (How They Work Together)

Clear exam-focused explanation of law vs regulation, enforcement, and where compliance obligations come from in CISI Global Financial Compliance.

Compliance officers work with a mix of “hard” legal requirements and “softer” standards that still drive real behaviour. In day-to-day practice, you may follow a regulator’s rulebook, an industry code, and your firm’s internal policies—all while staying within the boundaries set by legislation.

In the CISI Global Financial Compliance exam, candidates are often assessed on whether they can distinguish law from regulation and explain how both create enforceable expectations. Understanding this interaction helps you answer scenario questions about accountability, enforcement, and the consequences of breaches.

This lesson shows how the compliance “stack” is built: from statutes to supervisory rules and down to internal codes of conduct, including how ethical expectations often go beyond the minimum legal position.

Where this topic sits inside CISI Global Financial Compliance

This topic belongs to the international regulatory environment foundation. It supports later learning on principles vs rules, self-regulation, and extra-territorial regimes (e.g., data protection, market integrity, financial crime and tax reporting), because each of those areas blends legislation with regulatory rules and guidance.

The concept explained in plain English

Law is established by a recognised authority (typically government/legislature) and enforced through courts or formal legal processes. Breaching the law can lead to criminal penalties, civil liability, fines, or other sanctions.

Regulation is the system of rules, standards, and supervisory expectations that govern how firms behave in financial markets: conduct standards, conflicts management, treating customers fairly, suitability, disclosures, and stability-related requirements. Regulations are often issued and enforced by supervisory authorities empowered by legislation.

In short: legislation creates the framework and powers; regulators create and enforce detailed requirements within that framework; industry and internal codes often raise the bar further to embed integrity and ethical conduct.

How it works step-by-step

  1. Legislation establishes the architecture: it defines who is regulated, what activities require authorisation, and what enforcement powers exist.
  2. Regulators issue rulebooks and standards: these specify conduct and prudential expectations for firms and individuals.
  3. Market conventions and codes fill practical gaps: industry bodies may publish best practices to standardise behaviour.
  4. Firms translate requirements into internal controls: policies, procedures, training, surveillance, monitoring, and reporting lines.
  5. Enforcement and discipline occur at multiple levels: courts for legal breaches; regulators for rule breaches; employers for internal code violations.

Practical examples

  • Primary legislation: sets up a regulator and grants it powers to authorise firms and impose sanctions.
  • Regulatory rules: specify how firms should manage conflicts, give suitable advice, and disclose information.
  • Industry code: an association may publish guidance on best execution practices that members adopt contractually.
  • Internal code of conduct: can prohibit accepting gifts above a low threshold even if not illegal, to protect integrity.

Exam focus: how this is tested

  • Definitions: law vs regulation; identify which is which in a scenario.
  • Sources of obligations: primary legislation, regulator rules/standards, market conventions, industry codes, internal codes.
  • Ethics: explain why internal/industry codes may go beyond legal minimums.
  • Accountability: who enforces what (courts vs regulators vs firms).

Common pitfalls and how to avoid them

  • Pitfall: Assuming “not illegal” equals “compliant.” Avoid: Remember regulatory and internal standards can be stricter.
  • Pitfall: Forgetting market conventions/codes are sources of standards. Avoid: Include them when asked about sources of compliance.
  • Pitfall: Over-claiming one country’s model applies everywhere. Avoid: Use the principle, then add “verify local implementation.”

Self-test (original questions)

  1. Question: What is the main role of legislation in financial services?
    Answer: To create the legal framework and powers for regulation.
    Explanation: It establishes scope, authorities, and enforceable obligations.
  2. Question: Give three sources of compliance standards besides law.
    Answer: Regulator rules, industry codes, internal codes.
    Explanation: Compliance is built from multiple layers of standards.
  3. Question: Who typically enforces laws: courts or regulators?
    Answer: Courts (though regulators may investigate and refer).
    Explanation: Legal breaches are ultimately determined through legal processes.
  4. Question: True/False: Internal codes always match the minimum legal requirement and never go beyond.
    Answer: False.
    Explanation: Firms often set higher ethical expectations to protect reputation.
  5. Question: What does “regulation” typically focus on in markets?
    Answer: Conduct standards, conflicts, suitability, disclosures, and stability.
    Explanation: It sets behavioural/outcome expectations for firms and individuals.
  6. Question: Why might a firm adopt rules stricter than the law?
    Answer: To manage reputational risk and support consistent ethical behaviour.
    Explanation: Trust and integrity are competitive and risk controls.
  7. Question: What is a “market convention”?
    Answer: A commonly accepted market practice that guides behaviour.
    Explanation: It standardises conduct even where detailed rules are limited.
  8. Question: In a scenario, an action isn’t illegal but breaches a regulator rulebook. Is it a compliance issue?
    Answer: Yes.
    Explanation: Regulatory breaches can lead to sanctions even without criminality.

Note for candidates in Abu Dhabi

When preparing for the CISI Global Financial Compliance exam in Abu Dhabi, create a one-page “compliance sources map” you can revisit weekly: legislation → regulator rules/standards → industry codes → internal policies. This helps in multiple-choice questions where you must identify the correct source of an obligation. Use short daily sessions (20–30 minutes) to rewrite definitions in your own words, then do scenario drills that ask: “Is this law, regulation, or internal policy?” For booking and ID requirements, avoid assumptions and verify the latest steps with CISI and/or the exam provider before scheduling.

FAQs

Q1: Is regulation always created by government?
No. Regulators act under government-given powers, but industry bodies and firms also create codes and standards.

Q2: Can a firm be sanctioned for breaching a regulator rule even if no law was broken?
Yes. Regulatory breaches can lead to fines, restrictions, or licence impacts.

Q3: Are codes of practice legally binding?
Sometimes indirectly—through contracts, membership terms, or regulatory expectations; verify specifics by jurisdiction.

Q4: Why do internal codes matter for compliance?
They operationalise obligations and set expected behaviour for staff.

Q5: What is the relationship between ethics and compliance?
Ethics supports good judgement where rules are not explicit, especially in principles-based environments.

Q6: What are “rules and standards issued by supervisors”?
Regulatory requirements published by competent authorities (e.g., rulebooks, guidance, standards).

Q7: Do market conventions replace regulation?
No. They supplement and standardise practice within the boundaries set by law and regulation.

Q8: How should I answer “sources of compliance obligations” in the exam?
List multiple layers and provide one example for each.

Next step

For structured coverage of the full regulatory environment in CISI Global Financial Compliance, follow Tadawul Academy’s lesson plan in our Global Financial Compliance course and practise application questions on www.TadawulExams.com.

About Tadawul Academy
Tadawul Academy provides CISI-aligned learning paths, exam practice support, and compliance-focused explanations designed for busy professionals.

Disclaimer
Always verify exam rules, pass marks, and booking steps with the official CISI syllabus and exam provider.

Quick Quiz

  1. Which source most directly creates a regulator’s powers?
    • A. Market convention
    • B. Primary legislation
    • C. Internal code
    • D. Industry newsletter
  2. A firm bans certain gifts even though the law is silent. This is best described as:
    • A. A statutory offence
    • B. A market manipulation rule
    • C. An internal code going beyond legal minimums
    • D. A court judgement
  3. Regulatory standards commonly cover:
    • A. Weather risk forecasts
    • B. Proper conduct, conflicts, and suitability
    • C. Personal lifestyle choices outside work
    • D. Corporate branding guidelines

Answers

  • 1: B
  • 2: C
  • 3: B