---
name: regulatory-impact-assessment
description: |
  Drafts a second-line impact assessment for a published rule, supervisory letter, FIL, circular, bulletin, industry letter, adopting release, advisory, supervisory speech, or enforcement theme. Carries two lenses in one artifact: an implementation lens (in-scope determination, obligation domains hit, policy and control impact, reporting and disclosure impact, technology and data impact, third-party impact, customer impact, cost-to-comply read, effective-date posture, transition relief) and a regulatory-strategy lens (firm position, regulator-engagement posture, comment-period posture if any, public consultation posture, peer-and-industry alignment, escalation triggers). Audience is regulatory affairs, head of compliance, head of legal, CRO chief of staff, and the head of business affected. Drafts only; attestation external.

  Best for:
  - A new final rule, supervisory letter, FIL, circular, bulletin, or industry letter has been published and the regulatory-change function needs a firm-impact and strategic-posture read before the issue is logged in the inventory.
  - A proposed rule is in comment period and the firm needs an impact read to support a comment-letter decision and the workplan that runs if the rule finalises.
  - A supervisory priorities letter, regulator speech, or interagency statement has shifted examiner posture and the firm needs to assess where current state may not hold up.
  - An enforcement action or consent order names a peer institution and the firm needs a fast read on whether the same theme applies and what the strategy posture should be.

  Not the right tool when:
  - The rule text has already been parsed and the next step is decomposing the rule into discrete obligations (use rule-to-obligation-extraction).
  - Firm policy text is already drafted and the question is whether it covers the rule (use policy-diff).
  - Gaps are already documented and the next step is sequencing the remediation (use implementation-plan).
  - The engagement is a live exam window and the artifact needed is the engagement playbook (use exam-brief).

argument-hint: "[regulatory source: rule, letter, bulletin, circular, advisory, speech, enforcement theme]"
---

# Regulatory impact assessment

A regulatory item lands. A new final rule. A supervisory letter to the industry. An FIL. A CFPB circular. An NYDFS Industry Letter. An interagency statement. A regulator speech signalling enforcement focus. A consent order against a peer that telegraphs supervisory direction. The second line owes the firm two reads in one artifact: what does this mean for the implementation pipeline, and what does this mean for the firm's regulatory strategy. The implementation read scopes obligation domains, policy impact, control impact, reporting impact, technology and data impact, third-party impact, customer impact, cost-to-comply, transition window, and effective-date posture. The strategy read scopes firm position, regulator-engagement posture, comment-period posture if the rule is still proposed, public consultation posture, peer-and-industry alignment, and the escalation triggers that move the item from regulatory-change inventory to a CRO or board-level decision.

The artifact is a written assessment per `templates/default-output.md` and a structured record per `schemas/regulatory-impact-assessment.schema.json`. Audience is regulatory affairs, head of compliance, head of legal, CRO chief of staff, and the head of the business affected; for a board-level item, the assessment summarises into a board pre-read pulled from the same record. Downstream consumers chain: `rule-to-obligation-extraction` reads the impact assessment to scope the atomic decomposition; `policy-diff` reads the policy-impact section to scope the diff; `implementation-plan` reads the obligation domains, transition window, and cost-to-comply to sequence remediation; `exam-brief` reads the assessment if the item enters the exam window before remediation lands.

The skill stops at draft. The named lead (head of regulatory affairs, head of compliance, or general counsel for the strategy lens) attests. The skill does not opine on whether the rule applies as a matter of law; it names obligations, flags open questions, and routes them to qualified review.

## Ask first

A few things settle before drafting. The conversation surfaces them in the first exchange; if not, default and flag.

- **What is the source, and what kind of source is it.** Final rule, proposed rule, supervisory letter, FIL, circular, bulletin, industry letter, interagency statement, adopting release, advisory, regulator speech, enforcement theme, or consent-order pattern. Source type drives the strategy lens: a final rule with a 24-month transition is a remediation-planning conversation; a proposed rule in a 60-day comment period is a comment-letter conversation first and a remediation-planning conversation second; a regulator speech is an examiner-posture-shift signal more than a hard obligation. Regulator and citation matter for the implementation lens (CFR pin if there is one; SR or bulletin number; FIL number; circular number; Industry Letter date; release number for SEC; advisory number for FinCEN); for a speech or theme, the citation is the speech URL and date or the published consent-order ID.
- **Who is the firm, and what does that mean for in-scope.** Institution type (national bank, state member, state non-member, BHC, savings association, IDI, NCUA-supervised credit union, SEC-registered investment adviser, registered fund, broker-dealer, transfer agent, MSB, state-licensed money transmitter, state-chartered insurer, fintech under sponsor-bank arrangement, foreign-banking-organisation US operations). Primary federal regulators and primary state regulators. Asset thresholds and tier categorisations (Heightened Standards thresholds; Category I-IV under the FRB tailoring framework; CFPB $10B threshold; SEC AUM and accredited-investor thresholds; FinCEN MSB registration thresholds; NAIC RBC tier). Lines of business and product set. Geographies. Cross-border footprint. The institution profile is what the in-scope determination reads against; without it, the assessment defaults to public posture and flags the missing context.
- **Who reads the assessment and what decision is it supporting.** Regulatory affairs reads it for inventory ingest and downstream-skill kickoff. Head of compliance reads it for control-and-policy impact and for the open-question routing. Head of legal reads it for the strategy lens and for the comment-period or engagement decision. CRO chief of staff reads it for the cost-to-comply read and the escalation calls. Head of the business affected reads it for the operating-model and customer-impact view. A board pre-read distils to executive summary, strategy posture, financial impact, and the decision being requested. Audience drives shape; an "impact assessment" without an audience is the failure mode.
- **What is the source posture for this assessment.** Public-only, public-plus-firm-policy, public-plus-firm-policy-plus-evidence, or connector-aware. Public-only assessments stop at obligation domains, control-objective categories, and indicative cost ranges; firm-policy and firm-policy-plus-evidence assessments name policies, named controls, and named systems. The strategy lens runs across all postures but reads sharper with internal context.
- **How time-pressured is the read.** A 48-hour read for a new circular feeds a same-week steering item; a 30-day read for a multi-hundred-page final rule feeds the formal regulatory-change-committee package. Depth, source posture, and the number of open questions all flex against the time budget.

When `scope` is supplied, the skill consumes it for institution, persona, source posture, sector overlay set, and cross-cutting overlay set. When it is not supplied, ask the questions and default to public posture; flag the defaults in the assessment.

## How the assessment gets built

The assessment has the same spine across regulators and source types. The order below is the spine; in practice, sections fill in as the source reads and as questions surface. The structured record sorts itself.

**Source identification.** Regulator (and regulator office or division), instrument type, citation (CFR pin if present; SR, bulletin, FIL, circular, Industry Letter, release, advisory number; speech URL and date for a speech; enforcement order ID for a consent-order-driven theme), publication date, effective date if final, comment-period close date if proposed, transition-period stages if specified, related-instrument cross-references (the proposed rule that preceded the final, the FAQ that updated the bulletin, the speech that signalled the priority). The source-identification block is what the rest of the assessment cites against; an assessment whose source block is thin is an assessment that cannot be honest against its own claims.

**In-scope determination.** Institution-type determination first: does the rule apply to the firm's federal-regulator chartering, state chartering, registration status, threshold tier, or activity. Product determination: which product lines are within the rule's scope. Business-unit determination: which first-line business owners are affected. Geography determination: federal, state-by-state, foreign, cross-border. Threshold determination: where the rule has an asset-size, AUM, transaction-volume, or activity-volume threshold, name it and the firm's read against it. Where the rule does not name a threshold, the in-scope determination says so. Where the rule applies in part (e.g., 1071 partial applicability based on origination volume), the in-scope determination names the part. Where the firm is out of scope, the rationale is one paragraph with the source pin.

**Effective-date posture.** Mandatory compliance date. Phase-in stages with their dates. Transition-period relief if any (and the source pin for the relief). Sunset clauses or contingent provisions. Litigation posture if the rule is under judicial review (a vacatur or stay that affects the effective date). Early-adoption posture: where the firm is considering early compliance to align with peer movement or with internal-policy refresh, the posture is named and the rationale captured. Where the rule's effective date is itself uncertain (contingent on Congressional Review Act, contingent on funding, contingent on agency rulemaking implementation), the assessment says so.

**Impacted obligation domains.** High-level domains the rule touches: BSA/AML, fair lending, UDAAP, model risk, cyber, third-party risk, privacy, consumer protection, prudential, market conduct, market structure, custody, marketing rule, broker-dealer conduct, investment-adviser conduct, fund regulation, insurance market conduct, climate disclosure, AI governance, operational resilience. Existing obligation-inventory references where the impact assessment overlays prior items. The domains are not the obligations themselves (that is the next skill, `rule-to-obligation-extraction`); they are the inventory hooks the impact assessment leaves for the downstream skill to anchor on.

**Policy and procedure impact.** Which firm policies likely need amendment. Each policy entry names the policy area (third-party risk management policy; information security policy; model risk policy; AML CDD procedures; advertising and marketing review procedures), the expected change type (`amendment`, `new policy`, `withdrawal`, `cross-reference update`, `procedure refresh`, `training-content refresh`), and the rationale. The skill does not draft policy language; that is `policy-diff` and the firm's policy authoring process. The skill names the surface area.

**Control and evidence impact.** Control objectives potentially affected (control objective, not control instance), with the expected change type (`new control objective`, `existing control objective re-scoped`, `evidence frequency or depth change`, `testing methodology change`, `monitoring KRI change`). Anticipated evidence gaps: areas where the rule's evidence expectation likely exceeds current state (a new annual attestation requirement, a new board-reporting expectation, a new vendor-evidence requirement, a new model-documentation expectation). The control impact reads alongside the policy impact; together they scope what the implementation pipeline will own.

**Reporting and disclosure impact.** Regulatory reports affected (Call Report schedule changes; FFIEC report-of-examination expectations; SEC filings such as Form ADV, Form N-CSR, Form 10-K cyber disclosure; CFPB HMDA or 1071 reporting; FinCEN BSA reporting; NAIC annual statements; state-DOI filings). Public disclosures affected (privacy notices, adverse-action notices, marketing claims, climate disclosures, AI-use disclosures, cyber-incident disclosures). Board reporting affected (new board-committee items, new MIS expectations, new attestation requirements). Where the rule introduces a new reporting cycle, the cadence and the first-cycle date land here.

**Technology and data impact.** Systems of record affected (core banking, loan origination, deposit operations, claims management, policy administration, trading and execution, custody, transfer-agent systems, model platform, vendor management system). Data lineage implications: which fields, which sources, which retention periods. Model inventory implications: which models, which model-tier categories. Where the rule introduces a new data field (1071 demographic fields), the field-by-field implication reads here. Where the rule introduces a new control-automation expectation (real-time transaction monitoring against a new typology), the technology-build implication reads here.

**Third-party impact.** Vendor arrangements likely affected. Each vendor entry references the arrangement type (critical activity, non-critical activity, sub-contracted, sponsor-bank arrangement, fintech partnership, cloud infrastructure, model vendor, data vendor) and the expected change type (`contract amendment`, `evidence-pack refresh`, `right-to-audit invocation`, `exit-plan refresh`, `new register-of-information entry`, `de-scoping or substitution`). Where the rule alters the firm's posture toward fourth-party visibility, the assessment notes it. Where the rule is itself a third-party-risk rule (June 2023 interagency guidance, DORA), the third-party section is the long section and the rest of the assessment scopes the implementation pattern.

**Customer impact.** Customer-facing changes: communication, disclosure, fee, product, eligibility, complaint-handling, dispute-handling, adverse-action, account-opening, account-closing. Where the rule introduces a new customer right (a new dispute-resolution mechanism), the operational implication for the front line is named. Where the rule alters the customer's evidence burden (a new KYC documentation expectation), the operational implication reads here. Customer impact is named in plain language; the failure mode is technical jargon that obscures the customer touch.

**Financial impact (cost-to-comply).** Implementation cost (one-time): policy and procedure refresh, control build-out, technology change, vendor remediation, training, communication. Ongoing run-rate cost: testing, monitoring, reporting, governance overhead. Indicative ranges with the basis (peer benchmark, vendor estimate, similar prior project). Where the agency's own published cost-and-benefit analysis (the federal-regulatory-analysis convention runs under OMB Circular A-4 and Executive Order 12866; cite the operative version of A-4 in effect when the agency drafted the analysis) provides a baseline, cite it; the firm's read calibrates against the agency's published numbers but does not adopt them as ground truth without firm-side validation. Agency cost estimates routinely diverge from firm-side reads; the assessment names the divergence and the basis. Where the cost-to-comply read is genuinely a low-confidence estimate, the assessment says so. The financial-impact section informs the regulatory-strategy posture and the implementation-plan sequencing; a dishonest cost read undermines both.

**Regulatory-strategy implications.** The strategy lens. Firm position on the rule: support, conditional support, opposition, neutral with operational concerns, no public position. Regulator-engagement posture: industry-association comment letter, firm-direct comment letter, supervisor meeting, formal comment-letter signature, no engagement. Comment-period posture if the rule is proposed: dates, internal owner, draft pathway, board-or-committee approval gate, coordination with industry associations (BPI, ABA, SIFMA, ICI, IAA, ACLI, NAFCU, ICBA, MBA, others). Public consultation posture: testimony, press posture, public statement (rare and counsel-set). Peer-and-industry alignment: where the firm reads the industry consensus, where it diverges, what that divergence implies for engagement strategy. Escalation triggers: thresholds at which the item moves from regulatory-change-committee to CRO, general counsel, executive committee, board risk committee, or full board. The strategy section is what makes this skill different from a generic rule digest; the assessment reads as the second line's view of both the implementation pipeline and the regulator-engagement posture.

**Open legal and business questions.** Items requiring qualified review before the assessment closes. Each question carries the question text, the owner role (legal, compliance, business head, sponsor), and what the question blocks downstream (rule-to-obligation-extraction kickoff, policy-diff scope, implementation-plan sequencing, comment-letter signature, the strategy posture itself). Open questions are routed; an assessment with open questions but no routing is an assessment that drifts.

**Recommended next steps.** Skill-level handoffs: `rule-to-obligation-extraction` for the atomic decomposition; `policy-diff` against the named affected policies; `implementation-plan` for the milestone build-out; `exam-brief` if the item enters an active exam window. Firm-side handoffs: legal review on the strategy lens; finance partnership on the cost-to-comply refinement; head-of-business consultation on the operating-model implication. Each handoff is named with an owner role and a target date.

**Source trace and confidence.** Every material claim about the source, the in-scope read, the impact areas, the cost-to-comply, or the strategy posture cites a source from `references/source-anchors.md`. Unsupported claims are marked `[evidence needed]`. Section references that cannot be confirmed get `[verify section]` rather than being fabricated. The assessment carries a confidence label per section (high / medium / low / unknown); a single overall label hides the variance and is rarely honest. Medium overall is the honest read for most assessments produced in the first 48 hours of a regulatory item; the label tightens as the open questions close.

## Sector and cross-cutting overlays

When the scope names a sector, load the matching overlay in `references/sector-overlays/{banking,insurance,capital-markets,payments-fintech}.md`. The overlay carries the regulator-specific scoping convention, threshold tier semantics, named-policy and named-control patterns, sector-specific cost-to-comply patterns, and sector-specific strategy posture (industry-association alignment, agency-engagement convention, peer-firm patterns). Same pattern for cross-cutting overlays where present (`cyber.md`, `privacy.md`, `climate.md`, `conduct.md`).

The overlay enforces a boundary the generic skill cannot. A banking overlay carries OCC, FRB, FDIC supervisory framing, Heightened Standards thresholds, CRA scoping where relevant, and the federal banking response-letter convention; it does not carry SEC marketing-rule framing. An insurance overlay carries NAIC model-law adoption mechanics (state-by-state effective-date variance) and NYDFS overlays; it does not carry CFPB authority. A capital-markets overlay carries SEC adopting-release mechanics, FINRA rule-filing alignment, Investment Advisers Act Rule 206(4)-7 implications, and the AUM threshold mechanics; it does not carry banking heightened-standards framing. A payments-fintech overlay carries CFPB larger-participant authority, state money-transmitter overlays, and bank-fintech partnership framing.

Load only the overlays the scope flags. Loading none when one applies is the more common failure mode; loading all four for completeness adds noise and dilutes the strategy lens.

## Quality bar

Holds across every assessment. Every material claim about the rule, the in-scope read, the impact area, the cost-to-comply, or the strategy posture cites a source from `references/source-anchors.md` or a loaded overlay by path. Unsupported items carry `[evidence needed]`. Section references that cannot be confirmed get `[verify section]`. Source evidence, vendor or firm management assertion, public-source obligation, generated inference, and open legal question stay distinguishable; the artifact shows the seams. Roles only, never named individuals. No named institutions in narrative beyond a public defendant in a finalised consent order, and only for structural pattern. The skill stops at draft; the named lead attests. The skill does not opine on whether the rule applies as a matter of law.

## Adaptation

Depth scales to the source: a 48-hour read on an FIL is shorter than a 30-day read on a 600-page final rule. Audience drives shape: regulatory affairs runs the operational version; CRO chief of staff and general counsel pull the strategy lens forward; a board pre-read distils to executive summary, strategy posture, financial impact, and decision request. Source posture drives what the assessment can assert at high confidence and what carries `[evidence needed]`. Sector and cross-cutting overlays load from the scope. The strategy lens flexes against the source type: a final rule's strategy lens is sparse on comment-period posture (the comment period is over) and rich on engagement posture; a proposed rule's strategy lens is rich on comment-period posture; a speech's strategy lens is rich on examiner-posture-shift signalling and sparse on comment posture. Where firm-specific policy or named review machinery applies, it lives in `references/firm-overlay.md` and is consumed when present; the assessment itself stays generic.

## Pointers

- `references/source-anchors.md` — citations and excerpts for the named anchors (federal banking, CFPB, SEC and FINRA, NYDFS and state regulators, FinCEN, NCUA, NAIC, OMB Circular A-4, ISO/IEC 42001, NIST AI RMF, federal-register impact-analysis convention).
- `references/sector-overlays/{banking,insurance,capital-markets,payments-fintech}.md` — sector overlays loaded from scope.
- `references/cross-cutting/{cyber,privacy,climate,conduct}.md` — cross-cutting overlays loaded from scope where the rule touches the topic.
- `references/firm-overlay.md` — firm-installed regulator-relationship history, named policy taxonomy, named control taxonomy, named cost-baseline references, internal escalation triggers, named industry-association memberships; consumed when present.
- `templates/default-output.md` — assessment template.
- `schemas/regulatory-impact-assessment.schema.json` — structured-output contract for downstream consumption.
- `examples/` — public-source-derived scenarios.
- `TROUBLESHOOTING.md` — recurring defects in impact assessments.

## Output

Two artifacts: the assessment per `templates/default-output.md`, and the structured record per `schemas/regulatory-impact-assessment.schema.json`. The named lead attests; the assessment is a draft until that step.

Downstream consumers: `rule-to-obligation-extraction` reads `affected_obligation_domains` and `source_citation` to scope the atomic decomposition. `policy-diff` reads `policy_impact` to scope the diff. `implementation-plan` reads `affected_obligation_domains`, `effective_date`, `transition_period`, and `cost_to_comply` to sequence remediation. `exam-brief` reads the assessment when a regulator engages on the item before remediation lands. The schema is the cross-skill contract; additive changes only, never silent renames. Breaking changes ship as a versioned migration with downstream skills told in advance.
