Professional Services: Standards and Regulatory Reference
Professional services in the United States operate under a layered regulatory system involving federal agencies, state licensing boards, self-regulatory organizations, and industry-developed compliance frameworks. This page provides a structural overview of that landscape, organized by regulatory level and cross-referenced to the professional verticals covered by the Authority Industries division.
Federal Regulators
Several federal agencies exercise oversight over professional service industries. Their jurisdiction varies by sector, and in many cases, federal regulation operates alongside — rather than instead of — state-level licensing and oversight.
Securities and Exchange Commission (SEC)
The SEC regulates securities markets, investment advisers, broker-dealers, and public company financial reporting. It enforces the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
Financial Industry Regulatory Authority (FINRA)
FINRA is a self-regulatory organization, registered with and overseen by the SEC under the Securities Exchange Act, that supervises broker-dealers and their registered representatives. It administers qualification examinations (Series 7, Series 63, etc.) and operates the BrokerCheck public disclosure database.
Federal Trade Commission (FTC)
The FTC enforces consumer protection and antitrust laws across industries. Its jurisdiction touches professional services through advertising regulation, data privacy enforcement, and unfair business practices oversight. The FTC also enforces the Health Breach Notification Rule and various industry-specific trade regulation rules.
Consumer Financial Protection Bureau (CFPB)
The CFPB regulates consumer financial products and services, including mortgage lending, student loans, credit reporting, and debt collection. It exercises authority under the Dodd-Frank Act over financial institutions and service providers.
Centers for Medicare & Medicaid Services (CMS)
CMS administers Medicare, Medicaid, and the Children's Health Insurance Program. It establishes conditions of participation for healthcare providers, manages provider enrollment, and enforces billing and coding compliance requirements.
Department of Health and Human Services (HHS)
HHS oversees public health policy and administers HIPAA privacy and security rules through its Office for Civil Rights. It also houses agencies such as the FDA, CDC, and SAMHSA, each of which affects specific healthcare professional verticals.
Department of Justice (DOJ)
The DOJ enforces federal criminal law, antitrust law, and civil rights statutes as they apply to professional services. Its Antitrust Division has brought enforcement actions in healthcare, real estate, and legal services markets. The DOJ also oversees the Executive Office for Immigration Review, which regulates immigration law practice.
State Licensing and Regulatory Bodies
Most professional services licensing in the United States is administered at the state level. Each state maintains its own licensing boards, commissions, and regulatory agencies. Common state-level bodies include:
Bar Associations and Attorney Regulation
Each state's highest court, acting through a bar association or equivalent admissions and disciplinary body, governs attorney admission, professional conduct, and disciplinary proceedings. Most states require passage of the Uniform Bar Examination (UBE) or a state-specific bar exam, along with a character and fitness review.
State Insurance Commissions
Every state and territory has an insurance commissioner or department of insurance that licenses insurance producers, regulates rates, approves policy forms, and handles consumer complaints. The National Association of Insurance Commissioners (NAIC) coordinates model laws across jurisdictions.
Real Estate Commissions
State real estate commissions license real estate brokers and salespersons, establish continuing education requirements, and enforce professional conduct standards. Licensing requirements — including examination content, experience thresholds, and reciprocity agreements — vary significantly by state.
Health Departments and Medical Boards
State health departments oversee facility licensing, public health enforcement, and vital records. State medical boards license physicians, physician assistants, and other health professionals, and administer disciplinary proceedings for professional misconduct.
Other Professional Licensing Boards
States maintain separate licensing boards for numerous other professions, including accountancy (CPA boards), engineering, architecture, and various counseling and therapy professions. The Council on Licensure, Enforcement and Regulation (CLEAR) serves as a clearinghouse for information on professional and occupational regulation.
Industry Compliance Frameworks
Beyond government regulation, professional service industries operate under various standards frameworks developed by standards bodies, industry consortia, and federal agencies. Key frameworks include:
NIST Cybersecurity Framework (CSF)
Published by the National Institute of Standards and Technology, the CSF provides a risk-based approach to managing cybersecurity risk. Voluntary by design, it has nonetheless become a de facto baseline for cybersecurity programs in financial services, healthcare, and government contracting, and is frequently written into contracts and regulatory guidance by reference. NIST CSF 2.0 was released in February 2024.
PCI Data Security Standard (PCI-DSS)
The PCI Security Standards Council publishes PCI DSS, which governs the handling of payment card data. It is not a statute; compliance is imposed contractually by the card brands and acquiring banks on any organization that processes, stores, or transmits cardholder data, affecting financial services, hospitality, real estate, and healthcare organizations that accept card payments.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA establishes national standards for the protection of health information. The Privacy Rule and Security Rule apply to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates. Enforcement is handled by the HHS Office for Civil Rights, with state attorneys general also empowered to bring civil actions under the HITECH Act.
Sarbanes-Oxley Act (SOX)
SOX establishes corporate governance and financial reporting requirements for publicly traded companies. It affects financial services firms, accounting practices, and legal counsel involved in public company compliance. The Public Company Accounting Oversight Board (PCAOB) oversees audit firms under SOX authority.
Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense developed CMMC to assess and certify the cybersecurity posture of defense contractors. CMMC 2.0 establishes three certification levels and affects professional service firms — including IT, consulting, and engineering firms — that handle controlled unclassified information (CUI) in defense contracts.
ITIL (Information Technology Infrastructure Library)
ITIL is a set of practices for IT service management originally published by Axelos and now owned and published by PeopleCert, which acquired Axelos in 2021. While not a regulatory requirement, ITIL certification is widely referenced in digital transformation and IT professional services as a competency framework for service delivery.
How Regulation Varies by Vertical
The degree and type of regulatory oversight differs substantially across professional service sectors:
| Vertical | Primary Regulatory Level | Key Frameworks |
|---|---|---|
| Financial services | Federal + state | SEC, FINRA, SOX, Dodd-Frank |
| Legal services | State (primary) | State bar rules, ABA model rules |
| Health services | Federal + state | HIPAA, CMS, state medical boards |
| Insurance | State (primary) | State insurance codes, NAIC models |
| Real estate | State (primary) | State licensing laws, RESPA |
| Cybersecurity | Federal + contractual | NIST CSF, CMMC, state breach laws |
| Digital transformation | Varies by sector served | Depends on client industry |
| Hospitality | State + local | Health codes, liquor licensing, ADA |
| Training/workforce | Federal + state | DOL, state education agencies |
In general, professions with direct consumer risk (healthcare, legal, financial) face the most stringent licensing requirements. Professions that are newer or more technology-oriented (cybersecurity, digital transformation) are more commonly governed by contractual frameworks and voluntary standards rather than occupational licensing.
References
- U.S. Securities and Exchange Commission: https://www.sec.gov/
- FINRA: https://www.finra.org/
- Federal Trade Commission: https://www.ftc.gov/
- Consumer Financial Protection Bureau: https://www.consumerfinance.gov/
- Centers for Medicare & Medicaid Services: https://www.cms.gov/
- U.S. Department of Health and Human Services: https://www.hhs.gov/
- U.S. Department of Justice: https://www.justice.gov/
- National Association of Insurance Commissioners: https://content.naic.org/
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- PCI Security Standards Council: https://www.pcisecuritystandards.org/
- HHS HIPAA Information: https://www.hhs.gov/hipaa/
- PCAOB (Sarbanes-Oxley Audit Oversight): https://pcaobus.org/
- CMMC Program (Department of Defense): https://dodcio.defense.gov/CMMC/
- Council on Licensure, Enforcement and Regulation: https://www.clearhq.org/