Audits by Regulatory Authorities

Contract Type: NDA

Each party acknowledges that the other party may be subject to audits by regulatory authorities to ensure compliance with applicable laws and regulations. Each party agrees to cooperate fully with the other party in connection with any such audit, including by providing access to any information reasonably required by the regulatory authority to verify compliance with this Agreement, provided that the disclosing party shall use reasonable efforts to limit disclosure of the Confidential Information. The parties shall consult with each other prior to such disclosure to determine if any portion of the Confidential Information is not required to be disclosed for purposes of such audit. Disclosures made in accordance with this section shall not be deemed to violate the confidentiality obligations under this Agreement.

Explanation

This clause addresses the possibility of either party being subject to audits by regulatory bodies to check compliance with relevant laws and regulations. It stipulates:

1) Each party acknowledges that the other may face regulatory audits as part of their normal operations and legal obligations. These audits are to ensure applicable laws and rules are being followed.

2) If an audit occurs, each party agrees to fully cooperate with the other party in the audit process. This includes providing access to any information reasonably required by regulators to verify compliance with the agreement.

3) However, the party disclosing information will make reasonable efforts to limit sharing of confidential information as far as possible. Only information truly needed for the audit should be disclosed.

4) Before any disclosure of confidential information, the parties will consult with each other to determine what specific information is actually required for the audit purposes. Information not required will not be shared.

5) Any disclosures properly made under this clause to facilitate regulatory audits will not be considered breaches of the confidentiality obligations under the agreement. They are permissible disclosures.

The main purposes of including a clause on regulatory audits are:

1) Acknowledging potential disclosure obligations outside of either party's control due to the regulatory environment in which they operate. Confidentiality must accommodate this.

2) Reassuring the other party that any disclosures will be limited to information reasonably necessary and required for legitimate audit purposes as far as possible. Reasonable efforts at minimizing spread of confidential details will be made.

3) Providing transparency about if and when any confidential information may need to be shared with regulatory authorities to verify compliance. No surprises or unauthorized disclosures.

4) Ensuring proper consultation to determine precisely what information needs to be disclosed for a specific audit before any details are shared. Only required information will be revealed.

5) Confirming that good faith disclosures under the clause will not amount to breaches of confidentiality under the agreement. They are permitted derogations for proper regulatory purposes.

In summary, the overall aims of the clause are facilitating essential transparency and cooperation around audits and information requests from regulatory authorities, while still safeguarding confidential details as far as reasonably possible through consultation and restricted sharing.

History of the clause (for the geeks)

Early confidentiality agreements typically made no allowance for disclosures required due to regulatory compliance obligations. They focused solely on limiting sharing of confidential information between the parties to the contract.

However, this rigid approach failed to account for the realities of increased regulation and oversight across industries, which made some external disclosures inevitable and even mandatory.

As regulation intensified in areas like data privacy, healthcare and finance through the late 20th century, obligations around audits, compliance reporting and responding to regulator requests for information grew more onerous. Failing to cooperate with legitimate requests due to confidentiality agreements risked legal penalties and damaged relationships with authorities. It became clear that exceptions were needed for required regulatory disclosures.

Courts also began viewing agreements that made no such exceptions as potentially unenforceable for vagueness or illegality. Certain disclosures were reasonably foreseeable from the outset as essential to legal compliance, despite confidentiality, especially for parties operating in heavily regulated spheres. Contracts seen as directly conflicting with laws or preventing vital compliance cooperation faced challenges.

In response, exceptions for disclosures legally required by regulators and government/law enforcement bodies became commonplace in confidentiality agreements. Provisions emerged allowing information sharing "to the extent required by law" or stipulating cooperation with regulators subject to using "reasonable efforts" to limit disclosures to what was truly necessary. Standard clauses developed as guidance for parties.

However, regulators themselves pushed for greater transparency around the handling of information. Vague exceptions for disclosures "required by law" provided little reassurance that only the minimum information would be shared, or that confidential data would be responsibly protected and used only for its intended purposes. More detailed clauses evolved stipulating: acknowledgment of regulatory powers to request data, commitment to fully cooperate within confidentiality obligations, consultation to determine necessity of requests, and use/disclosure limited strictly to facilitating compliance.

Today, regulatory audit and disclosure provisions aim for a balanced but transparent approach to confidentiality in compliance-focused contexts. Certain standard expectations exist around acknowledging regulatory relationships, cooperating with requests subject to checks around necessity and proportionality, securing consent where possible, and limiting onward use of information.

However, significant tailoring also still occurs to suit specific laws, regulators and commercial/contractual facts. The historical trend has been toward recognizing disclosures as inevitable in some situations but managing them in a way that, as far as possible, holds true to the overarching principles of confidentiality and data responsibility enshrined in agreements.