04 — Regulator Letter / Inquiry
Trigger: Official correspondence from a regulator — ESMA, FCA, BaFin, AFM, FIN-FSA, SEC, MAS, VARA, or others. Includes RFI letters, supervisory inquiries, marketing-communication concerns, and formal investigation notices.
First 30 minutes
Regulator letters are the crisis type where the comms team has the least discretion. Counsel leads. Comms supports. The first 30 minutes are about not making mistakes that constrain later options.
- Confirm the letter is real. Phishing-style fake regulator letters happen. Confirm via the regulator’s published contact details, not via the contact in the letter.
- Open the hotline. “Regulator letter received: [authority], [topic in ≤8 words], [type — RFI / supervisory / formal investigation / marketing communication], [response window].”
- Engage counsel immediately. This is the one crisis type where counsel must be involved before any internal discussion of substance. Privilege protections kick in only if counsel is engaged from the start.
- Lock down internal information distribution. Limit the war room to: CEO, head of legal/counsel, head of compliance, and (if marketing-related) head of marketing. Document who knows what, when. Anyone outside this circle who learns about the letter is an information-leak risk.
- Do not communicate externally. No mention to investors, partners, customers, employees, social media, or anyone else until counsel approves. Most regulator letters carry confidentiality expectations or implicit norms.
- Read the letter for response timing requirements. Many regulators specify response deadlines. Calendar them with an internal-deadline buffer.
- Identify what you’re being asked. Information request? Production of documents? Specific marketing change? Cease-and-desist? Each has a different handling profile.
- Begin evidence preservation. From the moment you receive the letter, document-retention obligations may apply. Confirm with counsel whether a litigation hold needs to be issued.
Holding statement template — most cases: no public statement
For most regulator letters — especially RFIs and supervisory inquiries — no public statement is required, expected, or desired. The relationship with the regulator is confidential by default. Public commentary is almost always against your interest.
The internal-only message, if one is needed:
Team —
[ROLE — usually CEO or counsel] is in correspondence with [REGULATOR or "a regulatory
authority"] regarding [GENERIC TOPIC OR "regulatory matters"]. This correspondence is
confidential.
If you are contacted by anyone — press, customers, partners, social-media accounts —
asking about regulatory matters, please refer them to [LEGAL OR COMMS LEAD] without
comment. Do not discuss internally outside the existing channels.
This is standard regulatory engagement and is being handled appropriately.
— [CEO]
Holding statement template — when public disclosure is required or has occurred
When the letter results in mandatory public disclosure (e.g., listed-company disclosure obligations, or the regulator itself publishes the action) or has been leaked publicly:
[TIMESTAMP — UTC]
[COMPANY] has [RECEIVED CORRESPONDENCE FROM / IS IN DISCUSSIONS WITH] [REGULATOR] regarding
[NARROW SUBJECT — counsel-approved language only].
[BRIEF FACTUAL STATEMENT — counsel-drafted; usually some variant of "we are cooperating
fully with the inquiry" or "we are reviewing the matter and will respond in accordance with
applicable timelines"].
[OPERATIONAL CONTINUITY STATEMENT — e.g., "Our operations and services to users continue
normally during this process"].
We will not comment further on this matter [WHILE THE INQUIRY IS ONGOING / BEYOND WHAT IS
DISCLOSED HERE].
— [Company]
Holding statement template — when a regulator-driven action affects users
When the letter results in user-affecting action (delisting required, marketing change required, geofencing required), users need to be informed about the operational change without (necessarily) the regulatory cause:
[TIMESTAMP — UTC]
[USER-AFFECTING CHANGE — e.g., "[ASSET] will no longer be available to users in [REGION]
beginning [DATE]"].
[BRIEF, HONEST FRAMING — counsel-drafted. Often: "This change reflects our compliance with
applicable regulatory requirements"].
[USER ACTION REQUIRED — clear, specific, time-bounded].
— [Company]
What all templates avoid:
- Naming the specific regulation, rule, or article being applied unless counsel approves.
- Disagreement with the regulator’s position publicly. Even if you believe they’re wrong.
- Speculation about cause or context.
- Predictions about outcome.
- Anything that could be characterized as a public response to the regulator.
Stakeholder cascade
Tightly held by default. Expand only when required.
| # | Audience | Channel | Who | Goal |
|---|---|---|---|---|
| 1 | Counsel + CEO | Direct | CEO or compliance lead | Engage privilege; develop response strategy |
| 2 | Compliance team | Direct | Compliance lead | Production / response coordination |
| 3 | Board (if material to the entity) | Phone briefing — counsel-led | Board chair or CEO with counsel | Governance awareness |
| 4 | Auditors / external compliance advisors | If they’re already engaged | Counsel | Coordinated response |
| 5 | Internal — leadership only, narrow | Counsel-approved internal note | CEO | Operational awareness; not detail |
| 6 | Investors / disclosure obligation parties | Counsel-approved statement | CEO with counsel | Compliance with disclosure obligations |
| 7 | Public — only if required or already public | Counsel-drafted | Comms with counsel | Bounded, factual statement |
| 8 | Press | Reactive only, counsel-vetted line | Comms lead | Stay out of trouble |
The cascade is narrow by default. Privilege depends on it. Information that flows wider than necessary loses privilege protections and creates discovery exposure.
Do
- Engage counsel from minute one. Privilege requires it.
- Preserve documents. Litigation hold may apply; confirm with counsel.
- Respond on time. Regulator deadlines are not aspirational; missing them creates worse problems than the original inquiry.
- Document every interaction with the regulator. Calls, meetings, letters, emails. Counsel will want this record.
- Continue normal operations. Visible business-as-usual is reassuring to customers and investors and legally appropriate.
Don’t
- Don’t reply to the regulator without counsel review. Even an acknowledgement letter.
- Don’t disclose the letter publicly. Most regulators expect confidentiality; some require it.
- Don’t discuss outside the privileged circle. Each additional person who knows is potential evidence in future proceedings.
- Don’t tweet about it. Any public comment will be in the regulatory record.
- Don’t make promises to the regulator you can’t keep. Counsel manages this; instinctive over-cooperation often creates problems.
Variants
RFI (Request For Information). Most common type. Standard inquiry; usually resolvable within the response window through cooperative production. Comms posture: silence + continue operations.
Supervisory letter on marketing communications. Specifically marketing-related (the type this product is most directly designed to prevent). Counsel-led but marketing must execute the response — review the flagged assets, update them per regulator guidance, document the changes. Often resolves with a written response and asset updates.
Formal investigation notice. Higher-stakes. Engage specialist regulatory counsel beyond standard counsel. Disclosure obligations may apply. Comms posture: the listed entity / public-facing project may need to disclose; private companies typically do not. Counsel decides.
Cease-and-desist. Time-sensitive. Counsel decides whether to comply, contest, or negotiate. Comms posture: usually no public statement; if any, it follows operational compliance with the order.
Subpoena / production order. Document-production discipline becomes paramount. Privilege review of every produced document. Specialist counsel.
Joint regulator action (multiple jurisdictions). Increasingly common. Coordinate counsel across jurisdictions. Single point of comms contact (no jurisdiction-specific statements that contradict).
24-hour follow-up
- Confirm response timeline is calendared with internal buffer.
- Document the matter in the regulatory file — every regulated entity should have one.
- Brief counsel on operational facts they need to construct the response.
- If marketing assets are implicated, freeze the relevant campaigns until counsel-approved updates are made.
- Schedule recurring check-ins between counsel and CEO until the matter is resolved.
- Consider whether disclosure obligations apply — to investors, to other regulators, to listed-entity reporting if applicable.
A note on the relationship between this template and the Coverage pillar of AI Crypto CMO
The point of running every marketing asset through MiCA / GDPR / cross-jurisdiction pre-flight checks is to make this crisis template the one you reach for the fewest times. The product exists because regulator letters about marketing communications are slow-moving, expensive, and largely preventable. If a subscriber has run their assets through the public and subscriber checks consistently, the universe of marketing-side regulator inquiries shrinks dramatically.
When a letter does arrive, the audit history saved in the subscriber Notion workspace becomes meaningfully useful: every checked asset, with timestamp, verdict, and rule citations. That audit trail is the evidence that the company exercised reasonable diligence — which is most of what regulators want to see in the response.
Cross-references: 05 — Key-Person Event, 06 — Partner Blow-Up, 08 — Withdrawal Pause. The Coverage pillar of the subscription is designed specifically to reduce the frequency of this crisis type.