Hassan Zebdeh, Financial Crime and Payment Advisor at Eastnets, outlines how banks can achieve stronger compliance outcomes by embracing more efficient, connected ways of working. 

Compliance has become one of the most resource-intensive functions inside modern banks. Year after year, institutions invest more people, more technology and more time into meeting expanding regulatory expectations, yet many find themselves no closer to achieving meaningful reductions in risk. Or cost. 

At the same time, financial crime is evolving daily, payments are moving in real time and regulators are increasingly focused on outcomes rather than process. While effort may increase, effectiveness doesn’t always follow suit. The systems and processes that once supported compliance in a pre-AI age are now being stretched to their limits, revealing a widening gap between what institutions put in and what they get back. 

This growing imbalance raises a critical question for the industry: how financially sustainable is the current approach to compliance, and what needs to change if banks are to keep pace with risk and regulation? 

The growing strain on compliance

Regulatory compliance can now account for more than 13% of operating costs, yet many banks continue to struggle with the same operational challenges. For most, rising spend has become the default setting for keeping up with regulatory obligations, rather than a reliable way to improve how risk is managed in practice. 

Part of the challenge lies in how compliance has evolved. In recent years alone, banks have had to absorb a wave of new and evolving requirements – from the EU’s AML Package and DORA’s operational obligations to global FATCA/CRS reporting deadlines and many other regulations globally. The response to these changes has often involved layering new controls, systems and processes onto existing ones, adding complexity without fundamentally rethinking how compliance has changed. 

The result is an environment that’s increasingly fragmented and difficult to scale. Compliance teams are expected to deliver faster detection, clearer auditability and stronger risk differentiation, while still relying on operating systems shaped by outdated processes and disconnected data. And yet, a single alert can take anywhere up to 22 hours to action – while some instant payments schemes require decisions in seconds, other nations still operate within minutes or longer. Sanctions lists are also changing, with the Office of Foreign Assets Control (OFAC) imposing sanctions on [https://”/]over 1,300 individuals and entities in 2025 alone, with this likely to double in 2026​. Banks are having to manage risk continuously, even as they attempt to modernise operations that were never designed for today’s pace, landscape or scale. 

Making matters harder, many firms are struggling to find and retain professionals with the right mix of legal, technical and operational expertise to work on these older platforms too. Experienced professionals are retiring en-masse, while nearly half of the new entrants lack the right experience needed to step into these roles effectively. Then again, why would the modern workforce want to work on outdated systems when they can choose new, more agile players within the industry? 

Taken together, this all culminates into a costly endeavour. There is little being done on a broader scale to address the underlying mismatch between rising complexity and operational capacity. Therefore, to keep pace with risk and regulation, we need an entirely different approach; one that focuses more on how compliance is designed, connected and executed. 

Reimagining compliance for a real-time world

For banks willing to rethink how compliance operates, this moment presents a clear opportunity to not only strengthen oversight, but to escape a cycle of rising cost and diminishing returns. As regulatory expectations rise and financial infrastructure accelerates, institutions have a chance to move beyond reactive expansion and build compliance frameworks that are both more effective and more economically sustainable. 

An efficiency-driven compliance framework is central to breaking this cycle. Rather than increasing headcount or layering new processes each time risk or regulation evolves, the focus needs to be on improving how compliance work is performed. By reducing duplication and allowing better decision-making at scale, efficiency helps banks contain costs while improving outcomes, addressing the root cause of the compliance cost trap. The question becomes; how can organisations unlock these improvements? In practice, this shift is anchored in four core capabilities that together redefine modern compliance. 

First, automation helps decouple compliance effectiveness from both headcount growth and large-scale system change. By streamlining the likes of data collection, enrichment and alert handling on top of existing environments, automation reduces manual effort without requiring a full ‘rip and replace’ approach of legacy platforms. This lowers the cost of day-to-day compliance activity while improving consistency and investigation speed. 

Next, risk-based approaches make sure resources are applied where they make the most difference. In practice, this means deeper scrutiny for higher-risk customers, geographies or transaction patterns, while allowing faster, lighter-touch processing for low-risk activity. With AI models and agents, banks can learn from historical patterns, detect subtle anomalies and adapt to evolving fraud and financial crime typologies, using a risk-based approach to automatically reduce false positives. But by tailoring controls to actual exposure, institutions can improve outcomes while reducing unnecessary operational burden. 

The third capability is streamlined reporting. This can be a time-consuming component of compliance, but automated, standardised reporting helps institutions meet regulatory obligations more efficiently, particularly across jurisdictions. By producing consistent, explainable and audit-ready outputs, financial institutions can reduce the recurring cost of manual reconciliation, remediation and regulatory engagement – all while strengthening compliance confidence. 

Finally, interoperability underpins efficiency. Compliance systems rarely operate in isolation and replacing them outright is too costly and disruptive. Interoperable environments, however, allow institutions to modernise incrementally – connecting existing systems, eliminating duplication and extending the value of current investments – without downtime or operational risk. 

Together, these four capabilities help shift compliance away from perpetual cost growth and toward a more stable, scalable model. Efficiency simply becomes the next frontier. Not as a shortcut, but as the mechanism through which banks strengthen defences, control costs and remain resilient in an increasingly demanding regulatory environment. 

Escaping the cost trap

As regulation becomes more outcome-focused and financial crime continues to evolve, banks are being pushed to reconsider not how much they spend on compliance, but how effectively that investment is put to work. 

Efficiency now represents the next frontier of compliance. And those institutions that rethink how compliance is designed, connected and scaled will be better positioned to strengthen defences, control cost growth and respond faster to change.  

The opportunity ahead is to move compliance beyond perpetual expansion and toward purposeful design. For banks, regulators and the wider financial ecosystem, the objective is clear: build compliance frameworks that are fit for the future, resilient by default and capable of keeping pace with risk – all without letting cost become the limiting factor. 

by Manuel Sanchez, Information Security and Compliance Specialist, iManage

For decades, cybersecurity centered around prevention. Build the right walls around your perimeter, deploy the right tools, train your people not to click the wrong links, and you could keep the bad actors out.

Today, the question driving security strategy is no longer “how do we stop a breach?” but “how do we survive one?” It is a subtle but profound shift in philosophy, and it is reshaping everything from how IT and Security leaders structure their teams to how they select their vendors and deploy AI.

Rehearsing for the worst

The practical expression of this shift is visible in how security teams are being restructured. Organisations are establishing dedicated disaster recovery teams – not to prevent incidents, but to contain and recover from them when they occur. These teams maintain detailed, regularly updated playbooks covering everything from backup restoration to stakeholder communications, with roles pre-assigned and procedures rehearsed well in advance.

In many ways, this mirrors the logic behind disaster drills: fire alarms matter, but knowing the evacuation routes and the post-incident recovery plan determines how well an organisation survives. Critically, responsibility cannot rest with the CISO alone. Business continuity after a cyber incident is a whole-company challenge – which means every core part of the organisation is involved to sustain critical business operations.

Governance in the gray areas

Running alongside this shift is a governance crisis that is easy to underestimate until it becomes a serious risk. As organisations adopt more applications across more vendors and hosting services, the shared responsibility model that was supposed to keep cloud accountability clear has become increasingly difficult to enforce.

The sheer volume of cloud applications in use at any given enterprise is too vast for consistent governance under current approaches – and bad actors have become skilled at identifying exactly where vendor responsibility ends, and customer accountability begins, then operating precisely in that “gray area”. Being aware of this risk and putting preventative measures in place is important, but recognising the role these cloud applications play and the impact to key business operations if these applications were compromised, is critical.

Meanwhile, data volumes continue to grow exponentially, and unstructured data continues to accumulate in the background across many digital systems. Why is this important? If you don’t know what data you have, where it is stored, who has access to it, and, most importantly, how it is protected – onsite or cloud backup – this makes the recovery process a lot harder.

AI agents on the rise – and with it new risks

Although the focus of this article is on resilience, prevention must still remain an essential part of your defences. On that front, the accelerating adoption of autonomous AI in cyber defence tasks is reshaping security operations as visibly as anything else happening in the field right now. The volume, speed, and sophistication of modern threats have simply outpaced what human analysts can manage in real time.

The shift is toward AI that doesn’t just flag anomalies for human review, but actively detects, analyses, and neutralises threats as they emerge, even using predictive models to anticipate attacks before they fully materialise. This frees human experts to focus on strategic decisions and complex defence work rather than spending their days firefighting.

Autonomous AI does, however, introduce risks of its own. When AI agents operate across systems – accessing sensitive repositories, triggering actions, sharing data – they expand the attack surface in ways that aren’t always immediately visible.

Managing the digital identities of AI agents, much like managing employee access credentials, is becoming a critical security discipline. Accordingly, comprehensive traceability frameworks that log every action an agent takes are no longer optional; they are the foundation of responsible AI deployment in any security context.

The supply chain wake-up call

The case for moving from a “prevention” mindset to a “resilience” one is further bolstered by recent high-profile breaches via compromised managed service providers, which have forced a fundamental reset in how organisations evaluate their vendors.

The era of cost-first selection is over. Security credentials, demonstrated through continuous and verifiable evidence, are now non-negotiable for any provider hoping to retain enterprise clients – and what organisations are demanding goes well beyond point-in-time audits. They want real-time visibility into every third-party integration, every software update, and every vendor interaction – including the cloud services the vendors themselves use.

“Trust but verify” has become the operational standard, and providers who cannot demonstrate validated controls and live monitoring are finding themselves out of contention. It is a structural shift that will reshape the vendor landscape considerably — and it is already underway.

A new era demands a new approach

In the end, prevention still matters, but resilience – instilled via the key focus areas above – is what turns disruption into survivable events rather than existential crises. The organisations that are honest about the limits of prevention and embrace the shift towards resilience won’t just better withstand the next wave of attacks – they’ll be differentiating themselves from competitors still clinging to yesterday’s playbook.

Rasha Abdel Jalil, Director of Financial Crime & Compliance at Eastnets, discusses the operational and strategic shifts needed to stay ahead of regulatory compliance in 2025 and beyond.

As we move through 2025, financial institutions face an unprecedented wave of regulatory change. From the EU’s Digital Operational Resilience Act (DORA) to the UK’s Basel 3.1 rollout and upcoming PSD3, the volume and velocity of new requirements are constantly reshaping how banks operate.

But it’s not just the sheer number of regulations that’s creating pressure. It’s the fragmentation and unpredictability. Jurisdictions are moving at different speeds, with overlapping deadlines and shifting expectations. Regulators are tightening controls, accelerating timelines and increasing penalties for non-compliance. And for financial compliance teams, it means navigating a landscape where the goalposts are constantly shifting.

Financial institutions must now strike a delicate balance: staying agile enough to respond to rapid regulatory shifts, while making sure their compliance frameworks are robust, scalable and future-ready.

The new regulatory compliance reality

By October of this year, financial institutions will have to navigate a dense cluster of regulatory compliance deadlines, each with its own scope, jurisdictional nuance and operational impact. From updated Common Reporting Standard (CRS) obligations, which applies to over 100 countries around the world, to Australia’s new Prudential Standard (CPS) 230 on operational risk, the scope of change is both global and granular.

Layered on top are sweeping EU regulations like the AI Act and the Instant Payments Regulation, the latter coming into force in October. These frameworks introduce new rules and redefine how institutions must manage data, risk and operational resilience, forcing financial compliance teams to juggle multiple reporting and governance requirements. A notable development is Verification of Payee (VOP), which adds a crucial layer of fraud protection for instant payments. This directly aligns with the regulator’s focus on instant payment security and compliance.

The result is a compliance environment that’s increasingly fragmented and unforgiving. In fact, 75% of compliance decision makers in Europe’s financial services sector agree that regulatory demands on their compliance teams have significantly increased over the past year. To put it simply, many are struggling to keep pace with regulatory change.

But why is it so difficult for teams to adapt?

The answer lies in a perfect storm of structural and operational challenges. In many organisations, compliance data is trapped in silos spread across departments, jurisdictions and legacy platforms. Traditional approaches – built around periodic reviews, static controls and manual processes – are no longer fit for purpose. Yet despite mounting pressure, many teams face internal resistance to changing established ways of working, which further slows progress and reinforces outdated models. Meanwhile, the pace of regulatory change continues to accelerate, customer expectations are rising and geopolitical uncertainty adds further complexity.

At the same time, institutions are facing a growing compliance talent gap. As regulatory expectations become more complex, the skills required to manage them are evolving. Yet many firms are struggling to find and retain professionals with the right mix of legal, technical and operational expertise. Experienced professionals are retiring en-masse, while nearly half of the new entrants lack the right experience needed to step into these roles effectively. And as AI tools become more central to investigative and decision-making processes, the need for technical fluency within compliance teams is growing faster than organisations can upskill. This shortage is leaving compliance teams overstretched, under-resourced and increasingly reliant on outdated tools and processes.

Therefore, in this changing environment, the question suddenly becomes how can institutions adapt?

Staying compliant in a shifting landscape

The pressure to adapt is real, but so is the opportunity. Institutions that reframe compliance as a proactive, technology-driven capability can build a more resilient and responsive foundation that’s now essential to staying ahead of regulatory change.

This begins with real-time visibility. As regulatory timelines change and expectations rise, institutions need systems that can surface compliance risks as they emerge, not weeks or months later. This means adopting tools that provide continuous monitoring, automated alerts and dynamic reporting.

But visibility alone isn’t enough. To act on insights effectively, institutions also need interoperability – the ability to unify data from across departments, jurisdictions and platforms. A modern compliance architecture must consolidate inputs from siloed systems into a unified case manager to support cross-regulatory reporting and governance. This not only improves accuracy and efficiency but also allows for faster, more coordinated responses to regulatory change.

To manage growing complexity at scale, many institutions are now turning to AI-powered compliance tools. Traditional rules-based systems often struggle to distinguish between suspicious and benign activity, leading to high false positive rates and operational inefficiencies. AI, by contrast, can learn from historical data to detect subtle anomalies, adapt to evolving fraud tactics and prioritise high-risk alerts with greater precision.

When layered with alert triage capabilities, AI can intelligently suppress low-value alerts and false positives, freeing up human investigators to focus on genuinely suspicious activity. At the more advanced stages, deep learning models can detect behavioural changes and suspicious network clusters, providing a multi-dimensional view of risk that static systems simply can’t match.

Of course, transparency and explainability in AI models are crucial. With regulations like the EU AI Act mandating interpretability in AI-driven decisions, institutions must make sure that every alert or action taken by an AI system is auditable and understandable. This includes clear justifications, visual tools such as link analysis, and detailed logs that support human oversight.

Alongside AI, automation continues to play a key role in modern compliance strategies. Automated sanction screening tools and watchlist screening, for example, help institutions maintain consistency and accuracy across jurisdictions, especially as global lists evolve in response to geopolitical events.

Similarly, customisable regulatory reporting tools, powered by automation, allow compliance teams to adapt to shifting requirements under various frameworks. One example is the upcoming enforcement of ISO 20022, which introduces a global standard for payment messaging. Its structured data format demands upgraded systems and more precise compliance screening, making automation and data interoperability more critical than ever.

This is particularly important in light of the ongoing talent shortages across the sector. With newer entrants still building the necessary expertise, automation and AI can help bridge the gap and allow teams to focus on complex tasks instead.

The future of compliance

As the regulatory compliance landscape becomes more fragmented, compliance can no longer be treated as a tick-box exercise. It must evolve into a dynamic, intelligence-led capability, one that allows institutions to respond to change, manage risk proactively and operate with confidence across jurisdictions.

To achieve this, institutions must rethink how compliance is structured, resourced and embedded into the fabric of financial operations. Those that do, and use the right tools in the process, will be better positioned to meet the demands of regulators today and in the future.