Why traditional compliance strategies no longer work: insights from the Global RegTech Summit

Financial institutions face an unrelenting pace of regulatory change.

Michael Rasmussen, a recognised expert in governance, risk and compliance, has noted that firms encounter hundreds of regulatory updates each business day, originating from over a thousand regulators worldwide. For many banks, the response remains frustratingly reactive: teams scrambling to interpret new rules, update policies and submit reports under tight deadlines. The result? Compliance becomes a brake on progress rather than a strategic enabler.

At the Global RegTech Summit USA 2025 in New York, Diana Paredes, CEO and co-founder of Suade, joined a panel discussion titled "Reg Change in the Financial Sector: Navigating the Evolving Regulatory Landscape."

Alongside Jeff Smith, Chief Compliance Officer at a major financial institution, Jeffrey Himstreet, Vice President and Senior Counsel at MFA, and Corey Carpenter, Director of Product Management at Archer Integrated Risk Management, Diana explored how regulatory change is reshaping compliance and risk functions, and what institutions must do to stay ahead.

This article distils the key insights from that conversation. You'll learn why traditional compliance strategies are no longer sufficient, how technology and data quality underpin effective risk management, and what practical steps senior leaders can take to build resilient compliance programmes that look forward rather than backward. Whether you're a compliance officer at a mid-sized bank, a chief risk officer at a global institution, or a regulator exploring how technology can improve oversight, these insights matter now more than ever.

Shifting from reactive compliance to proactive strategy

The panel opened with a simple question: how can financial institutions move beyond reactive compliance?

Diana highlighted a structural issue that many organisations overlook: workforce preparedness. Regulatory technology and automation are advancing rapidly, but if teams lack the skills to use these tools effectively, change stalls. Upskilling compliance professionals is as important as adopting new platforms.

Jeff Smith reinforced this point from a different angle. Larger institutions often struggle with silos and slow decision making, while smaller firms face resource constraints. In both cases, compliance officers are increasingly held personally accountable for failures. This reality makes communication with regulators essential, and strong internal buy-in becomes critical. When compliance is treated as a tick box exercise rather than a strategic function, institutions expose themselves to avoidable risk.

Corey Carpenter identified a common root cause of these challenges: poor data quality. Without standardised and clean data, even the most sophisticated technology adoption falters. His recommendation was clear. Start small, prove value, and then scale. This approach allows organisations to build confidence internally and demonstrate tangible results before committing to broader transformation.

The message from the panel was consistent. Compliance must shift from reactive box checking to proactive engagement that takes risk seriously. That shift requires better data and better communication, alongside a culture that treats regulatory change as an opportunity to strengthen the business rather than a burden to manage.

Building resilient risk management frameworks

As the discussion moved to risk management frameworks, the panellists agreed on data resilience and understanding how regulatory requirements flow through the financial system.

Diana emphasised the importance of vendor and data portability. Many institutions face vendor lock-in, where they cannot easily move their data or switch providers. This creates operational risk and limits flexibility. Institutions must demand contractual rights to their own data and insist on open APIs. Beyond that, they need to design architectures that support portability. When regulatory requirements change or new reporting obligations emerge, flexible infrastructure allows firms to adapt quickly.

Jeffrey Himstreet reminded the audience that Basel III Endgame affects more than just banks. Non-bank financial institutions are impacted indirectly through their bank counterparties, who pass on capital requirements through margin, collateral and settlement terms. Stress testing and liquidity analysis, once considered optional for non-banks, are now essential. Regulatory change ripples through the entire financial ecosystem, and institutions that fail to anticipate these effects will find themselves unprepared.

Jeff Smith added that vendor oversight remains critical, even after regulatory proposals are withdrawn or delayed. Managers remain fiduciaries with ongoing diligence responsibilities. This includes conducting penetration testing and validating data security. It also means ensuring that third-party providers can meet resilience standards. A robust risk framework goes beyond compliance checklists. It integrates resilience and portability into every layer of the organisation, alongside the foresight to anticipate future requirements.

For senior leaders, the takeaway is clear. Risk frameworks must be forward looking and built on flexible data architectures. They must be capable of adapting to changes in both regulation and the broader financial environment.

The role of regulatory technology and AI

Technology was a central theme of the panel, particularly the question of what is genuinely useful versus what is over-hyped.

Diana was direct: regulators will not accept 90% accuracy in compliance. For regulatory reporting, only near perfection is acceptable, which makes human oversight indispensable. Artificial intelligence can support compliance functions, but it cannot replace professional judgement.

She also stressed that the promise of AI will not be realised without data standardisation and machine readable regulatory rules. If data is fragmented or regulations remain locked in unstructured documents, AI tools cannot function effectively. Institutions need to invest in data quality and advocate for regulators to publish rules in formats that machines can interpret.

Corey Carpenter outlined practical use cases where AI is already delivering value. In regulatory change monitoring, AI reduces noise by filtering vast volumes of data down to the obligations that truly matter. It maps these obligations to internal policies and controls. It tracks changes over time and flags potential gaps. But he echoed Diana's point: explainability and a human in the loop are non-negotiable. Regulators and auditors need to understand how decisions are made, and technology must support that transparency.

Jeff Smith highlighted trade surveillance as an area where no single technology provider yet offers a complete solution across all asset classes. Legacy systems, consolidation and data silos create blind spots. AI could eventually address some of these gaps, but only if institutions first fix their data foundations.

The consensus from the panel was that regulatory technology and AI are already delivering value in noise reduction and horizon scanning. They also help with control mapping. However, adoption must be grounded in data quality and explainability, alongside professional scepticism. Technology is a powerful tool, but it is not a substitute for strategic thinking or human oversight.

Preparing for the future without overburdening operations

The final theme of the discussion was how institutions can prepare for future regulatory change without exhausting their resources.

Jeffrey Himstreet argued that the best compliance officers are those who can "look around corners." Compliance must expand beyond formal rules to anticipate investor demands and supervisory focus. It must also track emerging risks such as digital assets. Waiting for regulations to be finalised before acting is too late.

Diana reinforced the importance of demanding more from internal IT functions and aligning internal service level agreements with external vendor contracts. If internal systems are slow, unreliable or inflexible, no amount of external technology can compensate. She also highlighted the need to upskill the next generation of compliance professionals in critical thinking. Tools like generative AI can provide summaries, but they cannot replace the ability to analyse, question and synthesise information.

Jeff Smith advised monitoring both regulators' disciplinary actions and competitor strategies. These signals often indicate what rules and risks will matter most in the near future. Institutions that build flexible and modular compliance programmes, underpinned by strong data and capable of pivoting quickly, will be best positioned to respond to new challenges.

Future prepared institutions will not treat compliance as a static function. They will invest in flexibility and upskill their teams. They will design systems that can evolve as quickly as the regulatory environment itself.

Striking the right balance

The panel closed with each speaker offering one piece of advice on balancing compliance with competitiveness.

• Jeff Smith emphasised communication across compliance, risk, finance and technology teams. Siloed functions lead to gaps and delays. They also create missed opportunities.
• Jeffrey Himstreet urged institutions not to stop at regulatory risk. Firms should use data to capture the full spectrum of operational and trading risks.
• Corey Carpenter returned to data foundations. Fixing data quality now is essential. Without it, the "bullet train" of AI and automation cannot run.
• Diana closed with a call to embrace change. Technology and regulation will keep coming, and those who resist will fall behind. Those who adapt will thrive.

Key takeaways

• Proactive compliance requires strategic thinking rather than reactive box checking. It must be anchored in data quality and foresight, alongside cross-functional communication.
• Flexible risk frameworks integrate resilience and portability. Vendor lock-in and rigid systems create operational risk. Fragmented data compounds the problem. Institutions need open APIs and contractual data rights. They also need modular architectures that can adapt quickly.
• Technology and AI must be applied thoughtfully. AI is not a silver bullet. It requires clean data and explainability. Human oversight remains essential. Institutions should focus on practical use cases that deliver measurable value.
• Future readiness depends on flexibility and upskilling. Regulatory change will not slow down. Institutions must invest in adaptable systems and train their teams in critical thinking. They must also monitor emerging risks proactively.
• Balance and agility are essential. Compliance can no longer be the brake. It must be the steering wheel, guiding organisations through uncertainty while enabling growth.

How Suade helps you stay ahead

Suade empowers financial institutions to navigate regulatory change with confidence. Our platform automates regulatory reporting and reduces manual effort. It also enhances data accuracy. Built on FIRE, an open source data standard, Suade ensures transparency and auditability. It provides resilience across your compliance infrastructure. Whether you are implementing Basel III, preparing for DORA, or managing liquidity reporting, Suade provides the tools to turn compliance into a strategic advantage.

Book a demo to see how Suade can transform your regulatory reporting and keep your organisation ahead of regulatory change.