In our latest Top Risk Review, ORX's banking and insurance members reported an increase in Regulatory Compliance risk. In this blog, we provide an in-depth analysis of Regulatory Compliance risk which is causing an increasing burden across the financial services sector.
Our analysis draws on insights from the latest Top Risk Review and conversations with our members. We focus on the risk drivers, the interconnectivity between Regulatory Compliance and other risks and the methods used to manage the risk.
Regulatory Compliance concerns rise as the regulatory burden increases
In our latest Top Risk Review, ORX members reported an increase in Regulatory Compliance risk. This is primarily driven by:
- An increasing regulatory burden
- The volume and scope of new and evolving regulation relating to operational and non-financial risk (ONFR)
- Increasingly demanding approaches to regulatory supervision
- Regulatory divergence between jurisdictions
- Geopolitical uncertainty
'Relentless' regulatory environment
With a regulatory landscape that members describe as ‘relentless with never-ending change’, Regulatory Compliance has moved to fifth position in the most recent Top Risk Review (up three places year-on-year). Furthermore, participants’ overall materiality scoring of the risk has increased by more than that of any other top-ten risk (>5% year-on-year). This growth is seen across all sectors and regions.
Change in materiality score year-on-year between H2 2023 and H2 2024

Segment | Change in materiality score
--- | ---
Overall | ↑ 5.08%
Banking | ↑ 6.29%
Insurance | ↑ 2.59%
Europe | ↑ 4.48%
Americas | ↑ 1.48%
Asia/Pacific* | ↑ 2.62%
Africa* | ↑ 25.45%

*Participant sample size for these regions was smaller than usual in our H1 2024 review, resulting in significant score fluctuations.
Key drivers include:
- New or amended regulations
- Reductions in timescales for compliance
- Lack of clarity in new or amended regulation which can make interpretation and subsequent implementation challenging
- Upfront costs are often required to meet compliance
- Achieving compliance can detract from day-to-day risk management as teams focus on regulations
- Perceived impact of compliance on business or customers such as limitations on strategic decisions
- Increased costs overall
We provide more information on the drivers of Regulatory Compliance and other risks in Appendix 1 of the Top Risk Review H2 2024.
Changing volume and scope of new and evolving ONFR regulation
The scope of regulatory scrutiny continues to widen and grow in complexity with each iteration, particularly in the following areas:
- Cybersecurity
- AI (see our AI regulation tracker for the latest developments)
- ESG
- Data protection
- AML and sanctions
- Third-party risk management
- Disclosure requirements, especially relating to:
  - Climate
  - Human rights
  - Investment portfolios
  - Corporate tax
As reporting requirements continue to grow, firms’ processes, resources and budgets will increasingly come under strain. The sheer volume of new regulations may overwhelm compliance teams, or may require new skills to be hired into operational risk teams to help meet obligations.
Increasingly demanding approaches to regulatory supervision
Our members share concerns that the increased effort dedicated to regulatory and supervisory activity is having a knock-on impact. It is regularly reported that supervisors are significantly increasing the number of information requests placed on firms, and the actions requested often drive more granular, and sometimes burdensome, approaches to risk management. This reduces the time available for day-to-day risk management and limits capacity to advance strategic risk management initiatives within the organisation.
Regulatory divergence between jurisdictions and geopolitical uncertainty
With different global regulators addressing similar themes independently, financial firms are increasingly facing the challenge of meeting regulatory compliance across their different operating jurisdictions – each with their own focus. This divergence ranges from subtle to significant, and even contradictory, regulation.
Key examples of regulatory themes addressed across different jurisdictions:
- Operational resilience: regulators have different focus areas within their operational resilience guidance:
  - The EU focusing on digital resilience (DORA)
  - The PRA/FCA in the UK focusing on important business services, financial stability and customer harm
  - APRA in Australia bringing together requirements for business continuity, third party and operational risk management under the same standard (CPS 230)
- The EBA’s proposal of a new operational risk loss taxonomy, as part of a new operational risk loss framework, potentially adds a further categorisation and mapping burden to firms that may already have several taxonomies in place
- Basel III: regional supervisors have taken different views with regard to the implementation of Basel III requirements (e.g. the inclusion of losses and Pillar II requirements)
  - More details are available in the 2024 Capital Benchmark and on ORX’s Basel III SMA implementation tracker
To meet compliance with thematic regulations across jurisdictions, some ORX members are opting to roll out a group-wide stance that complies with the key themes seen across the various regulations, while permitting local variance as required. This allows globally operating firms to prepare for any future regulations addressing the same theme, and develop consistent, mature practice across the group.
Geopolitical uncertainties in 2025 and beyond
As we head into 2025, firms are facing an uncertain emerging risk horizon with regards to geopolitics. With the recent presidential election in the USA and upcoming elections across the globe, these political changes bring into question the direction and type of regulation that firms will need to comply with in the future.
Very different approaches to regulation could be seen in different jurisdictions, with the potential for an increasing burden in some regions and deregulation in others. For example, UK authorities have announced their intention to reduce the regulatory burden, and the incoming US administration is expected to favour a lighter regulatory environment. This could affect a range of ONFR topics, and history has indicated that periods of deregulation can be followed by an increase in conduct risk-related issues once a period of intensified scrutiny returns.
We will be exploring the impact of the geopolitical landscape more in the 2025 Operational Risk Horizon, available soon.
Global alignment on thematic regulations would be a benefit to all
From analysing the results of the Top Risk Review and listening to our members, it is clear that there's a strong desire within the industry to see increased regulatory alignment at a global level. Financial services organisations that operate in multiple jurisdictions favour a coordinated approach to thematic regulations across regions.
At a time when digitalisation is accelerating, and the environment financial services organisations operate in is complex, effective regulation is essential. Yet, the impact of subtly differing requirements is significant. More regulatory alignment, coordinated at a global level, would reduce unnecessary complexity.
In turn, financial services organisations would gain time to enhance risk management, streamline regulatory compliance, and standardise risk management activity, ultimately contributing to an overall more resilient environment and providing greater protection for consumers.
Looking to the future
As the regulatory landscape continues to evolve, bringing complexity and a lack of global alignment, we expect Regulatory Compliance risk to remain a key priority and concern throughout this year. Indeed, 38% of Top Risk Review respondents expect their scores to increase in the next six months.
We will revisit the topic both as part of our Operational Risk Horizon review of emerging threats and in the next Top Risk Review in mid-2025.