A regulatory change drops on Friday afternoon. In 2015, that meant scheduling an IT project, drafting a requirements document, and hoping the update would go live before the auditors came knocking. Best case: three months. Worst case: you’re explaining to regulators why you’re still working on it.
Fast forward to today. A business user opens the rules engine, makes the configuration change, runs the validation tests, and pushes it live by Monday morning.

That shift didn’t happen everywhere. But where it did, it changed everything about how compliance operates.
The numbers tell you how incomplete that transformation has been. 82% of compliance departments still rely on manual processes. 79% still use spreadsheets for compliance management. But the gap between institutions that made the leap and those that didn’t has never been wider.
The Document Storage Era
Back in 2006, compliance systems prioritised document storage over decision logic. Processes ran on IBM Lotus Notes and FileNet. They held files but couldn’t interpret policy or apply rules consistently across jurisdictions.
The technology existed to store documents. Not to make decisions.
The transformation began when business rules previously confined to Excel checklists were industrialised into API-driven, testable decision services. These became the single reference point across platforms, cutting manual intervention by 50% across the client lifecycle: due diligence, sanctions screening, adverse media, PEP checks, periodic reviews.
Speed improved. But that wasn’t the main change.
The entire conceptual model shifted. Compliance platforms had been built as digitised checklists rather than systems capable of applying policy logic. Moving from checklists to executable code meant rethinking compliance as an engineering discipline.
From Procedure to Engineering
My own perspective changed during a global deployment that required sign-off across multiple regions. The work shifted from assessing whether people followed procedures to guaranteeing the system produced correct outcomes every time.
You stop asking if someone completed the steps. You ask whether the system delivers the right result regardless of who runs it or where they sit.
The most effective model for global operations separates what’s universal from what’s local. Call it the 80/20 architecture. The immutable core of an institution’s global policy stays fixed. Local configurations handle regional regulatory variations.
Here’s a practical example. A firm operating across fifteen jurisdictions can’t afford fifteen different interpretations of “high-risk client.” But it does need different documentation requirements, thresholds, and reporting obligations in each market.
The core logic stays constant. The local layer adapts without breaking the foundation.
When Policy Becomes Code
Policy-as-Code means regulatory intelligence lives inside systems as executable logic, not in procedural manuals gathering dust on a shared drive. Take a full policy document and break it down into discrete logic statements. Subjective interpretation becomes objective classification.
Any regulatory requirement can be expressed as a set of atoms of logic. If the industry is classified as high-risk and the jurisdiction imposes elevated regulatory requirements, the risk tier is set to high, and specific documentary evidence is required. The tool queries the central rules engine in real time. It runs cascading logic: apply all relevant global core policies first, then layer every configured local rule for the specified jurisdictions. The system knows what to ask, when to ask, and what evidence to require, based on the client’s profile and location.
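The cascade described above, sketched as an added example (not code from any particular rules engine). The jurisdiction codes XA/XB, rule ids, industry names and document names are constructed placeholders, and treating "elevated" as a match on any of the client's jurisdictions is an assumption. The final guard enforces that a local rule cannot change the core classification.

```python
from dataclasses import dataclass, field

# Constructed sample data: placeholders, not real regulatory requirements.
HIGH_RISK_INDUSTRIES = {"money_services", "crypto_exchange"}
ELEVATED_JURISDICTIONS = {"XA"}

@dataclass
class Decision:
    risk_tier: str = "standard"
    evidence: set = field(default_factory=set)
    trail: list = field(default_factory=list)  # ids of rules that fired (audit trail)

def core_high_risk(client, d):
    """Global core rule: the logic atom from the text, identical in every market."""
    if (client["industry"] in HIGH_RISK_INDUSTRIES
            and ELEVATED_JURISDICTIONS & set(client["jurisdictions"])):
        d.risk_tier = "high"
        d.evidence |= {"source_of_funds", "ownership_chart"}
        return True
    return False

def local_xa(client, d):
    """Local overlay for XA: adds evidence for high-tier clients only."""
    if d.risk_tier == "high":
        d.evidence.add("xa_regulator_licence")
        return True
    return False

def local_xb(client, d):
    """Local overlay for XB: a market-specific threshold (constructed value)."""
    if client.get("expected_monthly_volume", 0) > 50_000:
        d.evidence.add("xb_volume_declaration")
        return True
    return False

CORE_RULES = [("CORE-001", core_high_risk)]
LOCAL_RULES = {"XA": [("XA-001", local_xa)], "XB": [("XB-001", local_xb)]}

def evaluate(client):
    d = Decision()
    for rule_id, rule in CORE_RULES:               # 1. global core policies first
        if rule(client, d):
            d.trail.append(rule_id)
    tier_after_core = d.risk_tier
    for j in sorted(client["jurisdictions"]):      # 2. then each local layer, in fixed order
        for rule_id, rule in LOCAL_RULES.get(j, []):
            if rule(client, d):
                d.trail.append(rule_id)
    if d.risk_tier != tier_after_core:             # local layer must not alter the core result
        raise ValueError("local rule altered core risk tier")
    return d
```

Iterating jurisdictions in sorted order keeps the audit trail deterministic, so the same client profile always yields the same trail regardless of who submits it.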
Banks adopting AI-driven onboarding engines report 40–70% reductions in KYC and onboarding time. They’re automating:
- Document extraction and validation
- Sanctions and PEP screening
- Adverse media checks
- Case summarisation
The time savings matter. But consistency matters more.
The Cultural Shift
A regulatory update that once required a formal IT project with a multi-month timeline can now be implemented by a business user within days.
Compliance teams get direct ownership over rule configuration. No waiting for development cycles. This velocity matters when you’re trying to keep pace with regulatory changes that don’t arrive on convenient timelines.
The process, which was sequential, opaque, and slow, becomes parallel, transparent, and fast. When a new sanction list is published or a jurisdiction tightens beneficial ownership rules, the institution responds immediately. Clients get faster onboarding. Risk officers get better data. Auditors see a clear trail.
The economics are stark. A 2025 Fenergo study found that 70% of financial institutions lost clients in the past year due to slow, inefficient onboarding. That’s up from 48% in 2023. Average abandonment rates sit around 10%. Revenue walks away because the compliance process feels like friction rather than protection.
Meanwhile, 93% of financial institutions plan to implement agentic AI within two years. 26% expect more than four million dollars in annual compliance operations savings from these deployments.
What Still Hasn’t Changed
For all the progress in tooling and architecture, many institutions still face the same problem: translating complex regulatory texts into consistent, auditable action. Without codification, compliance runs on manual interpretation, procedural checklists, and disconnected systems. That creates operational delays, inconsistencies, and audit risk embedded deep in client lifecycle processes.
Policy documents stay fragmented. Interpretation varies by team, by region, sometimes by individual officers. The knowledge lives in the heads of subject matter experts rather than in systems that can execute and explain their own decisions. When those experts leave, or regulatory texts change, the institution scrambles to recreate the logic from scratch.
A NorthRow KYC survey found that:
- One in five onboarding checks takes more than 24 hours
- 40% of firms rely on Word and Excel for regulatory compliance
- Some organisations spend up to 25% of revenue on compliance
These numbers reflect organisations still operating in the pre-engineered era.
The Next Decade
The next phase will be defined by intelligence-led client lifecycle management, not by digitising forms and workflows. It moves beyond process digitisation and establishes compliance as a distinct engineering discipline within the financial institution.
Build systems where policy is an active, managed asset rather than a passive document. Replace operational uncertainty with systematic control. The institution that can interpret, implement, and justify its rules most quickly, consistently, and transparently will manage risk more effectively.
In an industry governed by rules, that advantage compounds. The technology exists. The business case is clear.
The gap is cultural and architectural. Institutions must decide whether compliance is something they document or engineer. Whether policy lives in PDFs or executes as code. Whether regulatory change triggers a project or a configuration update. The decade ahead belongs to firms that choose the latter.


