Compliance change management is a major challenge for financial institutions as they attempt to analyse hundreds of new regulations and updates every year. Alison Young, Deputy Head of Financial Crime Compliance at Rabobank, sat down with FinTech Global to explore regulatory change management in 2026.
The current regulatory landscape
One of the defining characteristics of the US compliance landscape in 2025 was around enforcement. While certain enforcement actions were issued, there was also a trend in lifting enforcement actions.
Young also highlighted there were over 10 enforcement actions issued by the Office of Foreign Assets Control (OFAC) over the course of the year. In the same vein, 2025 also saw a greater expectation on financial institutions to take steps to tackle drug cartels. The US government listed multiple cartels as foreign terrorist organizations and the OFAC added various individuals to the Specially Designated Nationals (SDN) list in a bid to freeze assets.
Moving away from enforcement action, 2025 also saw a handful of changes to existing regulatory frameworks. Young pointed to the FAQ issued by FinCEN regarding SAR filing obligations. One notable change explained when you would file a SAR, guidance on continuing activity reviews and taking a risk-based approach to no SAR decisions.
She added, “This guidance could be impactful, but at this point I’m not sure how many financial institutions have actually changed their procedures based on that guidance.”
Another important area of change in compliance was around artificial intelligence (AI). While the technology has dominated talks of innovation for many years, there has been little guidance on frameworks around its use. There is growing interest around how Financial Institutionsare using AI and what controls have been implemented. “Those conversations in the industry around AI, I think are only beginning.”
These are just a small handful of the challenges compliance teams are balancing that will likely continue to evolve over the next 12 months. Heading into 2026, we may see more executive orders and other mechanisms deployed to address certain risks. So, I would expect a little bit more of what we’ve seen in 2025 continue into 2026. Compliance is not static, with new rules or developments that need to be assessed for how it impacts a firm. The effectiveness of a firm’s ability to do this correlates with their regulatory change management workflows.
What does regulatory change management look like?
When it comes to regulatory change management there is no standard format. Each financial institution will have their own system in place with a unique spectrum of manual and automated workflows.
Young has seen a variety of methods in place over the course of her career, but typically has seen a vendor solution that disseminates relevant regulatory updates based on predetermined rules and provides them to the firm. A compliance team then collects this information to analyse whether any changes are needed, whether that is across policies, procedures, systems, tooling, governance, and more.
Young has seen frameworks where an owner of regulatory change will manually log their review and analysis of the change. This information is then usually stored within a spreadsheet or internal tool. Similarly, some firms might implement a dual review, where a member from each of the compliance and legal teams review an update and provide their insights. This allows for a mixture of perspectives and highlights aspects that could have been missed by an isolated review.
Young believes it is important to have multiple opinions on a new regulation. For instance, if there is a new policy focused on financial crime, the firm should engage a key contact from the business that is focused on that area to provide related insights. She said, “Even if it doesn’t look like there’s much to it, it’s still good to send it out and get that impact analysis and confirmation from those key stakeholders that nothing needs to change based on this new information.”
AI complexity
One of the exciting prospects of regulatory change over the coming years is an increased regulatory focus around AI. This interest could help to accelerate the adoption of the technology within compliance and create a plethora of new use cases.
Young noted, “It is not widely used yet in financial crime compliance, and when it is used, its impact so far has not been material for many institutions. I think that will change over the next decade as we learn more, but for now we are coming up with potential use cases for AI, and if we’re lucky, we get to test those use cases. I think we have a long way to go in this space, and again, we’re only starting to scratch the surface of the potential with AI.”
One of the challenges that comes with adoption of AI within compliance, and the wider financial services ecosystem, is its governance. While the technology has impressive capabilities, it is fallible. A simple mistake could cause significant damages for firms, financially and reputationally.
A recent study by Infosys found that 95% of the 1,500 executives it surveyed had experienced at least one problematic incident from the use of enterprise AI. Of the damages incurred from AI incidents, 77% contributed to direct financial loss, but many respondents deemed reputational damage more threatening than financial losses. Without correct guardrails, AI is a risk.
One of the challenges of building effective governance around AI, compared to other areas, is due to the uncertainty of what the ideal framework looks like.
Young said, “We need to inform our governance committees around AI usage, track pilots or use cases with metrics on at least a quarterly basis, if not monthly. We know we need escalation channels to senior management at the organization. We know we need testing and we need model validations if it’s considered a model. There are a lot of things to think about when it comes to AI governance, and I think sometimes you learn as you go along. It’s really important to bring regulators along for that entire journey from the very beginning, so you’re not surprising them.”
She added that including regulators from the start of the AI journey has proven to be a best practice approach.
As adoption continues, Young believes proper governance structures will start to take shape as the industry learns from what works and how to ensure protections are effective.
However, if firms can build a strong foundation for their AI and its governance, the technology can provide sizable benefits. A recent PwC survey of senior US business leaders claimed 60% see responsible AI as a boost to return on investment and organisational efficiency, and 55% say it improved customer experience and innovation.
Over the next decade, Young sees AI being super impactful to how compliance and regulatory change management looks. A report from KPMG highlighted many also share this opinion. It found that 68% of financial services executives plan to leverage generative AI across their compliance and risk processes.
She said, “AI is going to allow us to be more dynamic and more precise. It’s going to allow us to identify areas that maybe didn’t occur to us and it will be much more efficient at looking through a risk and control library for impacted areas. Over time this will also reduce risk because there will be less human error.”
The current reliance on spreadsheets sees humans waste hours each week compiling and filtering through to identify what might be applicable. Instead, an AI tool can allow the user to move more freely across documents, not only in terms of extracting key data from new updates but cross-checking to identify what is relevant and updates that are needed. Instead, firms need to have some form of horizon scanning in place so they can be prepared for changes and avoid some of these damages.
Reactive versus proactive approaches
Many firms face a difficult battle when trying to monitor all of the relevant regulatory updates that come through in a month. Last year, CUBE surveyed over 2,000 senior compliance decision-makers across the US, Canada, Europe, China, India, Australia, and Japan and found that 82% track between 26 and 100 alerts each month, including 39% who track between 51 and 100.
With the pace of change, it is easy for firms to sit in a reactive approach to change management, wait for things to come to them and deal with them. It becomes more like a compliance fire-fighting exercise. However, with the risk of financial penalties, reputational damage and increased regulatory scrutiny, the risks are high.
As such, Young encourages firms to have forward thinkers involved in the change management process that have eyes across all functions and the business. She said, “We really need to work across an entire organization. Do not just think about your department, but you need to think about all the other departments and the three lines of defence. You really need to bring in viewpoints from all different angles to really have a proactive approach.”
Another helpful measure is to work closely with peers and establishing working groups. This is a great melting pot for ideas and help ease the burden of regulatory change.
Regardless of what approach a firm takes, there is one final challenge that can sneak up on firms – a false sense of time. While an update might have a year or two until implementation, that time will go past quickly. Building new policies and testing systems can have lengthy review times, especially if coordinating across jurisdictions.
Young added, “As soon as you become aware that there’s a potential regulatory change be proactive. Start looking at it, determining impact, benchmarking and determining if an action plan is needed.”
Copyright © 2018 RegTech Analyst
