For decades, compliance has operated as a rear-view mirror — periodic reviews, retrospective audits and manual checks designed to catch problems after they emerge. But modern finance is moving too fast for static oversight. As transactions accelerate, digital channels expand and financial crime becomes more adaptive, firms are being pushed towards something far more dynamic: compliance as a real-time control system.
Advances in AI, behavioural analytics and automation are enabling institutions to monitor risk as it unfolds — analysing transactions, communications and identities in near real time. The goal is no longer simply detecting misconduct after the fact, but identifying and responding to threats as they emerge.
The shift, however, brings difficult questions. Can firms operationalise continuous oversight without creating unmanageable noise? Will regulators trust increasingly autonomous systems? And as surveillance capabilities deepen, where should the industry draw the line between security, privacy and trust?
Compliance is no longer evolving slowly in the background. It is beginning to resemble the live operating system of modern finance.
In the view of John Byrne, CEO of Corlytics, many parts of financial services are being radically altered by the speed of technology and the impact of AI. In the sector of high frequency trading, Byrne claims the time from receiving market data to sending an order—has reached between 100 and 500 nanoseconds. Light, Byrne details, travels at 30 meters in 100 nanoseconds.
He said, “Many risk and compliance functions work on end of day processing and internal audit cycles range from anything from 3 to 36 months. Most second and third line functions in financial institutions need to move from months to milliseconds, as they are supervising business that will be unrecognisable in terms of speed.”
Moving from monitoring to intervention
A question on the lips of many in RegTech centers around what it takes to move from monitoring to intervention without breaking business workflows.
For Byrne, the transition from monitoring to intervention begins with accepting that many of today’s compliance workflows are no longer fit for purpose. As financial services accelerate and technology automates more operational processes, Byrne believes traditional working practices are steadily becoming obsolete.
“The industry needs to re-examine what workflows actually add value,” he says, arguing that many legacy processes have ultimately prevented firms from fully benefiting from modern technology.
A major weakness, in Byrne’s view, is the industry’s failure to use data strategically enough. Despite vast volumes of information flowing through institutions, many firms still struggle to predict and prevent serious errors or unauthorised trading before damage is done. Compliance therefore remains too reactive, too fragmented and too dependent on structures designed for a slower era of finance.
That leaves firms with little room for incremental change. Byrne argues there is “no alternative” but to re-engineer workflows from scratch, building compliance frameworks capable of operating inside a far faster and more technologically driven financial environment.
In the view of Scott Nice, CRO at Label, the shift from monitoring to intervention depends on a fundamental change in how firms position compliance inside the business itself. Rather than operating alongside workflows as a separate oversight function, compliance needs to become embedded directly within operational processes.
“The challenge is not simply identifying an issue,” Nice says, “but determining what action should be taken and how that action can be executed without disrupting the underlying business process.”
That remains a major obstacle across much of the industry. In many firms, alerts still trigger separate workflows — often manual ones — creating delay, operational friction and additional cost. True real-time intervention, Nice argues, requires decision-making logic to sit directly inside the workflow itself, with clearly defined rules around when to block activity, when to escalate and when to simply prompt for further action.
Yet the balance is delicate. Too much intervention risks slowing the business and frustrating users, while too little weakens the control environment entirely. The firms most likely to succeed, according to Nice, will be those that stop treating compliance as an overlay and instead design it as a native part of the workflow from the outset.
Sebastian Hetzler, co-CEO of IMTF, said that the move from monitoring to intervention represents far more than a technology upgrade. It is, he argues, a complete transformation in how compliance functions operate, shifting from retrospective analysis towards “in-transaction decisioning” where critical judgements are made within seconds.
That speed only works if transactions are enriched with the right context at the point of execution. Customer risk profiles, behavioural patterns and network relationships all need to feed into decision-making in real time so that interventions remain both accurate and proportionate.
Yet Hetzler is equally clear that real-time intervention cannot come at the expense of legitimate business activity. “Not every transaction should be stopped,” he says, stressing the importance of a risk-based approach where high-risk scenarios trigger immediate action, while lower-risk activity can still be reviewed retrospectively.
Can controls be embedded?
For Nice, embedding controls directly into transactions and workflows is no longer a theoretical ambition — it is becoming an operational necessity. Advances in automation, AI and interconnected data systems mean firms can now validate activity, block transactions or request additional information in real time, at the exact point of execution.
But while the technological capability increasingly exists, Nice argues the real challenge lies in operational readiness. Effective embedded controls depend on consistent, high-quality data, clearly defined rules and a firm understanding of who owns key decisions across the workflow.
It also demands a broader cultural shift inside compliance itself. Firms must become comfortable moving compliance “left”, intervening earlier in processes rather than relying on retrospective reviews and downstream remediation after risks have already materialised.
When implemented properly, embedded controls can significantly strengthen oversight while reducing operational inefficiencies. Yet Nice cautions that achieving this requires a level of data and operational maturity that many organisations are still working towards.
Hetzler said that firms can only truly embed controls at the point of execution if compliance stops operating as a separate oversight layer and becomes integrated directly into operational systems themselves.
At the transaction level, that means moving away from traditional batch processing towards real-time screening powered by AI models capable of identifying both known typologies and anomalous behaviour as it emerges.
But Hetzler argues the shift extends far beyond transactions alone. Effective embedded compliance also depends on dynamic, event-triggered KYC updates, real-time behavioural monitoring and workflow automation that can immediately route cases and support rapid decision-making.
In practice, the result is a continuous control environment where compliance is woven across the full operational lifecycle – from onboarding and transaction execution through to investigation and remediation – rather than confined to isolated review stages after the event.
Byrne, meanwhile, said that embedding controls directly into transactions is not only possible, but increasingly unavoidable as the speed of financial services continues to accelerate. The problem, he argues, is that most firms are still relying on control architectures built over the last thirty years for a completely different pace of business.
“A large number of controls don’t mitigate the current and emerging risks of firms,” Byrne says, warning that traditional oversight models are struggling to keep up with modern transaction speeds and increasingly automated markets.
That is forcing a shift towards far more preventative forms of control, designed to operate at the same speed — or even faster — than the transactions themselves. Byrne believes this will require entirely new disciplines inside compliance, where controls must become computationally efficient enough to intervene in real time without disrupting the underlying flow of business activity.
In that environment, many existing control structures will simply become obsolete. Byrne is blunt in his assessment that “current controls architecture will not be fit for purpose” as firms move towards increasingly embedded and real-time models of compliance.
Where real-time compliance fails
Where does real-time compliance fail, and what are the risks of acting on incomplete data?
For Byrne, the alkies heal of automation has always been data quality. “Compliance data will need to be converted into quality obligations requirements dynamically. The obligations will need to feed real time policies and controls. There will be a level of precision and accuracy required in this value chain. This paradigm of accuracy and timeliness means that both compliance and controls will be tightly integrated. It also means that a more strategic and predictive approach is needed, using the wealth of historic data that regulated firms are still not using.”
Byrne also stressed that controls will need to be substantially re-imagined, in terms of not just speed of execution, but will need a test driven approach in their development. Real-time compliance will need to move from being interpretative, to being fact and data based.
He said, “The industry does not sufficiently use outcome based facts from guidance notes, enforcements and industry advisory letters. Compliance must succeed in a real-time environment.”
Nice, on the other hand, said that eal-time compliance often fails at the point where decision-making still depends on human intervention or where the underlying data is incomplete, inconsistent, or delayed. Many so called real-time systems are still constrained by manual review processes, which limits their ability to operate at true speed and scale, said Nice.
He stated, “Acting on incomplete data introduces a different type of risk. Firms may block legitimate activity, create unnecessary friction for customers, or make incorrect determinations that have regulatory or reputational consequences. At the same time, delaying action while waiting for perfect data can mean missing the opportunity to intervene altogether.”
The core challenge, Nice emphasises, is not just speed, but confidence. “Firms need to understand the quality and limitations of their data and design controls that can operate effectively within those constraints,” he concluded.
Hetzler was clear that eeal-time compliance fails when speed outpaces context and decision quality. Most institutions, he said, still operate with fragmented data landscapes, making it difficult to enrich transactions with the full risk context in real time. Without this, decisions risk being based on partial information.
This creates two critical risks. First of all, over-intervention, leading to false positives, customer friction, and operational overload, and secondly, under-detection, where incomplete data masks complex or evolving financial crime patterns.
“In addition, real-time operations introduce organizational constraints: 24/7 alert handling, limited staffing flexibility, and unclear regulatory expectations around blocking transactions in-flight. Ultimately, acting in real time without sufficient data and governance does not reduce risk, it redistributes it,” he said.
Hetzler concluded, “Speed is nothing without control, and control emerges from context. Real-time compliance must be built on complete, connected data to be effective. Otherwise, it simply shifts risk instead of reducing it.”
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
