Regulatory change used to be a question of volume. More rules to track, more updates to implement. Today, it’s a question of fragmentation. With regulatory expectations diverging across jurisdictions, firms aren’t short of information; they’re short of clarity about what applies, where, and to whom. The challenge is no longer monitoring change, but connecting it. In that sense, connectedness — not confusion — becomes the true golden source of modern RegTech.
A challenging question for many in the financial services sector is how they determine which regulatory obligations apply to their business today, across every jurisdiction they operate in. For John Byrne, CEO of Corlytics, this starts with internal infrastructure.
At Corlytics, the firm automatically scans and monitors around 2,500 regulators globally. That surveillance extends beyond formal rule changes to include early indicators — speeches, consultation papers, enforcement signals — anything that may suggest a shift in regulatory direction.
“We pick up either a regulatory change or an indicator of a regulatory change,” he explains. AI-driven methods are used to capture and rationalise those signals across jurisdictions, ensuring changes are identified consistently, regardless of geography. But regulatory change is no longer a one-way street.
“For years, regulatory change meant more regulation,” Byrne says. Now, in some markets, it also means deregulation. A framework that once imposed 100 obligations may be reduced to 70. Managing that contraction, he argues, is just as complex as managing expansion. It requires systems capable of recognising not only what has been added, but what has been removed — and where.
The real strategic decision, however, lies in how firms respond to divergence. Global organisations rarely want to operate 10 or 15 different compliance models across jurisdictions. The operational risk becomes unmanageable. Instead, many adopt what Byrne describes as the “highest common denominator” approach: identifying the strictest applicable regulatory standard and aligning global policies and processes to that bar.
Some call it “gold plating.” Byrne frames it as pragmatism. If deregulation occurs in one jurisdiction but not in others, lowering standards locally may create fragmentation and risk. In practice, the highest bar tends to prevail. “Even if there’s deregulation happening in one part of the world,” he says, “if it’s not happening elsewhere, the highest common denominator still stands.”
In that sense, determining which obligations apply is not simply a technical exercise. It is a strategic choice about consistency, risk appetite and operational coherence across borders.
Where regulatory confusion is found
A common challenge for firms is understanding where regulatory confusion arises from. Does it sit within interpretation, applicability or the final stage of execution. For Byrne, the answer depends on perspective.
As a RegTech firm, Corlytics sits in a different position from the banks and asset managers it serves. The company monitors regulation globally and delivers structured intelligence to highly regulated firms. It is regulated itself — particularly in areas such as AI governance, cybersecurity and frameworks like DORA — but its primary exposure is through the sheer breadth of regulatory change it must track on behalf of clients.
That change, Byrne notes, is not uniform. In the United States, enforcement priorities have shifted around sanctions and the Foreign Corrupt Practices Act — effectively the regulatory perimeter around bribery and inducements. Meanwhile, cyber risk continues to expand globally. AI regulation is accelerating in Europe and Asia, while the US is moving at a different pace. Data governance regimes are diverging across jurisdictions rather than converging.
Against that backdrop, confusion tends to crystallise in two places: interpretation and applicability.
“The core business of Corlytics is to extract an obligation from a regulation,” Byrne explains. An obligation is not commentary or guidance — it is the definitive statement of what a firm must do, or must not do. Historically, that interpretation sat almost entirely with lawyers. Byrne sees that shifting. “We’re moving from lawyers interpreting regulation to technology — driven by lawyers — assisting in identifying the obligation.”
In other words, this ambiguity is being reduced upstream. The focus is no longer on debating what the law might mean in abstract terms, but on systemising what actions are duly mandatory.
Once the obligation is clear, a second layer of complexity emerges: applicability. Not every rule applies to every firm — or even every entity within a firm. Applicability depends on business activity.
Take client assets. A global bank holding client money faces one set of obligations under CASS. A hedge fund, operating under a different structure, faces a narrower subset. The regulatory perimeter shifts according to the nature and complexity of the business.
This is where confusion often arises for firms: not in what the rule says, but in whether it applies to them.
Byrne argues that technology is steadily eliminating much of the grey area. Interpretation is becoming more deterministic. The critical questions are becoming sharper and more binary: What is the obligation? Does it apply to this entity? If so, what must be done?
Execution, then, becomes the downstream consequence of clarity — not the source of confusion itself.
Connecting regulatory change
How can firms connect real-time regulatory change to specific entities, products and services?
Byrne outlines here that such a process is a key part of Corlytics technology, stating, “We monitor real-time regulatory change, and we have been developing for more than 10 years an AI that is able to understand what is applicable to a particular entity or what is related to a product of a service line.”
Going further, Corlytics is able to map every regulatory change and every obligation from a registry change into specific products or service lines. Byrne mentioned the firm can also adapt this to the specific product and service line taxonomy or description of the business.
Prioritising relevance over volume
How can firms ensure regulatory change management prioritises relevance over scale?
Byrne, here, begins with scale — because without understanding the scale, the problem doesn’t make sense. “A typical client might receive 300 regulatory notices every day,” he says. Those notices range from a few pages of legal text to more than a thousand. For a global bank, that can add up to as much as 30 million pages of regulatory material in a single year.
The challenge is obvious: volume is not value. The objective, Byrne explains, is not to process everything equally, but to filter aggressively and intelligently. “What we want to serve up is what we would call a relevant notice — something that is actually relevant for the client and our target generally.”
Corlytics’ benchmark is disciplined. Out of those millions of pages, the firm aims to ensure that no more than five per cent is ultimately deemed relevant and prioritised. Everything else is filtered out without creating blind spots. What does pass through is automatically routed to the appropriate sub-business units within the organisation.
In some cases, the filtration is even more exacting. Byrne points to one client where “about one in every 200 notices” makes it through — roughly half of one per cent. The result is an organisation that is not overwhelmed, not distracted, and not exposed.
“They’re not missing anything,” he says, “but they’re able to act only on what’s relevant to them.” The philosophy is simple but difficult to execute at scale: regulatory change management is not about reading more — it is about narrowing faster, with confidence.
Translating regulatory updates
For Byrne, the operative word is “concrete.” Too often, regulatory change is reduced to something “perfunctory or cosmetic,” he says — a surface-level update that creates the appearance of compliance without materially altering behaviour.
Corlytics’ approach begins with filtration. The first task is to determine what is genuinely relevant to the firm. Once that relevance is established, the technology moves quickly and deliberately. “We identify the obligation,” Byrne explains — the specific element of regulation that requires the firm to act, or in some cases, not to act. It is this obligation, not the broader regulatory text, that becomes the anchor point.
From there, the process becomes structured and systematic. The obligation flows automatically into Corlytics’ policy management system — an area Byrne describes as “best-in-class.” Policies are not left as static documents; they are immediately mapped to controls through the firm’s controls management technology. Those controls are then translated into the operational layer — processes and procedures embedded within the business itself.
The effect is a clear chain of traceability: obligation to policy, policy to control, control to process.
“We have very strong technology when it comes to taking that obligation and creating a template or suggestion for a policy,” Byrne says. The same logic applies to controls and, ultimately, to the day-to-day procedures that govern how work is done.
In Byrne’s view, this ability to move from regulatory text to operational reality — without losing precision — is not an add-on capability. It is the firm’s core competency. “We think we lead the way in terms of how we robustly manage all of this.”
The emphasis, throughout, is on substance over symbolism — turning regulatory change into something tangible, measurable, and defensible inside the organisation.
Regulatory interpretation accountability
When quizzed on where accountability for regulatory interpretation is held, as well as how consistency is enforced globally, Byrne stresses a clear point. “If you look at enforcements and how regulators enforce regulation, it can sometimes be different to what they publish.
“The other thing we do with our technology is track enforcements in terms of root causes of how firms get there, and its very interesting when you’re looking at the controls and the policies of firms, because that seems to be the root cause of what regulators are interested in,” said Byrne.
If the end result is where there is perform enforcements from poor outcomes, they are generally related to controls, policies and processes, the Corlytics CEO stressed. From here, if firms look at the accountability for the regulatory interpretation – which has had a big change over the last five years – Corlytics organises information based on accountable executives.
“This can include owners of different businesses, including a head of trading within an organisation, head of asset management within a particular part of an organisation, would be held accountable for all the regulatory aspects of their business,” said Byrne.
He added it is not just interpretation, but it involves using the technology to come up with a more bulletproof way of determining the outputs of the actions that are needed, as the root cause of enforcement is lack of action.
Byrne finished, “The problem in the industry is that many firms have what is called cognitive dissonance. They understand the regulation and they can interpret it, but they can’t implement it. It’s really about having the right tools to basically bridge the knowing and doing gap in this space.”
Documenting and governing
A key question asked of those in the RegTech industry is how they document and govern risk decisions taken above minimum regulatory requirements. For Byrne, he sees a shift of risk-based approaches by banks.
He said, “We’re seeing a movement where a lot of the really well-run banks are taking a risk-based approach where they’re saying that the regulator may be interested in something, but we have a risk here.”
Just because the regulator wants a particular thing, Byrne states, it isn’t good enough for said bank, and they must raise the bar higher as they don’t like the risks that are in this space.
Corlytics, in this respect, assists businesses in taking a risk-based approach so they are able to understand where the highest risks are and then set the bar higher than the minimum standards.
Understanding compliance functions
How can businesses know whether their compliance function is reducing confusion or just creating more of it?
For Byrne, he cited experience at Corlytics, where the company provides a utility benefit to its clients – who will let them know very quickly if something is not helping them.
He added, “Confusion generally comes in when there’s too much noise or too many spurious pieces of regulatory text get through – filtering out noise helps reduce confusion.”
Another area Byrne cites as a key spot for confusion is overlapping obligations. “One obligation says X and another says Y, so we have a process for managing that as well. We assist firms at all parts of the value chain to make it clear what should be done and what should be prioritised,” concluded Byrne.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
