Compliance functions designed for traditional brick-and-mortar banks don’t work for lean fintech startups or crypto platforms, yet European regulators are applying increasingly similar scrutiny across all regulated entities as they scale. Rūta Mrazauskaite, a compliance and governance consultant, examines how to build compliance functions that scale with the business, maintain independence and enable responsible growth rather than constraining it as companies navigate Europe’s transformed regulatory landscape.
Over the past decade, Europe’s financial sector has been fundamentally disrupted. Digitalization and globalization have driven new business models that deliver services faster, across borders and often outside the traditional banking framework. This shift has forced compliance functions to adapt: Controls once designed for big, brick-and-mortar banks must now operate quickly in real time, across jurisdictions and within firms built on agile technology platforms.
Regulators are racing to catch up, with measures like the European Union’s Digital Operational Resilience Act (DORA), the forthcoming payment services directive overhaul (PSD3), the Markets in Crypto-Assets Regulation (MiCA) and an expanding body of local central bank guidance, all intended to bring order to this transformed marketplace.
The sheer growth and diversity of financial institutions in Europe has altered the compliance landscape, too. Where the sector was once dominated by large banks and investment firms, it now includes players of every size and form, from lean startup payment institutions and crypto platforms to mid-size e-money firms and full-service challenger banks. This diversity means compliance cannot be applied through a single, standardized corporate model. Instead, it must take different shapes: from one-person teams in early-stage fintechs to multi-layered departments in international cross-border company groups.
The combined effect is clear: Compliance in Europe today looks fundamentally different than it did a decade ago. Businesses must design functions that are scalable, adaptable and responsive to both regulatory evolution and business model diversity. Even in legacy institutions, seasoned professionals are navigating an environment where compliance is expected to serve not just as a statutory safeguard but as a dynamic capability, one that evolves in step with the market itself.
In my experience building and advising compliance teams across different growth phases and jurisdictions, I have identified four senior management priorities for creating a resilient, independent compliance function that enables, rather than constrains, responsible growth: team size, clarifying roles and responsibilities, scaling the function to the company size and leveraging data.
Figuring out team size
Most European supervisors expect a risk-based approach to compliance and treat the adequacy of compliance resources as a non-negotiable governance principle. The European Banking Authority (EBA) guidelines on internal governance, the Capital Requirements Directive and the European Central Bank’s draft guide on governance and risk culture all make this explicit in one form or another.
While these frameworks target credit and investment institutions, supervisory practice shows the increasingly similar scrutiny applied across growing payment and e-money institutions and other regulated entities when they start scaling. Regulators are focusing not only on whether compliance exists but whether it is adequately resourced for the institution’s scale and risk profile.
Enforcement history underscores this. The Central Bank of Ireland’s 100.52 million euro fine against Bank of Ireland included findings that the bank had failed to maintain sufficient resources to meet its obligations.
Best practice for resourcing assessments
Assessing resources for the compliance function should be a simple and relatively quick exercise. Such assessments should be:
- Conducted by the compliance function itself to preserve independence.
- Documented to create an audit trail, for example by integrating into regular compliance reports to management, ensuring issues are discussed and decisions minuted.
- Proportionate: not so complicated or lengthy that the assessment itself becomes a burden on the compliance function.
Key questions to assess compliance resourcing
Customer base and fund flows
- How many customers does the company serve?
- How many transactions do they conduct quarterly, and what is the value?
- What growth is projected in the business plan?
- What proportion of customers are high-risk (if applicable)?
- Are there any specific consumer protection risks — e.g., retail clients, vulnerable customers or those with low financial literacy?
General business risk
- What types of products are offered, and how complex are they for customers to understand?
- How many new products are planned, and what is their complexity?
- Which regions does the company operate in, and what risks do they pose?
- Does the business carry credit risk, and is it increasing?
- Does the business model present prudential compliance risks? (In which case, the finances/treasury department should be well staffed as well.)
- Are any key partners high-risk?
- How much is outsourced, and are critical/important functions outsourced?
Organizational complexity and compliance role
- Does the complexity of the organizational structure require additional compliance oversight?
- How is work divided between different divisions, and can compliance meet all requests in a timely way (i.e. what concrete tasks are attributed to the compliance team)?
- If part of a group, does the parent company’s compliance framework help or add additional tasks to the local compliance?
Other ad hoc relevant considerations
- For example, are there plans to apply for new licenses, is there a restructuring in another department increasing compliance workload, and are there strategic projects requiring significant compliance input?
The responses to these questions should form a clear and data-based conclusion on whether the current compliance resources are adequate, ideally linked directly to the organization’s risk appetite statement. In practice, compliance independence means the head of compliance must be empowered to request resources when necessary. Where such a request is substantiated and approved by the highest governing body, it should be treated as a governance decision and executed promptly by HR or other relevant functions.
Positioning compliance for maximum impact, defining roles and responsibilities
Independence is the foundation of an effective compliance function. To secure it from the outset, the head of compliance should report directly to the supervisory board or management board, giving compliance visibility at the top and establishing it as a trusted adviser from the earliest stages. Beyond being a regulatory requirement, this positioning supports the professional development of compliance staff, builds understanding of compliance at the highest levels and helps create a culture of integrity among senior management. In practice, however, maintaining independence while staying integrated in the organization often proves challenging.
While the three lines of defense model provides clear guidance on the role of compliance and its interaction with other lines of defense, organizations frequently face challenges in interpreting and implementing these principles in practice.
Separating AML/CTF from general compliance
As businesses mature, European regulators increasingly expect AML/CTF compliance to operate separately from general regulatory compliance within the second line of defense. Practically speaking, both areas have simply become too complex to be managed effectively under a single generic role in larger organizations. Planning for this separation early allows for better talent development and process clarity.
Asking related key forward-looking questions early on can support building a resilient, effective and agile compliance function.
- Will the organization have a chief compliance officer overseeing both regulatory and AML/CTF compliance, or will these remain separate units with no common larger department?
- Will there be a well-developed first line of defense to support both functions, and to whom will it report? For example, Know Your Customer (KYC), transaction monitoring and screening teams should ideally sit in the first line of defense. This allows the money-laundering reporting officer (MLRO) to remain independent as a second-line control. If these functions are initially combined, the company must be ready to establish a distinct first-line AML/CTF function when the time comes and to give it appropriate reporting lines.
- Over time, some businesses also choose to establish a full first-line compliance team, which in turn requires rethinking the reporting lines.
Legal, regulatory and compliance: Drawing the line
Disagreements between legal and compliance are especially important to anticipate, because both functions interpret how regulations apply to products and services, and both are often staffed by lawyers. This overlap makes differing interpretations likely. Clear guidelines should therefore set out how to handle such cases, for example, where compliance reaches a different conclusion than legal on the readiness of a new product launch. The escalation process should be tied to the firm’s risk appetite statement and provide management with a structured choice: accept the risk (if it falls within risk appetite) or reject it and require further product development before launch.
Working with internal audit
Similarly, the relationship with the third line of defense, internal audit, is likely to be close in the early stages of the business. While compliance and internal audit must each preserve their full independence, the nature of their work requires active cooperation at every stage of growth. This is especially evident when planning compliance monitoring and assurance work.
If both functions investigate the same issues simultaneously without coordination, the organization risks:
- Audit fatigue from duplicate requests
- Inefficient use of resources
- Conflicting findings or recommendations
A practical solution: conduct regular operational meetings to align annual plans, share intelligence and ensure that workstreams complement rather than duplicate each other.
Maturing the compliance function: from generalist function to a strategic second line
As financial institutions mature, the compliance function must transition from an all-purpose regulatory problem-solver into a strategic, independent second-line capability that balances dual responsibilities: enabling the business to grow responsibly while holding it accountable to regulatory and ethical standards.
This evolution is central to embedding the three lines of defense model in practice. The precise scope of compliance responsibilities will vary by jurisdiction and business model:
- Some countries, such as Lithuania, issue prescriptive compliance guidelines with specific expectations for structure and function.
- Others follow a more principles-based approach, leaving more discretion to the institution.
However, the EBA guidelines and various service-specific EU regulations provide clear direction in most cases by specifying tasks that compliance must perform. For example, MiFID II requires investment firms to implement compliance controls over personal transactions by staff. Banks face even broader expectations: the ECB’s draft guide on governance and risk culture emphasizes behavioral and cultural dimensions, positioning compliance officers as visible champions of integrity alongside senior management.
While specific processes will vary, there are some foundational elements that should guide this evolution.
- Structured risk ownership and advisory role
- Regulatory obligations registries
- Ongoing advisory support
- Monitoring, oversight and assurance
- Standardized reporting to management
Harnessing data for compliance mastery
Compliance is already data-driven. According to a 2025 PwC survey, technology is already helping companies move faster, navigate complexity and avoid hazards. For compliance, this includes better visibility of risks and risk management activities (64%), faster identification and proactive response to compliance issues (53%), higher quality/more insightful reporting (48%) and increased productivity and cost savings (43%).
In practice, this means that from the start most (if not all) company policies should gradually be given defined key risk indicators (KRIs) that measure how well they are implemented, so the compliance function can monitor them effectively. For example, a simple KRI for the effectiveness of internal customer inquiry handling is the number of internal inquiries escalated to the authorities, which gives the function measurable data to analyze over time.
Dashboards should support the analysis and monitoring of all key compliance metrics, e.g., customer complaints, data subject requests and entries in compliance tools, such as conflict of interest declarations, gifts and entertainment logs or whistleblower reports.
Compliance must also leverage other data used by the risk function to ensure that internal controls function effectively and cohesively. For instance, risk incidents should be categorized in a way that allows filtering by compliance-relevant risk typologies.
Similarly, compliance should start thinking about early warning indicators from Day One. An excellent way to understand customer needs and behavior, for example, is to analyze the data behind the products offered: the number and reasons for customer inquiries and complaints, and even the patterns in how customers use and pay for specific products. This means that whatever internal data tools and dashboards the business builds, compliance should be a stakeholder in the process, so that it can make use of them when needed.
These data foundations allow compliance functions to build increasingly sophisticated reports with as much automation as possible, intervene early in cases of potential noncompliance and support the development of a cohesive internal control system as the business grows.
Rūta Mrazauskaite is a compliance and governance consultant and co-founder of the European Compliance Professionals Association. She has held senior regulatory compliance roles in global fintech companies, serving as head of regulatory compliance for the EEA region at Revolut and leading the regulatory compliance team for the EMEA region at Airwallex. She began her career in compliance and integrity at Transparency International and holds a Master of Laws (LL.M.) degree from Harvard Law School. 