EU evolution: the rise of evidence-based compliance

January 2025  |  FEATURE | RISK MANAGEMENT

Financier Worldwide Magazine

January 2025 Issue


Compliance in business can be a complex challenge, compounded by a seemingly endless series of rules and regulations that have steadily increased the burden on organisations.

Across Europe, and in the financial services (FS) sector in particular, this burden is increasing. According to recent research by Dun & Bradstreet, 75 percent of compliance decision makers in Europe’s FS sector state that regulatory demands on their compliance teams have significantly increased over the past year, 8 percentage points above the cross-sector average of 67 percent.

In the face of this increasing regulatory burden, organisations and their compliance departments are not only under pressure to comply, but to also enhance their risk management and compliance capabilities to promote success and innovation. However, in many instances, these capabilities are predicated on a ‘tick-box’ approach to compliance, particularly within European Union (EU) member states.

“EU regulators have historically focused on a more prescriptive, rules-based approach, with strict adherence to regulatory requirements,” concurs Lorraine Mouat, head of payment services at Thistle Initiatives. “But in recent years, we have begun to see more of a shift toward an evidence-based approach, with organisations’ compliance frameworks expected to be more dynamic and adaptable.”

In essence, the evidence-based approach uses assurance activities, reports and controls to demonstrate that obligations are being met, risks are being mitigated and controls are operating effectively. In other words, there is a clear framework in place which relies on robust evidential data being gathered and monitored, rather than the traditional tick-box approach, which depends on a collection of responses, attestations and statements to prove compliance.

“To this end, EU regulators are increasingly focusing on outcomes rather than processes,” says Joanne McNaul, senior director of financial crime risk management at K2 Integrity. “A principles-based approach emphasises accountability and encourages organisations to embed evidence of ethical considerations and risk management deeply within their operations. This demands a more adaptable framework that ensures organisations are aligned with core principles rather than rigid, region-specific rules.”

Rather than requiring organisations to complete a set list of tasks in order to prove compliance, regulators across the EU now expect them to undertake nuanced, tailored reporting that shows how they have mitigated the risks specific to their business, including how they update their controls and procedures in real time.

Driving factors

The factors that have led EU regulators to a more evidence-based mindset are numerous, and include the ever-increasing complexity of organisations’ business models, the frequency of cross-border transactions and major technological advances, as well as the global trend toward harmonised regulatory standards, particularly in the environmental, social and governance (ESG) space.

“The complexity of modern business environments, driven by rapid technological advancements and global interconnectedness, makes rigid rules insufficient to address emerging risks,” asserts Ms McNaul. “Prescriptive checklists often fail to capture the nuances of diverse and evolving industries, where static rules may quickly become outdated or irrelevant.

“Moreover, the rise of ever-evolving risks, such as cyber security threats, data privacy concerns and financial fraud, necessitates a more flexible and dynamic approach to compliance,” she continues. “These risks often transcend industry boundaries, requiring organisations to demonstrate that they are not just ‘ticking boxes’, but actively identifying and mitigating risks based on real-time evidence and making principle-based decisions.”

Another key factor, in the view of Ms Mouat, is that of accountability. “Regulators want to ensure that organisations can demonstrate an understanding of key risks and explain how compliance frameworks address them,” she attests. “They are also looking for more data-driven insights, with compliance solutions tailored to the risk profile of the firm. As more organisations operate globally and across jurisdictions, regulators want to ensure that compliance frameworks are robust and can manage any change in risk profile.”

Gathering and managing compliance evidence

Given the wide variety of regulated organisations, in terms of business models, jurisdictions, products and customers, an evidence-based approach to compliance provides a flexible framework that can be interpreted and applied to all manner of circumstances.

The key for organisations is being able to demonstrate – through compliance evidence – that the measures they have in place are delivering the intended outcomes. Indeed, compliance evidence, including audit reports, licences, certifications, policies, training records, monitoring logs and testing results, is one of the best methods for demonstrating that compliance is being taken seriously.

That said, gathering and managing regulatory compliance evidence to meet obligations across a compliance programme is often easier said than done. But according to ZenGRC’s ‘What is Evidence Collection in Compliance?’, an effective evidence management framework should be built on the best practices outlined below.

First, standardised collection of regulatory compliance evidence. Companies should create intake procedures to gather evidence from systems and personnel digitally. They should incorporate compliance tools to automate regulatory evidence collection and ensure that metadata such as the custodian and the collection timestamp is captured to support chain of custody. In addition, they should allow for various evidence types, such as documents, audit logs and training records.

Second, centralised evidence in a repository. Using a searchable platform and avoiding scattered evidence storage, such as local drives or spreadsheets, is advisable. This simplifies oversight, retention and access for audits and law enforcement agencies.

Third, structured and organised regulatory compliance evidence. Companies should logically categorise evidence using tags and naming conventions aligned to compliance standards, and standardise file plans and structures organisation-wide. Organisations can also add descriptive metadata, such as compliance domain and department, to enable quick search and findability.

Fourth, controlled and restricted access to sensitive compliance evidence. Companies should leverage access controls and permission levels. In addition, they should limit internal sharing only to personnel involved in the compliance programme. Also important is to carefully manage external sharing with auditors, regulators and other stakeholders, which helps maintain confidentiality and supports compliance requirements.

Lastly, continuous review and optimisation of compliance evidence management. Organisations should set reminders to regularly review evidence health, coverage gaps, retention needs and compliance risks. They should also assess intake workflows and tools such as auto-capture for potential enhancements, and update procedures to account for regulatory changes and new compliance requirements.
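The five practices above can be made concrete in code. The following is an added illustration, not code from the article or from ZenGRC: a small in-memory evidence repository that hashes each artefact on intake and records the custodian and timestamp (chain of custody), exposes tag-based search, restricts reads by compliance domain, logs every read to the custody chain, and runs a periodic review that reports domains with no evidence and records older than a refresh window. The user names, domains, artefacts and the permission model are all constructed for the example.

```python
"""Added example: a minimal compliance-evidence repository. All artefacts,
users, domains and the ACL model below are constructed for illustration."""
import hashlib
from datetime import datetime, timedelta, timezone


class EvidenceRepository:
    """Central store (practice 2): one record per artefact, keyed by the
    SHA-256 of its bytes, so integrity can be re-verified at any time."""

    def __init__(self, permissions):
        # Hypothetical ACL model: {user: set of compliance domains the user may read}
        self._permissions = permissions
        self._blobs = {}      # digest -> raw evidence bytes
        self._records = {}    # digest -> metadata and custody log

    @staticmethod
    def _now():
        return datetime.now(timezone.utc)

    def ingest(self, name, data, custodian, domain, department, kind, collected_at=None):
        """Practice 1: standardised intake. The custodian, the collection time
        and a content hash are captured so later tampering is detectable."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self._records:
            return self._records[digest]          # identical re-submission is a no-op
        ts = (collected_at or self._now()).isoformat()
        record = {
            "digest": digest,
            "name": name,
            "custodian": custodian,
            "collected_at": ts,
            # Practice 3: descriptive metadata aligned to the compliance domain
            "tags": {"domain": domain, "department": department, "type": kind},
            "custody": [{"at": ts, "actor": custodian, "action": "ingest"}],
        }
        self._blobs[digest] = bytes(data)
        self._records[digest] = record
        return record

    def search(self, **tags):
        """Practices 2 and 3: find evidence by tag, e.g. search(domain="DORA")."""
        return [r for r in self._records.values()
                if all(r["tags"].get(k) == v for k, v in tags.items())]

    def fetch(self, digest, user):
        """Practice 4: restricted access. Reads outside the user's domains are
        refused; every permitted read is appended to the custody chain."""
        record = self._records[digest]
        domain = record["tags"]["domain"]
        if domain not in self._permissions.get(user, set()):
            raise PermissionError(f"{user} may not read {domain} evidence")
        record["custody"].append({"at": self._now().isoformat(), "actor": user, "action": "read"})
        return self._blobs[digest]

    def custody_log(self, digest):
        return list(self._records[digest]["custody"])

    def verify(self, digest):
        """Integrity check: recompute the hash over the bytes currently stored."""
        return hashlib.sha256(self._blobs[digest]).hexdigest() == digest

    def review(self, required_domains, max_age_days, now=None):
        """Practice 5: periodic review. Reports required domains with no
        evidence at all and records older than the refresh window."""
        now = now or self._now()
        present = {r["tags"]["domain"] for r in self._records.values()}
        stale = [r["name"] for r in self._records.values()
                 if now - datetime.fromisoformat(r["collected_at"]) > timedelta(days=max_age_days)]
        return {"missing_domains": sorted(set(required_domains) - present), "stale": sorted(stale)}


def build_sample_repository():
    """Constructed sample: three artefacts from three custodians, two users."""
    repo = EvidenceRepository({
        "compliance.analyst": {"DORA", "GDPR"},
        "external.auditor": {"DORA"},          # engaged for the DORA review only
    })
    t0 = datetime(2025, 1, 6, tzinfo=timezone.utc)
    repo.ingest("ict_risk_policy_v3.pdf", b"constructed policy text", "risk.owner",
                "DORA", "IT Risk", "policy", t0)
    repo.ingest("access_review_2024q4.csv", b"user,role,reviewed\nalice,admin,yes\n",
                "iam.lead", "GDPR", "IAM", "audit-log", t0 - timedelta(days=400))
    repo.ingest("phishing_training_2024.csv", b"user,completed\nbob,2024-11-02\n",
                "hr.lead", "GDPR", "HR", "training-record", t0)
    return repo


def run_demo():
    """Exercise the repository on the sample and return the outcome of each check."""
    repo = build_sample_repository()
    now = datetime(2025, 1, 6, tzinfo=timezone.utc)
    results = {"dora_records": len(repo.search(domain="DORA"))}
    policy = repo.search(domain="DORA")[0]["digest"]
    results["auditor_can_read_dora"] = repo.fetch(policy, "external.auditor") is not None
    training = repo.search(type="training-record")[0]["digest"]
    try:
        repo.fetch(training, "external.auditor")
        results["auditor_blocked_from_gdpr"] = False
    except PermissionError:
        results["auditor_blocked_from_gdpr"] = True
    results["custody_entries"] = len(repo.custody_log(policy))   # ingest + one read
    results["review"] = repo.review(["DORA", "GDPR", "AI Act"], max_age_days=365, now=now)
    results["intact_before"] = repo.verify(policy)
    repo._blobs[policy] += b" (edited after collection)"          # simulate tampering
    results["intact_after_tamper"] = repo.verify(policy)
    return results
```

The point the paragraphs leave implicit is that chain of custody only means something if the evidence is bound to a content hash at intake: the final two checks show that a post-collection edit to the stored bytes is detected on re-verification, and the custody log shows who read the artefact and when, which is what an auditor or regulator will ask for.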

“As evidence-based compliance frameworks become the norm, compliance professionals will have the opportunity to grow into a new role as valued strategic consultants and not just being treated as part of a box-ticking department,” vouches Adam Zoucha, senior vice president international at FloQast. “This will be a positive change. Compliance professionals who work in a function focused on strategic risk navigation are more likely to make suggestions, feel they have a valuable voice, take a wider view and suggest future long-term solutions not yet on the table.”

Key regulatory frameworks

In addition to the factors previously noted, the EU’s approach to regulatory compliance has also been shaped by key frameworks such as the General Data Protection Regulation (GDPR), applicable since May 2018, which imposes comprehensive risk assessment and extensive disclosure requirements on organisations.

“The specificity of the GDPR’s requirements and the weight of its penalties have acted as a wake-up call to compliance functions across the EU and beyond,” says Mr Zoucha. “This is seen in the fact that ‘GDPR’ is now a household word – its implications are so massive that the man in the street knows about it, not just compliance experts.

“As a result, compliance requires more than box ticking – it requires root and branch effort,” he continues. “That, in turn, requires a more structured, formalised compliance approach to prove in granular detail organisations are complying with a massively far-reaching regulation.”

Under the GDPR, organisations are further incentivised to prioritise and formalise their compliance initiatives by stringent penalties for non-compliance, with fines reaching up to €20m or 4 percent of global annual turnover, whichever is higher. Moreover, the GDPR has heavily influenced global organisations outside the EU, many of which have adopted GDPR-like measures when handling the personal data of individuals in the EU, to whom the regulation applies regardless of citizenship.

“The GDPR has been pivotal in moving the compliance dial, ensuring a more structured and formal approach, and introducing privacy by design and default,” adds Ms Mouat. “It brought a focus on risk management, accountability, transparency and other standards across all sectors. Its emphasis on documentation and a proactive approach has helped to set a new benchmark for evidence-based compliance.”

EU vs. US compliance

For many years, European regulators were generally perceived as lagging behind their US counterparts in terms of organised compliance frameworks. Indeed, US-based organisations have long been considered a compliance bastion, particularly with the establishment of the chief ethics and compliance officer role under the Foreign Corrupt Practices Act and Sarbanes-Oxley Act.

“Agencies like the Securities and Exchange Commission and Federal Trade Commission provide guidance, but organisations have more latitude in tailoring compliance programmes to their specific needs,” asserts Ms McNaul. “While penalties for non-compliance exist, they tend to be less uniform and severe than in Europe.”

Nevertheless, the gap in compliance posture between the US and the EU, she contends, is closing. “While we would not necessarily say that the EU has forged ahead of the US, there are key differences,” notes Ms McNaul. “For example, while the US’ Gramm-Leach-Bliley Act data privacy considerations currently apply only to financial institutions, the GDPR’s broad scope applies to any organisation that processes the data of EU citizens. This suggests that the EU is pushing beyond the US in some areas.”

Rigorous and expansive

With European regulators continuing to develop regulations that demand a more evidence-based approach, organisations will be increasingly required to integrate compliance into their core business strategies and provide clear evidence of their risk management practices.

Three key pieces of EU legislation currently shaping this approach, with deadlines that fall within 2025, are worth noting: the Corporate Sustainability Reporting Directive, the Digital Operational Resilience Act and the Artificial Intelligence Act, each of which carries stringent reporting requirements.

“Europe’s approach to evidence-based compliance frameworks is likely to evolve by integrating technology, sustainability and cross-border cooperation,” forecasts Ms McNaul. “As tools like data analytics and artificial intelligence become more advanced, regulators in Europe, as well as those in other jurisdictions, are likely to use real-time monitoring and predictive tools to enhance oversight.

“Moreover, Europe’s progress in data protection, particularly through the GDPR, has prompted a global shift, inspiring privacy laws in countries like Brazil and India,” she concludes. “As European frameworks continue to evolve, the trend suggests they will continue influencing organisations worldwide to integrate technology, ESG principles and stricter cyber security measures in alignment with Europe’s evolving standards.”

With an overreliance on a checklist approach to compliance steadily being consigned to history and evidence-based frameworks rapidly taking its place, organisations across the EU can provide clear, documented evidence that they are not only meeting regulatory requirements but also achieving the intended outcomes of those regulations – helping them thrive in an increasingly complex legislative environment.

© Financier Worldwide


By Fraser Tennant
