Financial Regulatory Change Management Reimagined: How AI is Rewriting the Rulebook
Request a DemoCompliance teams at banks and payment providers are facing an unprecedented double-whammy. On one hand, boards and C-suites are demanding immediate AI adoption to cut operational costs. On the other hand, the volume, velocity, and cross-border complexity of regulatory changes are skyrocketing - and the personal liability for compliance failures remains entirely real.
How do you bridge the gap between boardroom hype and defensible, regulatory-grade reality? In our recent webinar, Luke Baker (Payments and Banking Industry Lead at Vixio) sat down with an expert panel, including Nilesh Khatri, Head of Technology, Regulated FinTech & Financial Services, and Andrew Dawson, Chief Risk and Compliance Officer / MLRO, Yeepay UK, discuss how financial services firms are actually deploying AI on the ground, bypassing endless data-cleansing projects, and keeping humans firmly in control.
The Compliance Vice: Boardroom Pressure vs. Regulatory Reality
"Most teams are caught in a bit of a vice," Luke Baker opened. "On one side, you have boards demanding immediate AI adoption. On the other, you have the sheer volume of regulatory change—and 85% of compliance leaders say managing cross-border complexity is their biggest headache."
While generic, consumer-facing LLMs (Large Language Models) are highly capable, their unacceptably high hallucination rates make them a non-starter for high-stakes regulatory decisions. To make AI "regulatory-grade," firms have to systematically strip away the machine's "creativity."
Andrew Dawson shared a practical example from his time at LHV, where they built a proprietary LLM to assist analysts with Suspicious Activity Report (SAR) filings:
"We placed this model in a proprietary environment so the data wasn't used to train public models, anonymized the customer data, and - most importantly - turned the 'heat settings' down to the absolute minimum. You don't want any sort of creativity or imagination when you're writing a SAR."
— Andrew Dawson, Chief Risk and Compliance Officer / MLRO, Yeepay UK
The result? An analytical process that previously took five hours was reduced to near-instantaneous, allowing analysts to focus on high-value human verification rather than repetitive data formatting.
Bypassing the Utopian Data Lake: The 60-25-15 Rule
A common roadblock to AI adoption is messy, siloed legacy data. Many compliance teams assume they must wait for a multi-year, multi-million-dollar enterprise data transformation project before they can even pilot an AI tool.
Nilesh Khatri suggests bypassing this "utopian" trap by starting small and allocating budgets realistically. He introduced a pragmatic framework for AI compliance pilots:
The 60-25-15 Budgeting Framework
- 60% on Data Hygiene: Sourcing, cleaning, mapping lineage, and establishing ownership for a very narrow, targeted domain or jurisdiction first.
- 25% on Governance and Control: Setting up audit logging, decision authority, testing boundaries, and human oversight.
- 15% on AI Tooling and Licensing: The actual software and model access.
"In many failed pilots, this ratio is completely inverted. Teams spend all their budget on the shiny new AI tool, and squeeze the data and governance pieces. To show momentum, pick a single jurisdiction or a specific product taxomony, get it right, and replicate that success."
— Nilesh Khatri, Head of Technology, Regulated FinTech & Financial Services
Can Agentic AI Handle Granular Regulatory Nuance?
The industry is rapidly shifting past basic Q&A chatbots and moving toward agentic AI—systems designed to run in the background, autonomously filtering noise, extracting obligations, and triggering workflows.
But can an AI agent actually grasp the spirit of complex regulations? The panel agreed that while AI is highly efficient at "bookending" the compliance lifecycle - specifically horizon scanning (identifying that a rule has changed) and administrative actions (like populating repetitive KYC questionnaires) - the critical middle phase must remain human.
For instance, when the UK introduced new safeguarding regulations for EMIs, understanding how those rules interacted with a firm's unique, localized treasury systems required deep contextual knowledge, emotional intelligence, and organisational navigation that no AI possesses.
Furthermore, Nilesh warned of a potential bottleneck: "If AI compresses the time it takes to scan and flag rules, but your human interpretation team is capped, you haven't actually sped up your implementation timeline. You’ve just built a much larger backlog."
Designing for Failure: Auditing the "No-Action" Decisions
Regulators are notoriously ruthless when it comes to explainability. If an AI system autonomously filters out 90% of regulatory updates as "noise," how do you prove to an auditor why a specific rule was dismissed?
The consensus was clear: You must design for failure, not the happy path.
- Separate Recommendations from Decisions: The AI should only recommend a course of action. The final click, justification, and sign-off must come from a named, accountable human.
- Log Everything at Runtime: Audit trails must capture the exact prompt, data inputs, model version, and human override logs at the split-second the decision is made—not reconstructed after the fact.
- Avoid the Black Box: Put the burden of proof on your software vendors. If a system flags or dismisses an alert, a non-technical compliance officer must be able to easily trace and export why that path was taken.
The Verdict: AI is the Assistant, Not the Decision-Maker
As personal liability regimes like the UK's SMCR expand, compliance officers cannot afford to outsource their judgment. AI is a powerful cognitive assistant that can handle the administrative heavy lifting, but the ultimate accountability - and the final interpretation - remains human. As Luke Baker summarised: "You can outsource the execution of a system, but you can never outsource the accountability."
Hear the Full Discussion On-Demand
Want to dive deeper into use cases like transaction monitoring optimisation, the rise of "no-code" compliance builds, and how to manage cross-border data residency limits?

