From Reactive to Ready: Modernising Regulatory Change Management in Banking

Regulatory change management (RCM) has become one of the most demanding challenges facing banks today. With new rules and guidance emerging every 12 minutes globally, compliance teams are under relentless pressure to keep up. Over the past decade, compliance costs have risen by more than 60%, and nearly 40% of compliance leaders acknowledge that their organisations still lack a clear strategy to manage growing regulatory complexity.

Against this backdrop, a recent Vixio webinar brought together industry experts Joanna Pesantez, Head of Compliance at Kroo, Stefan Moser, Head Group Compliance & Operational Risk at VP Bank, and Sherra Brown, Head of Regulatory Research & Analysis from Vixio. Their discussion focused on how banks can shift away from reactive firefighting and towards a more structured, forward-looking approach to RCM. Three clear themes emerged.

Key Takeaway 1: A Mature RCM Process Requires Structure and Agility

A modern RCM framework needs to be both robust and adaptable, moving well beyond manual tracking exercises. Across the panel, there was broad agreement that mature programmes follow a clear end-to-end lifecycle: Identify → Assess → Engage → Implement → Monitor.

Getting the early stages right is critical. Joanna Pesantez highlighted the importance of a strong assessment phase, noting that when teams invest time upfront and bring stakeholders along on the journey, implementation tends to run far more smoothly. This stage, however, is often the most complex. Regulations differ significantly across jurisdictions, and outcome-based regimes such as Consumer Duty require interpretation rather than simple box-ticking.

“If you get the assessment phase right and bring people along on the journey, implementation becomes much smoother.”

_{-Joanna Pesantez, Head of Compliance at Kroo}

Stefan Moser reinforced this point, stressing that the sheer volume of regulatory change makes accurate assessment non-negotiable. With new requirements appearing every few minutes, missing a key obligation at this stage can undermine all subsequent implementation efforts.

Key Takeaway 2: Evidence and Auditability Are Non-Negotiable

Implementing regulatory change is only half the challenge; proving it has been done properly is just as important. Sherra Brow underscored the importance of maintaining a clear and comprehensive audit trail, posing a simple but powerful question: if an organisation can’t evidence its actions, can it really claim compliance?

Strong auditability not only satisfies regulators but also strengthens a bank’s overall risk posture. More mature RCM programmes capture the full lifecycle of regulatory change, enabling institutions to demonstrate accountability during audits and reducing the likelihood of adverse findings or consent orders.

Key Takeaway 3: Technology and Culture Drive Proactive Compliance

While spreadsheets may still be common, particularly in smaller institutions, they are becoming increasingly difficult to sustain. Automation and AI are emerging as powerful enablers, especially when it comes to impact assessment and workflow management.

Stefan Moser shared that, given the choice, assessment would be the first stage he would automate, pointing to AI’s potential to map regulations to organisational requirements and significantly reduce manual effort. Sherra Brown echoed this sentiment, emphasising that AI is not about replacing compliance professionals but about giving them better tools to move from reactive responses to proactive planning.

“If I could automate one stage, it would be assessment. AI could help map regulations to organizational requirements, saving enormous time.” 

_{-Stefan Moser, Head Group Compliance & Operational Risk at VP Bank}

However, technology alone is not enough. A strong compliance culture across both first and second lines remains essential. As Joanna Pesantez explained, when people understand the rationale behind regulatory changes, adoption and implementation become far more effective.

“People need to understand the ‘why’ behind changes. When they do, everything goes much smoother.”

_{-Joanna Pesantez, Head of Compliance at Kroo}

‍

Looking ahead, the next frontier for RCM lies in predictive analytics and deeper integration with GRC systems, offering true end-to-end visibility. Banks that invest in the right technology and embed compliance into their organisational culture will be better positioned to reduce risk, improve efficiency, and build resilience in an increasingly complex regulatory environment.

‍

Want to hear the full conversation? Get it on demand here.