CCO 2026: When the Regulator and the Board Are Raising the Same Issue

Across many financial institutions, a shared reality is taking shape, even if it is rarely articulated openly between the relevant stakeholders.

Caught between these two forces, the CCO is under pressure. The most intuitive response, addressing each pressure separately by adding resources to satisfy regulators while launching efficiency initiatives for the board, is showing its limits.

Regulators and executive leadership are pointing to the same underlying issue: the sustainability of the compliance operating model.

The real question is not choosing between rigor and efficiency. It is understanding why, when properly designed, one leads to the other.

1. Regulatory Pressure: A Paradigm Shift Since 2020

Over recent years, regulatory pressure has stopped being simply about compliance with an expanding body of rules. It has changed in nature. Supervisors no longer expect programs to be merely “in place.” They expect concrete evidence of their operational effectiveness.

DORA mandates documented, tested, and demonstrable operational resilience. SFDR requires institutions to produce precise and usable ESG data on their investments. The EU AML legislative package tightens the quality requirements on analyses and reports. And AI regulation introduisent de nouvelles contraintes de gouvernance.

Individually, these requirements remain manageable. Collectively, they create unprecedented operational pressure on organizations that have themselves changed little. The result: volumes grow, timelines tighten, and analytical quality, the very thing regulators are asking for, erodes.

Regulators are no longer asking for programs. They are asking for tangible proof that those programs work. That is a fundamentally different ask.

2. Budget Pressure: New Expectations from the Board

Compliance budgets in Europe have followed an unprecedented trajectory over the past decade. Between 2014 and 2024, compliance costs at European financial institutions rose sharply, driven by hiring, remediation programs, and technology investments.

For a long time, this trajectory was accepted without serious challenge, in an environment defined by heavy regulatory pressure and high-profile, deterrent-level sanctions. That era is ending.

Today, a threshold has been crossed. The question is no longer simply “Are we compliant?” but “How do we demonstrate it, and at what cost relative to the value produced?” This shift is structural. It marks compliance’s entry into a maturity logic: no longer only a protection function, but one whose operational efficiency must be demonstrated.

For the CCO, this creates a dual constraint: maintaining high regulatory standards while justifying resource allocation. But it is also an opportunity – to drive a genuine model transformation, provided the impact can be demonstrated.

3. Why Addressing Both Pressures Separately Is a Dead End

Addressing these two pressures separately is not just inefficient. It is counterproductive.

Reinforcing programs without changing the operating model means adding load to teams that are already stretched. Analysts process more alerts, produce more documentation, and respond to more regulatory requests, but with the same tools, the same processes, the same information silos. Analytical quality does not improve. It erodes further.

Adding resources or controls without evolving the operating model amounts to increasing the burden on teams, multiplying low-value tasks, and further diluting analytical quality. Analysts handle more alerts, produce more documentation, and field more requests – but within the same structural constraints.

Conversely, launching efficiency initiatives disconnected from regulatory requirements means improving productivity metrics without improving decision quality. Reducing the cost of processing an alert is meaningless if the genuine detection rate does not move. Regulators do not measure speed. They measure quality.

Addressing these two pressures separately amounts to optimizing a model whose foundations are no longer fit for purpose. You improve what exists, without questioning the direction.

Regulators and the board are expressing the same expectation in different language. Both want a model capable of producing quality decisions in a traceable, reproducible, and resource-efficient manner. The answer is not a trade-off. It is a transformation of the operating model.

4. The 2026 Compliance Operating Model: Three Necessary Shifts

Transforming the compliance operating model does not mean starting from scratch. It means identifying the structural shifts capable of simultaneously freeing up analytical capacity, elevating decision quality, and meeting the traceability standards regulators expect.

These three shifts must not be approached in isolation. They form a coherent system: automation frees up capacity, refocusing experts strengthens analytical quality, and quality-driven management makes it possible to demonstrate that value, both to the regulator and to the board.

5. What the CCO Can Activate Right Now

Transformation does not require a large-scale program from the outset. Three actions can initiate a credible momentum:

Evolve the Reporting Framework

Introducing decision quality indicators into traditional dashboards makes visible what was previously invisible. It immediately changes the nature of steering committee discussions.

Reframe the Dialogue with the Board

The goal is no longer to defend a budget, but to propose a different frame: what teams are doing today, what they could do with a better-designed model, and the concrete impact in terms of risk reduction and cost efficiency.

Run a Pilot on a Defined Scope

A concrete use case (AML, KYC, or regulatory response) is used to pilot unified information access and partial task automation over a defined period.

Measuring results grounds the transformation in evidence, with the board and the regulator alike.

These three actions alone will not transform the model. But they lay the concrete foundation: establishing an evidence base, aligning stakeholders, and demonstrating value through tangible results.

The question is no longer how to respond to two distinct pressures. It is recognizing that they reflect a single underlying requirement: a compliance model capable of delivering quality, traceability, and efficiency. In other words, a model that is finally sustainable.

• Regulators and executive leadership are converging on the same diagnosis: compliance programs must be both more robust and more efficient. The CCO sits at the intersection of these two demands and cannot address them in isolation.
• Treating these pressures separately is counterproductive: reinforcing programs without changing the operating model dilutes analytical quality, while efficiency initiatives disconnected from regulatory expectations do nothing to improve the quality of decisions.
• Three structural shifts can address both pressures simultaneously: automating low-value mechanical tasks, refocusing experts on complex analysis, and managing by decision quality rather than by volume.
• The CCO can initiate this transformation without a large-scale program: evolving the reporting framework, repositioning the dialogue with the board around value created, and launching a pilot on a defined scope to demonstrate impact through concrete results.

FAQ

01

How do you convince the board to invest in compliance model transformation when budgets are already under pressure?

The most effective entry point is reframing the conversation. Rather than defending an additional budget, the goal is to surface what the current model is actually costing: analyst time consumed by mechanical tasks, quality risk in files submitted to authorities, regulatory exposure. By making those costs visible and proposing a pilot with clear metrics, the CCO shifts from a defensive posture to a credible, quantified case for transformation.

02

Won’t automating compliance tasks risk degrading decision quality or creating new blind spots?

The risk exists if automation is poorly targeted. That is why it must focus first on mechanical, repetitive tasks: qualifying low-relevance alerts, gathering multi-system information, generating standardized documentation. These tasks do not require the expert’s analytical judgment. Automating them frees that capacity for cases that genuinely warrant it. Complex decisions, the identification of atypical patterns, and the construction of referral-ready files remain human acts, strengthened by better working conditions.

03

What concrete metrics allow you to manage compliance program quality rather than just volume?

Three metrics are particularly relevant. The alert-to-qualified-case conversion rate measures the genuine efficiency of the detection program. Referral quality to authorities assesses the analytical robustness of cases produced. And decision consistency across analysts on comparable cases surfaces variability and identifies calibration or training needs. These three indicators complement traditional volume and turnaround metrics and allow operational management to align with what regulators actually expect.