SteelEye's Key Takeaways from XLoD Global – London 2024: Navigating Non-Financial Risk, Control, and Compliance in a Complex Landscape

The XLoD Global conference in London this week convened leaders and senior managers from some of the world’s largest financial institutions to explore critical issues in non-financial risk, control, and compliance.

Over two days, regulators, industry practitioners, and technology providers shared insights on the trends and challenges shaping the future of financial services control and risk.

Here, we highlight SteelEye's main takeaways from the event, focusing on themes in risk and control priorities, data challenges, technological advancements, and evolving regulatory expectations.


Risk and Control Landscape: Prioritizing What Matters

One of the biggest challenges for risk and control departments is determining where to focus and what to prioritize—a theme that emerged strongly at XLoD Global - London 2024, particularly in the context of planning for the year ahead. While there’s growing recognition that firms can't address every issue simultaneously, the question remains: how do you decide what to focus on? With regulatory priorities on one side and internal objectives on the other, alignment is critical yet often complex.

Key Points:

  • Aligning Firm and Regulatory Priorities: Balancing regulatory demands with organizational priorities is challenging, especially when they don’t fully align. Firms need confidence in setting their own risk agendas—even if they differ from the regulator’s focus. By establishing a clear, justifiable framework, firms can manage risks in a way that satisfies regulatory expectations without compromising their core objectives.

  • Shifting from Process to Risk Management: Over time, risk and control practices have transitioned from process-oriented management to risk-based approaches. Prioritizing based on risk allows firms to allocate resources to the most significant threats, aligning efforts with the areas that carry the most impact.

    • This approach entails viewing risk as the primary gauge through which priorities are set, with the biggest risks taking precedence.

    • Risk serves as the guiding metric, or “barometer,” for monitoring, measuring, and adapting priorities—a pragmatic approach in an environment where addressing every issue is impossible.

  • Focusing on What’s Controllable: In many cases, broader macro issues lie beyond a firm’s direct control, making it crucial for firms to concentrate on areas they can genuinely influence. Regulators want well-managed institutions, and their expectations are often reasonable. Problems arise when firms over-engineer or complicate their responses to regulatory feedback, leading to inefficiencies.


Dynamic Risk Management Programs: Staying Agile in a Fast-Paced World

With advancements in technology and rapidly evolving markets, static, annual risk management plans are increasingly ineffective. Today’s risk and control functions must be flexible and responsive to keep pace with real-world changes.

Key Points:

  • Beyond Annual Plans: In an environment where trading methods and communication channels constantly evolve, risk management programs must be dynamic and agile. Static, annual planning can leave firms vulnerable to unanticipated risks.

  • Embracing Agility: Regulators expect firms to demonstrate adaptive capabilities that respond effectively to a broad range of risks. A dynamic approach enables risk and control teams to proactively address emerging risks, identifying threats early rather than reacting after the fact. By leveraging advanced technology, firms are better equipped to meet these expectations.

  • Evolving Risk Assessments: The dynamic risk environment pressures firms to continuously update their risk assessments. However, overly complex assessments can lead to operational inefficiencies and obscure critical risks. Firms must ensure their assessments are both comprehensive and manageable.


Data: Quality and Lineage Remain Critical Challenges

Data quality and lineage remain critical, particularly as firms increasingly adopt generative AI and other advanced technologies that rely on structured, high-quality data. However, many firms continue to grapple with core data challenges, including fragmentation and insufficient ownership.

Key Points:

  • Data as an Asset: Treating data as an asset is essential for effective compliance. Firms with strong data quality gain advantages in compliance, AI capabilities, and overall risk management.

  • Prioritizing Data Improvements: It’s unrealistic to address all data issues simultaneously. Instead, firms should prioritize high-value data sets and use cases, applying a targeted approach to ensure key data is accurate and complete.

  • Cross-Functional Data Ownership: Data quality and lineage are best achieved through shared ownership. In some firms, data ownership resides within the second line of defense; however, effective data governance requires collaboration across departments and use cases.

  • Managing Unstructured Data: New technologies, including generative AI, are helping firms tackle unstructured data challenges, providing greater visibility and enabling deeper analysis.

  • Modern Technology: Platforms that unify structured and unstructured data support regulatory compliance by enhancing data integrity and lineage.


Communication Surveillance and the Challenges of Off-Channel Comms

Off-channel communications remain a significant challenge, particularly as employees use a growing number of digital tools to communicate. Advances in monitoring technology have made it easier to mitigate the risk of off-channel communications, but balancing costs and functionality remains complex. Many firms still opt to ban specific encrypted messaging channels through policy. However, as technology evolves, regulators are shifting their expectations, placing increased demands on financial institutions to carry out more sophisticated surveillance of communications.

Key Points:

  • Evolving Regulatory Expectations: Regulators are moving beyond a focus on record-keeping and placing greater emphasis on full data coverage and effectiveness in surveillance practices. It is increasingly important for firms to demonstrate not only that they are capturing data but also that they have control systems and well-trained staff to monitor communications proactively.

  • Driven by Fines Over Written Regulations: Much of the compliance pressure around communication surveillance has stemmed from enforcement action rather than specific, codified guidelines. As a result, firms are calling for more “pen-to-paper” clarity, as vague guidance combined with significant penalties creates a challenging operating environment.

  • Regulatory Clarity and Anticipated Actions: Experts anticipate that regulators will provide greater clarity around communications surveillance requirements, including specific areas like voice surveillance, in the near future.

  • Overlooked Channels: While much focus has been on well-known platforms like WhatsApp, many firms overlook channels such as Slack, Telegram, or tools popular within specific departments (e.g., engineering). This oversight can create compliance blind spots and expose firms to risks.

  • Managing False and True Positives: High alert volumes and false positives remain a concern. However, a prominent challenge lies in managing true positives, as employees may claim off-channel discussions were innocuous, such as “just asking what time to go to the gym.”

  • Subtle Patterns of Evasion: Detecting nefarious activity in communications requires monitoring common evasion tactics, such as message deletion, edits, or whispered conversations. These can often be identified if systems are properly configured.

  • Growing Role of Voice Surveillance: With advancements in transcription and voice analytics, there is now a compelling case for firms to enhance voice surveillance. Voice remains a channel where employees are typically less guarded, increasing the likelihood of compliance risks. Yet, it is often overlooked in risk frameworks, where standard practices involve only random sampling of voice calls.

  • Expanding Scope of Surveillance: As communication surveillance evolves, its applications are expanding beyond market abuse to include non-financial misconduct, such as harassment, bullying, and other inappropriate behaviors. Regulators increasingly expect firms to monitor for these issues.


Trade Surveillance: Balancing Rules-Based Systems with AI Models

The XLoD conference highlighted the evolving landscape of trade surveillance, where both rules-based systems and AI-driven models are shaping the future of monitoring and compliance. As financial institutions strive to balance the strengths of each approach, they face challenges in calibration, data integration, and the persistent issue of false positives.

Key Points:

  • Rules-Based Systems: While rules-based systems are repeatable and valuable for consistent application, they require careful calibration to minimize false positives. Without a “gold standard” to guide them, these systems often generate unnecessary alerts. To improve efficiency, robust models should be capable of self-calibration or, where feasible, managed by vendors with user oversight and approval.

  • AI Models in Trade Surveillance: AI models are gaining traction in trade surveillance as they can analyze complex patterns, adapt to evolving behaviors, and manage alert volumes through scoring. Regular training of these models, supported by strong data quality, lineage, and venue inventory, is essential for accurate performance.

  • Cross-Product Analysis: AI is particularly advantageous for cross-product analysis, a regulatory priority, especially in OTC trades. The ability to identify correlations across products enhances compliance in complex trading environments.

  • Data Completeness and Integration: A significant challenge for effective trade surveillance is achieving complete and integrated data, particularly when analyzing cross-product or OTC trades. Incomplete data can obscure patterns and weaken analysis. Firms are increasingly adopting proactive strategies to identify and address data gaps.

  • False Positives and Alert Reduction: Reducing false positives remains a pressing concern, as excessive alerts can overwhelm compliance teams. Profiling and rule-based adjustments can help manage alert volumes, enabling teams to concentrate on high-risk cases.

  • Front-Office Culture and Vigilance: Maintaining a culture of vigilance within the front office is critical, especially as voice-based trade manipulation becomes a focus area. Surveillance teams must collaborate closely with front-office personnel to monitor compliance and detect any suspicious patterns.

 


2025 Priorities: Automation, Standardization, and Integrated Surveillance

As risk and control environments grow more complex, firms are prioritizing automation, standardization, and integrated surveillance to streamline compliance and reduce operational inefficiencies. These 2025 priorities aim to unify control efforts, simplify processes, and enhance the accuracy and consistency of risk management across regions.

Key Points:

  • Automation: Automation remains a top priority for firms as they strive to enhance efficiency across risk and control departments. Firms are evaluating which processes are most suitable for automation, recognizing that its extent depends on the specific process or control. For example, surveillance obligations benefit significantly from automated solutions that summarize information, provide risk scores, and suggest preliminary resolution categories. However, while automation can handle repetitive tasks and data processing, human analysts remain essential for decision-making. This approach underscores the principle that automation should enhance processes rather than replace critical controls and human oversight.

  • Standardization: Over time, many firms have accumulated a vast number of controls across the three lines of defense, often operating in silos tailored to specific risk types or control categories. This fragmented approach has resulted in costly, data-intensive processes, duplicated efforts across teams, and the risk of gaps between control environments. In 2025, a key focus will be breaking down these silos and standardizing controls to create a cohesive, unified framework. By aligning and consolidating controls, firms can better communicate and report risks at the board level, offering a clearer, more comprehensive view of the control environment while reducing operational complexity.

  • Integrated Surveillance: The convergence of communications and trade surveillance functions is increasingly viewed as essential for effective risk management. Integrating voice, e-communications, and trade surveillance into a single platform enables firms to maintain unified oversight, minimize risk by reducing data silos, and support consistent compliance processes across jurisdictions. While integrated surveillance offers a holistic view of risk, data alignment challenges persist. Disparate data formats, quality standards, and reporting structures across communication and trade systems complicate integration. However, advanced platforms that specialize in bridging these gaps are available. As regulatory expectations evolve, firms are encouraged to leverage such solutions to enhance their risk management frameworks.


Insights from Regulators

In today’s evolving financial landscape, regulators emphasize adaptable compliance frameworks that keep pace with market demands and technological advancements. At XLoD, regulators highlighted their preference for flexibility over rigid rules, allowing firms to tailor compliance to their unique needs. They also underscored the importance of leveraging new technologies to enhance risk and control programs.

Key Points:

  • Adapting Risk and Compliance Frameworks to the Dynamic Financial Landscape: In an evolving financial landscape, compliance, control, and risk frameworks must also evolve. Regulators expect firms to adapt their practices to meet the demands of a dynamic marketplace and advancing technologies. Static compliance programs are no longer sufficient; firms must continuously assess emerging threats and technological advancements.

  • Balancing Regulatory Clarity with a Principle-Based Approach: A poll revealed firms’ frustrations with regulatory guidance, particularly regarding a lack of clarity. However, regulators at XLoD noted that financial institutions likely wouldn’t want rigid, one-size-fits-all rules. Regulatory frameworks are often principle-based, providing firms the flexibility to tailor compliance to their unique operational models. This approach allows firms to implement compliance programs that best fit their needs, with regulators verifying their effectiveness through oversight. Striking a balance between desiring clear rules and avoiding a “tick-box” regulatory approach remains a challenge.

  • Regulatory Expectations Around the Use of Technology: Regulators are closely monitoring technological advancements as these shape their expectations for compliance. Today’s capabilities—such as improved voice transcription and linking voice and electronic communications with trading activity for full trade reconstruction—open new possibilities for areas like surveillance. These advancements also raise the bar for financial firms, which are now expected to evolve their compliance and risk processes accordingly.

  • Approach to AI: Regulators generally view technological advancements like generative AI as beneficial and are even exploring how these tools can improve their own processes. While mindful of AI’s risks, they see its potential to address significant compliance challenges, such as high alert volumes, false positives, and managing unstructured data. For instance, the UK regulator hosted a Tech Sprint in 2024 focused on leveraging AI for trade surveillance, signaling their support for AI’s role in the future of compliance.


Conclusion: Navigating the Future of Compliance

The insights shared at XLoD underscore the transformative shifts occurring in the realms of risk, control, and compliance.

From the growing role of AI and automation to the integration of surveillance functions and evolving regulatory expectations, it’s clear that financial institutions must embrace agility and innovation to stay ahead.

2025 will undoubtedly bring new complexities, but with the right strategies and tools, financial institutions can not only meet these demands but also enhance their resilience and effectiveness. By prioritizing adaptability, standardization, and a proactive approach to compliance, firms can ensure they are well-equipped to navigate the road ahead.
