In this episode of the ProSight Banking Strategies podcast, ProSight’s Product Manager for Risk and Compliance Amy Repp and Product Manager for its Policy Manager Solution Chris Boersma break down findings from the 2026 Compliance Outlook Survey. They discuss how an easing of federal regulation is part of a larger, complex compliance landscape. They explore how banks and credit unions are navigating rising state-level rules, evolving cyber and fraud risks, and the growing role of AI, while shifting toward a more proactive, risk-based approach to compliance.
TRANSCRIPT:
Frank Devlin: This is the ProSight Banking Strategies podcast. We’re here to inform you on the top trends, challenges, and opportunities in banking today. ProSight is a leading non-lobbying connector of people and information with deep expertise in risk, fraud, compliance, and retail and commercial banking. Our purpose is to empower financial services leaders to strengthen and advance our industry through training and insights, as well as tools and resources, like this podcast.
Hello, and welcome to this ProSight Banking Strategies podcast. I’m Frank Devlin, a Senior Editor at ProSight. At a high level for financial institutions, this looks like a moment of regulatory relief. Less federal pressure, clearer priorities, but when it comes to compliance, that’s not really the story at all. Underneath that easy narrative, compliance teams are actually dealing with more complexity, rising budgets, a growing patchwork of state rules, escalating cyber and fraud risks, and a whole new layer of challenges around AI and digital assets.
This is all captured in the recently released ProSight Compliance Outlook Survey for 2026, which drew 150 responses from compliance leaders at institutions of all sizes. It found that 88% of respondents have a clear view of federal regulatory priorities, but the reaction was mixed on how that’s affecting compliance functions on the ground. For example, on balance, 41% of professionals who answered the survey said the approach of the federal regulators would mostly create opportunities to streamline compliance, but 20% said it would create challenges mostly. 34% said it would do both, and the rest were unsure.
To help us make sense of an uneven environment for compliance through the lens of this survey, we have two experts from ProSight, Amy Repp, Product Manager for Risk and Compliance, and Chris Boersma, Product Manager for ProSight’s Policy Manager Solution. Welcome and thank you, Amy and Chris. I was wondering if we could start off by you giving us a little bit more of your background. So Amy, can you tell us a little bit about yourself?
Amy Repp: Yes, thank you very much. I have more than 20 years of banking experience. I have worked in credit unions, community banks, as well as large national banks. I have been on the retail side in management, and spent my most recent 10 years prior to coming to ProSight as an internal auditor of compliance. So, that rounds out my background prior to ProSight. I’ve been with ProSight for about two years now.
Devlin: Great, thanks Amy. And Chris?
Chris Boersma: Hi, Frank. Thank you. My name’s Chris Boersma, I’m Product Manager of Compliance with ProSight. And I have been in the banking industry for over 25 years, probably 18 of those in the compliance and audit space. I was a compliance officer with a couple different credit unions and a couple different banks, I also spent five and a half years in consulting.
Devlin: Great. Well, thanks so much to both of you. And Chris, I wanted to start with you because you were actually quoted in the survey report, which is available on ProSightfa.org, as saying, “The current compliance environment is a paradox,” and that word has really resonated. We’ve talked to some other people in the industry and they think that word really describes it. So, we’re talking less federal oversight but more overall complexity. What are you seeing or hearing about on the ground from ProSight members? What are they describing to you?
Boersma: Yeah, thank you, Frank. So, we are seeing a reduction in federal supervision through the elimination of things like reputation risk and rolling back regulatory efforts that were issued by the previous administration.
In order to fill the void for the lack of federal oversight, states have been issuing legislation in areas such as AI, digital assets, privacy, and consumer protection laws to fill those federal gaps. This forces multi-state institutions to manage conflicting compliance standards, often creating an abundance of legal and operational challenges, including investments in technology. Furthermore, institutions face future risks as a change in the presidential administration could reverse legislative efforts, leading to high remediation costs.
Devlin: That’s interesting that you talk about the state regulations and state activity. We see a few states recreating what the CFPB has been doing, and even bringing in Rohit Chopra, who led the CFPB in California for their new agency. So, it’s very interesting what the landscape is looking like right now.
So Chris mentioned concern about a pendulum swing. You streamline your compliance function and then things change again in 2028. What are you hearing there? How do you plan for stability and have it stand up your function that way, but then you also aren’t really expecting it to last. Banks and credit unions are caught in between. How are they dealing with that? What would you recommend?
Repp: I think change has long been a constant in our industry. I don’t necessarily think that’s shocking. Compliance teams are accustomed to working with this phenomenon of working in current guidelines and expectations, while simultaneously understanding changes that are coming. Preparing policies, systems, people to maintain compliance throughout the adjustment phase. I think it’s important to have a reliable source of information for relevant updates and changes and a process to follow to implement those, and perhaps tools also that aid in both understanding and implementing changes as they come.
Devlin: So one of the big changes, if you wanted to talk thematically and what the administration is trying to do, is to get away from check-the-box, and more towards a principles-based approach where you apply the risk appetite and the compliance ethic that makes the most sense for your institution. What are you seeing or hearing again from members about what they are changing and how they’re operating day-to-day? Is that ability or capability being compromised at all by this complex environment that we’re talking about? Are banks in fact able to streamline in some sense their compliance functions? Chris.
Boersma: Financial institutions definitely are shifting away from the check-the-box compliance approach to more of a material financial risk management approach, because simply passing a compliance audit doesn’t mean the institution has adequately mitigated the risks. Checklists focus more on past regulations rather than on emerging threats. So, institutions need to incorporate a strong culture of compliance. Transforming regulatory adherence from position can cause institutions to become confused and less efficient. They really need to focus on the legal requirements and getting those incorporated in the daily operations.
Devlin: Speaking about legal requirements, I imagine that is also complicated by the state regulation challenge. For Amy, what was maybe the hardest part or at least a hard, challenging part of managing compliance? Chris mentioned this earlier, across multiple jurisdictions. How does that actually create challenges when you’re trying to get your job done as a compliance officer?
Repp: It’s no longer just about knowing the rules, it’s about understanding how they are interpreted and applied differently across those different jurisdictions. What is acceptable in one state can trigger a very different expectation in another, and institutions need stronger governance to offset that, better tracking and a dynamic way of updating their policies and controls to fit within that.
Devlin: Yeah, and there’s so much to keep track of now and you have to square one state with another state. A lot of organizations try to hew to the most difficult regulations and then maybe they’re covered for all of them, but then I understand that can also, maybe, if it really could get out of hand because you’re doing so much for one state and it doesn’t really apply very much to the rest. So it’s a very interesting, complicated picture.
So nearly three quarters of respondents to our survey, they believe that anti-money laundering requirements are going to demand more resources. Chris, what do you think is driving that?
Boersma: Yeah, thank you, Frank. So, legacy compliance systems cannot handle modern financial crime tactics. It’s forcing institutions to invest heavily in technology to help them identify the methods that the financial criminals are using. And it’s also becoming more and more challenging because of the adoption of instant payment and borderless payment rails. So, systems must evaluate the risks and run verifications in a split second before a transaction can clear. This requires expensive upgrades to the institution’s overall infrastructure.
Devlin: Right. So you’re talking about fraud risks and money laundering risks. They’re getting faster, harder to deal with because of things like instant payment rails and that sort of thing. That brought fraud to mind. Amy, can you talk about how fraud risks have changed with these new payment systems as money moves faster?
Repp: Yeah, absolutely. There are more channels and less time when it comes to those things, whether it’s the scam of the time or social engineering attacks, deep fake technology, or AI generated phishing campaigns. The speed and scale of attacks continues to increase, and at the same time, faster payments require real-time analytics, monitoring, identity verification because institutions also are expected to respond at a faster and faster pace. So, the challenge really is shifting from reactive fraud detection to proactive prevention through training, customer education, and effective use of their systems and automation.
Devlin: Just to tease out a little bit, you talked about AI, and that is interesting because that’s both a risk and a solution. So we are having fraudsters and maybe even nation states tapping AI to make their exploits tougher to detect and stop, but then we also have financial institutions clearly building up their AI muscle to find and detect things. And I know that AI is going to be very helpful with money laundering, maybe can flag things much faster than a human ever could. Amy, how are you finding that institutions are navigating this sort of push-pull, this balance between AI for good and AI for evil? What’s happening in practice?
Repp: Institutions are definitely wanting to utilize the technology, but also having to understand how to govern it and use it responsibly. So on one hand, as you mentioned, helps improve monitoring, fraud detection, operational efficiencies, but it definitely introduces new risks around models, data quality, misuse by bad actors. So the balance comes from treating it as both an opportunity or a capability and a control issue, where it can strengthen your risk management, use clear governance, human accountability around how it’s deployed.
Devlin: So cyber channels are clearly a very important platform, the main platform for maybe using this AI in a nefarious way. And so, it’s probably not surprising that the top response in the survey for the areas that are demanding more attention and resources was data security and cybersecurity. 78% of our respondents said that was a very top concern.
Chris, other than what we’ve talked about, what are some other reasons that you think cyber and data risks are really taking the lead in boardrooms and top management discussions?
Boersma: So, I think a lot of that has to do with the fact that traditional compliance is generally backward looking. It’s a defined set of rules that are generally static and they may change here and there, but mostly they stay the same. And over time, financial institutions have developed internal controls that have helped mitigate a lot of those risks. The problem with data security and cybersecurity is that they’re evolving, they’re emerging, they’re constantly changing in complexity and volume and sophistication. And the impact that those risks can have on financial institutions is much higher than what we would call the traditional compliance violation or effect.
Devlin: So Chris, data is always talked about as it’s got to be clean, it has to make sense, and nothing else is going to really work well without it, including if you want to deploy AI in an optimal way. So, what separates organizations that are succeeding with how they’re handling data and those that are not? And what have you seen that works? What sort of tips do you talk about?
Boersma: I think institutions that focus on technology to allow them to automate things and become more efficient, become less costly, are going to have an advantage over other institutions that don’t do this. So, AI’s not necessarily going to wipe out a whole bunch of jobs necessarily, but it’s going to make things more efficient. And institutions that use AI are going to be more competitive and more successful than ones that don’t.
Devlin: Sticking on AI a little bit, the respondents clearly said another big priority is automating and using AI to help keep up with all the latest compliance challenges, faster risk, faster payments, everything’s faster. But at the same time, they’re saying that this doesn’t mean, as you’ve mentioned, Chris, this doesn’t mean we’re replacing everyone with AI. No, we need to really focus on talent and developing leadership.
And I remember one of the commenters, we had really great comments if anyone does want to check out the article at prosightfa.org. A lot of rich comments there, and one person said that, “We need someone to tell the story, the narrative. We need our compliance leaders to really tell the story about why we need this compliance function to be strong.”
So, thinking about what you need to do in compliance now, and Chris, you mentioned how it can’t be backward looking so much. What does a modern compliance team need now that it didn’t need five years ago? And maybe not just from the technology end of it, but also maybe culture point of view, talent, skills, what do you think about in those terms?
Boersma: So yeah, I’ve been in compliance for almost 20 years now, and I would say the things that haven’t changed, there’s a set of rules and you have to follow them. What has changed is technology and the ability to communicate with key stakeholders. So, you have to set a tone at the top with compliance and if you’re not getting management on board, it’s going to be very difficult to have a centralized approach with your compliance management system. So I would say the one skill that stands out to me over the others is really, communication.
Devlin: So Amy, I wanted to circle back a little bit, because Chris was talking about the need to not look to the past for everything, look to the future. Something that’s happening right now and will be more important in the future is digital assets require major attention. Are you seeing, are banks still in exploration mode or are we now in full scale build out for digital assets?
Repp: Can we say, yes? This is definitely an enormous topic and I think thoughts here have evolved from, should we or shouldn’t we, to, how do we? Even institutions that are choosing not to enter the digital asset product mix will still need to consider the risk implications and utilize risk assessments, fraud considerations, policy revisions, and the list continues.
Devlin: It’s such an interesting time. Again, I wanted to talk a little bit about the pendulum swing. I’m going to return to that topic. Amy, you mentioned it before, so maybe get Chris’s take on this. What decisions are being made today? We talked to some other folks in the survey who said that everything we do today, we know that in a couple of years there might be another regulatory group, team that’s going to look at things in a different perspective than are being looked at now and there could be some issues with that. So, what do you think the main areas are that our decisions are made today that will be looked at differently in a couple years? What’s the kind of exposure to that, do you think?
Boersma: Most of the things that have been changed or reduced so far have been efforts from the previous administration. If those come back, and I’m thinking of one key area in particular, it has to do with capital. So, there’s some discussions going on right now where they’re trying to revise some of the capital standards. If those capital standards go back up, to me, that’s the single most challenging area to try to rebuild capital that you may have spent because you didn’t think you needed to hold it. So, I think that’s the area that I would focus on if I were at a financial institution of what to expect going forward.
Devlin: That’s a great point, because that could be a fairly sizable change in that percentage number or ratio, however you want to describe it. And it doesn’t seem like that’d be something that’d be easy to actually rebuild, versus it’s not about a policy, you have to find that capital. So, that’s a great point.
So I was wondering, we’re wrapping up here, there’s time for one more question. I was wondering if I could ask both of you to answer this one. So based on the survey, is there one compliance risk or trend that you think the industry still isn’t fully appreciating, or just maybe something that you found particularly interesting in the survey? Starting with Amy.
Repp: Sure, thank you. I think the industry as a whole, we still are underestimating how interconnected our risks are, and staying on top of things we’ve been doing for a long time while also evaluating and understanding emerging things, AI, increase in fraud concerns, cyber payments, etc., state level regulations. Oftentimes those are looked at or considered as unique or separate issues, and in practice, they’re colliding inside the same institution, for sure, through data systems, people, etc.
I think the real challenge is not just tracking individual risks, but building a program, a culture that sees across departments, divisions, etc., to connect those risks and respond in a responsible way because we definitely are seeing a little bit more flexibility or openness to handling the institution the way management sees fit as long as it maintains responsibility for its choices. And you see that in the risk-based approach to running the institution.
Devlin: That’s a great point, and an interesting idea about that more holistic approach and that realization that there aren’t just certain types of risks that live in a vacuum. They all interact and maybe exacerbate or maybe mitigate, so it’s a really fascinating way to think about it and a valuable way to think about it.
So Chris, ending on you, what’s one thing you’d like to point out before we wrap up here about maybe what the industry isn’t appreciating or just an interesting take on the survey?
Boersma: So, I think there’s definitely areas that financial institutions still haven’t fully complied with that they still struggle with. One area I want to talk about is vendor management. So, I would say financial institutions probably do a pretty good job at doing their due diligence with the primary vendors, but I think that they’re still struggling with the nth degree, so the fourth degree, the fifth degree. So those vendors, those critical vendors that are supporting your primary vendors, those are the ones you also have to due diligence on too. And I think a lot of institutions still struggle with this, so I would say that’s one area that we really need to get a little bit better at.
Devlin: Thanks to both of you, Amy and Chris, for sharing your perspectives with us today on this ProSight Banking Strategies podcast. To our listeners, thanks for spending your valuable time with us, and if you liked it, please spread the word. And do check out the compliance outlook survey report at prosightfa.org. I’m Frank Devlin.
The views expressed by the speakers are the speakers’ own and do not reflect the views of ProSight Financial Association, BAI, or RMA. The views expressed and information shared are of a general nature and are not intended to address the circumstances of any particular individual or entity. No one should act upon any such views or information shared during this podcast without appropriate professional advice after a thorough examination of the particular situation.