BCG has been conducting regular compliance benchmark studies with banks in North America, South America, Europe, Asia, and Africa over the past five years. This year’s benchmarking report examines best practices for making compliance functions more effective and efficient, with a focus on how industry leaders are addressing governance and operating models, know-your-customer (KYC) processes, transaction monitoring and screening, and application and risk management of both AI and generative AI (GenAI).
Banks are under mounting regulatory pressure to make their compliance systems both more efficient and more effective. In Europe, the past year alone has seen the EU's Anti-Money Laundering (AML) package enter into force in July 2024, the EU AI Act enter into force in August 2024, and the EBA publish its guidelines on restrictive measures, better known as EU sanctions, in November 2024. At the same time, enhanced customer protection laws and supply chain regulations have added new layers of compliance risk. In the US, the Bank Secrecy Act, whose provisions have expanded over the years, and sanctions imposed by the Office of Foreign Assets Control have intensified the need for robust compliance.
Banks also face rising costs to fulfill constantly increasing compliance requirements or simply to keep up with market demands and technology trends. To meet these multiple requirements, banks that are leaders in compliance standards are transforming their compliance functions from cost centers into strategic enablers of business resilience and growth. As a result, the role of compliance is not only to provide advisory and remediation services, but also to steer the organization toward proactive compliance risk management.
The banks at the forefront of change are striving to bring an understanding of compliance risks into the entire organizational structure. They are integrating compliance-by-design into key front-to-back business processes and enhancing their operating models with data-driven and digital solutions that include AI and GenAI. With these practices in place, financial institutions can enhance risk detection, improve efficiency, and ensure regulatory integrity—all while reducing operational costs.
In this year’s study, we examine actions that banks should consider taking in five key areas to build a compliance function for the future:
- Redefine a groupwide risk taxonomy. Banks should integrate compliance with their overall risk management and business strategies.
- Break the spending spiral. With a strategic investment plan in place, banks can manage their compliance costs while maintaining effectiveness.
- Optimize front-to-back AML value streams. Banks should embrace compliance by design through integration of front-to-back AML value streams. Digital levers are powerful tools for achieving this.
- Leverage AI and GenAI in an efficient and compliant way. To remain competitive in an increasingly digital environment, banks need to embed AI and GenAI into their core compliance processes.
- Empower the compliance workforce of the future. The most effective teams will be skilled at combining risk and business operation expertise with advanced technological capabilities.
Redefine a Groupwide Risk Taxonomy
Banks must shift from a fragmented and reactive view of compliance risks to a groupwide risk taxonomy that is aligned with overall business objectives and risk appetite.
A robust, groupwide taxonomy of risks is vital for navigating the increasingly complex compliance landscape. Clear delineation of responsibilities, identifying which risks the compliance function owns and which are the domain of other functions, is crucial for accountability and strategic clarity.
Our study finds that it is universal for a financial institution’s compliance function to cover core risks such as regulatory compliance, sanctions, and anti-money laundering and counter-terrorist financing. (See Exhibit 1.) The vast majority of financial institutions also cover bribery and market conduct within the compliance function, and many extend the function to encompass customer protection (75%), data protection (71%), external and internal fraud (68%), and criminal tax offenses (62%), reflecting a broader risk focus. Other risk areas such as customer tax reporting (56%), third-party and outsourcing risk (50%), business continuity management (43%), and cybersecurity (39%), however, show room for further compliance integration.

As banks expand their compliance processes and integrate risk management, the imperative to achieve greater cost efficiency and clearer governance becomes increasingly urgent. Streamlined structures and clear accountability are essential to attain these goals.
Break the Spending Spiral
More spending does not always mean better compliance. The key is smarter investment in technology and efficiency.
As regulatory expectations mount, banks must execute the dual mandate of enhancing compliance and containing costs. Their historical reliance on ex-post controls in the second line of defense (LoD) is no longer sufficient. Instead, industry leaders today are embedding compliance into their business processes from the outset through a compliance-by-design approach. This proactive model reduces the need for rework, enhances control effectiveness, and enables institutions to scale compliance sustainably without inflating costs.
Even so, investments in compliance must cover the first and second LoDs. First LoD costs vary widely. The amount depends on both the organizational model—for example, whether the LoD is located in a nearshore or offshore center—and the budgeting, as back-office employees often handle multiple tasks, including compliance, without itemizing distinct cost allocations.
To provide clearer cost insights, our analysis focuses on second LoD compliance costs. The median for these costs typically ranges from 1.1% to 1.7% of total bank costs, depending on the bank’s size and complexity. Several factors have a significant impact on these costs. The amount varies according to the location of compliance operations (which may be in either the first or second LoD), the complexity of the business model and customer portfolio, the level of automation and technology use, and the degree of regulatory scrutiny. The bank’s size and geographic footprint, and the types of risks it must cover, also influence costs.
Global systemically important banks (G-SIBs) spend up to 2.5% of their total costs on the second LoD, owing to the greater regulatory scrutiny they undergo, their relatively complex business models, and the broader geographic footprints they have compared to other banks. Overall, G-SIBs have higher median compliance costs, at 1.7%, and a wider cost range. (See Exhibit 2.)

Most second LoD compliance costs go toward personnel and IT, followed by legal fees, external advisors, and other operational costs. Increasingly, banks are leveraging data and technology to enhance their compliance efficiency and effectiveness rather than simply expanding their staff. IT costs for the second LoD vary significantly by bank size. Regional players spend a median of 11% of their overall second LoD compliance costs on IT, while the corresponding median for large players is 22% and for G-SIBs 26%.
The share of full-time equivalent employees (FTEs) dedicated to compliance also increases with a bank’s size and complexity. G-SIBs allocate the highest share (2.9%) of FTEs to compliance, reflecting their extensive operations and stricter regulatory requirements. Regional players with simpler structures and lower compliance demand levels dedicate a smaller portion.
Optimize Front-to-Back AML Value Streams
Technology alone will not fix broken compliance processes. Before investing in AI, GenAI, and automation, banks must optimize their operating models and embed compliance into front-to-back processes.
Banks are now adopting a compliance-by-design approach, embedding compliance considerations into their core processes in order to strengthen their compliance functions while maintaining operational efficiency. This approach requires them to integrate compliance seamlessly across all business operations to reduce inefficiencies, streamline processes, and foster a proactive risk management culture.
Despite machine learning (ML) models, sophisticated algorithms, and enhanced data integration, banks struggle with various challenges related to transaction monitoring, screening, and KYC processes. Compliance teams are often burdened with high alert volumes in which false positive rates can reach or exceed 90%. The resulting manual workflows and redundant processes prevent compliance teams from focusing on truly high-risk cases.
To tackle these challenges, financial institutions must rethink their approach to AML processes—optimizing the end-to-end value stream across detection and triage, and streamlining the process for handling alerts.
Optimizing Detection and Triage
In dealing with compliance risks, many banks still rely on conventional rule-based detection systems, which often lead to detection gaps, overlapping risk typologies, and high false positive rates. In addition, the tasks of maintaining and calibrating detection rules are becoming increasingly complex, requiring constant tuning to remain effective.
Our study shows that industry leaders are addressing these inefficiencies with the following optimization levers:
- Refining and consolidating detection rules by regularly reviewing scenario coverage, eliminating redundancies, and optimizing parameter calibration frameworks.
- Introducing AI- and GenAI-driven detection models to complement rule-based systems. Although regulatory requirements make rule-based detection an essential part of the process, and 100% of banks use such detection, many banks are starting to deploy AI and GenAI to enhance these systems. Scorecard-based detection models, which 50% of respondents in our survey report using, assign risk scores to alerts, using feedback loops between case management tools and detection tools. ML-based detection models, which 44% of respondents report using, incorporate supervised and unsupervised learning to identify money-laundering patterns.
- Automating alert preprocessing by bundling related alerts, assigning risk scores, and applying hibernation techniques to filter out low-priority cases prior to manual review.
Streamlining Alert Handling
When a detection system generates an alert, the subsequent investigation is often manual, fragmented, and highly resource intensive. Many banks lack integrated workflow platforms to orchestrate case management efficiently, leading to prolonged processing times, unclear escalation protocols, and inefficient handling of Level 1, Level 2, and Level 3 alerts about suspicious activities. In addition, investigators often operate without advanced analytical tools, limiting their ability to assess risk effectively.
Our study indicates that leaders in compliance innovation are taking the following actions to address these inefficiencies and to optimize alert handling:
- Implement automatic alert processing and preevaluation. Automated systems generate recommendations—for example, automatically closing low-risk alerts and escalating high-risk cases—and prefill suspicious activity reports with relevant data.
- Enhance investigations with network analysis capabilities. Banks are increasingly using AI- and GenAI-powered tools to uncover hidden relationships and financial crime patterns.
- Streamline Level 1 alert handling. Automated systems can introduce structured checklists to expedite initial reviews.
- Improve escalation guidance. An optimized system can provide clear guidance on when and how to escalate cases between Level 1, Level 2, and Level 3.
- Integrate the workflow orchestration across the entire alert management process. Banks are adopting end-to-end orchestration tools—often low-code platforms that nontechnical staff can access and maintain easily—to streamline handoffs, align roles across all three alert levels, and ensure consistent, auditable alert processing.
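The detection and triage levers above (consolidated rules, scorecard-style scoring fed by case outcomes, alert bundling and hibernation) and the alert-handling steps (automatic preevaluation, routing across Level 1 and Level 2) can be made concrete in a small pipeline. The following is an added illustration, not code from the report or from any bank's monitoring system. The rule names, thresholds, base scores, false-positive rates and transactions are all constructed assumptions chosen so that the three dispositions show up on the sample data.

```python
# Added example: minimal AML transaction-monitoring triage pipeline.
# Everything here (rules, thresholds, scores, sample data) is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    day: int
    amount: int  # whole currency units (assumed)
    kind: str    # "cash_deposit", "wire_out" or "card"


@dataclass
class Alert:
    rule: str
    customer: str
    txn_ids: tuple
    base_score: int


@dataclass
class Case:
    customer: str
    alerts: list
    score: int
    disposition: str  # "hibernate", "level1" or "level2"


# Constructed sample transactions.
TRANSACTIONS = [
    Txn("t1", "C100", 1, 9_500, "cash_deposit"),
    Txn("t2", "C100", 1, 9_700, "cash_deposit"),
    Txn("t3", "C100", 2, 9_900, "cash_deposit"),
    Txn("t4", "C100", 2, 28_000, "wire_out"),     # cash in, wired straight out
    Txn("t5", "C200", 1, 12_000, "cash_deposit"),  # single reportable deposit
    Txn("t6", "C300", 3, 9_800, "cash_deposit"),
    Txn("t7", "C300", 3, 9_600, "cash_deposit"),
    Txn("t8", "C300", 4, 9_200, "cash_deposit"),
    Txn("t9", "C400", 5, 400, "card"),            # ordinary activity, no alert
]

# Constructed feedback from case management: share (in percent) of each rule's
# past alerts that investigators closed as false positives.
FALSE_POSITIVE_PCT = {"R1_structuring": 55, "R2_large_cash": 92, "R3_rapid_movement": 40}


def by_customer(items):
    groups = defaultdict(list)
    for it in items:
        groups[it.customer].append(it)
    return groups


def rule_structuring(txns, low=8_000, high=10_000, window_days=2, min_count=3):
    """R1: three or more cash deposits just under the reporting threshold in a short window."""
    alerts = []
    for cust, ts in by_customer(txns).items():
        deps = sorted((t for t in ts if t.kind == "cash_deposit" and low <= t.amount < high),
                      key=lambda t: t.day)
        for start in deps:
            window = [d for d in deps if start.day <= d.day < start.day + window_days]
            if len(window) >= min_count:
                alerts.append(Alert("R1_structuring", cust, tuple(d.txn_id for d in window), 80))
                break  # one alert per customer; bundling below handles corroboration
    return alerts


def rule_large_cash(txns, threshold=10_000):
    """R2: any single cash deposit at or above the reporting threshold."""
    return [Alert("R2_large_cash", t.customer, (t.txn_id,), 30)
            for t in txns if t.kind == "cash_deposit" and t.amount >= threshold]


def rule_rapid_movement(txns, max_gap_days=1, min_funded_pct=80):
    """R3: an outgoing wire largely funded by cash deposited in the preceding days."""
    alerts = []
    for cust, ts in by_customer(txns).items():
        for w in (t for t in ts if t.kind == "wire_out"):
            prior = [t for t in ts if t.kind == "cash_deposit"
                     and w.day - max_gap_days <= t.day <= w.day]
            funded = sum(t.amount for t in prior)
            if prior and funded * 100 >= min_funded_pct * w.amount:
                alerts.append(Alert("R3_rapid_movement", cust,
                                    tuple(t.txn_id for t in prior) + (w.txn_id,), 70))
    return alerts


def scorecard(alert):
    """Scorecard: discount a rule's base score by its historical false-positive rate."""
    fp = FALSE_POSITIVE_PCT.get(alert.rule, 50)
    return alert.base_score * (100 - fp) // 100


def triage(score, hibernate_below=10, level2_from=60):
    """Hibernate weak cases, send the rest to Level 1, route strong ones straight to Level 2."""
    if score < hibernate_below:
        return "hibernate"
    return "level2" if score >= level2_from else "level1"


def bundle(alerts):
    """One case per customer: the strongest alert counts in full, each corroborating
    alert adds half its score, capped at 100."""
    cases = {}
    for cust, al in by_customer(alerts).items():
        scores = sorted((scorecard(a) for a in al), reverse=True)
        score = min(100, scores[0] + sum(s // 2 for s in scores[1:]))
        cases[cust] = Case(cust, al, score, triage(score))
    return cases


def run_pipeline(txns):
    alerts = rule_structuring(txns) + rule_large_cash(txns) + rule_rapid_movement(txns)
    return bundle(alerts)
```

Running `run_pipeline(TRANSACTIONS)` yields three cases: C100 (structuring plus rapid movement) is routed straight to Level 2, C300 (structuring only) goes to Level 1, and C200 (a single reportable deposit, a rule with a 92% historical false-positive rate) is hibernated rather than consuming investigator time. The false-positive table is the point of the feedback loop: as investigators close cases, those percentages are refreshed, and the same rule set produces fewer low-value Level 1 alerts without anyone editing rule logic. Hibernated cases should still be revisited when new alerts arrive on the same customer, and every disposition, including automatic ones, needs to be logged so the triage remains auditable.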
Banks that implement automatic alert processing report that they have seen significant improvements in efficiency and effectiveness. In transaction monitoring, early adopters have increased the speed of their Level 1 alert handling by a factor of three, substantially reducing the burden on compliance teams, and doubled the speed of their Level 2 alert handling, ensuring quicker and more accurate risk assessments. (See Exhibit 3.)

These gains translate into lower operational costs, reduced false positives, and more efficient compliance operations, allowing banks to concentrate their resources on higher-risk cases. By leveraging AI, GenAI, and automation, banks can enhance regulatory compliance while improving their overall financial crime detection capabilities—a win for individual institutions and for the broader financial ecosystem.
Leverage AI and GenAI in an Efficient and Compliant Way
AI and GenAI are powerful tools for compliance functions, but only when used with the right controls and governance.
AI, particularly GenAI, is a strategic priority for banks, as it enhances both the effectiveness and the efficiency of compliance processes. All G-SIBs and 75% of large and regional banks have initiated AI and GenAI pilots in the compliance domain, but only 25% have scaled AI and GenAI into production.
For AI and GenAI to reach their full potential in compliance, a comprehensive AI and GenAI risk management framework is essential. While G-SIBs lead in AI and GenAI risk governance, many regional banks lack mature oversight mechanisms, relying on policy drafts rather than active monitoring and controls. The AI and GenAI risk management framework must not only ensure regulatory compliance and data security, but also address risks such as model drift, unintended bias, and lack of transparency in AI and GenAI decision making. Without these safeguards, banks may expose themselves to regulatory pushback, reputational damage, and operational inefficiencies.
Multiple organizational measures are available to mitigate AI and GenAI risks. Banks now prioritize policy enhancement (72%) and training programs (61%), but only 50% maintain ongoing AI and GenAI model monitoring—a critical gap. (See Exhibit 4.)
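Ongoing model monitoring, the control that only half of the surveyed banks maintain, is concrete enough to show in code. The following is an added illustration, not from the report or from any bank's model risk tooling: it computes the Population Stability Index (PSI) between the score distribution a detection model produced at validation and the one it produces in production, and maps the value to an action. The bin count, the warning and alert thresholds, and the two score samples are constructed assumptions.

```python
# Added example: score-distribution drift check for a detection model (PSI).
# Bins, thresholds and sample data are constructed for illustration.
import math


def score_histogram(scores, bins=5, eps=1e-4):
    """Share of scores in each equal-width bin on [0, 1); eps floors empty bins
    so the logarithm in psi() stays finite."""
    counts = [0] * bins
    for s in scores:
        counts[min(bins - 1, max(0, int(s * bins)))] += 1
    return [max(c / len(scores), eps) for c in counts]


def psi(baseline, current, bins=5):
    """Population Stability Index between the score distribution seen at model
    validation (baseline) and the one observed in production (current)."""
    b, c = score_histogram(baseline, bins), score_histogram(current, bins)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def drift_status(value, warn=0.10, alert=0.25):
    """Assumed thresholds: below 0.10 stable, 0.10 to 0.25 review, 0.25 and above recalibrate."""
    if value < warn:
        return "stable"
    return "recalibrate" if value >= alert else "review"


def scores_from_counts(counts):
    """Constructed helper: build a score sample with the given number of scores per bin."""
    bins = len(counts)
    return [(i + 0.5) / bins for i, n in enumerate(counts) for _ in range(n)]


# Constructed samples: validation scores are spread evenly across the bins;
# production scores have shifted toward the low end (e.g. after a change in
# the customer mix or an upstream data feed).
BASELINE = scores_from_counts([20, 20, 20, 20, 20])
PRODUCTION_DRIFTED = scores_from_counts([40, 30, 15, 10, 5])


def monitor(baseline=BASELINE, current=PRODUCTION_DRIFTED):
    """Return the PSI and the recommended action for one monitoring run."""
    value = psi(baseline, current)
    return value, drift_status(value)
```

On the constructed samples `monitor()` returns a PSI of roughly 0.47, well above the assumed 0.25 recalibration threshold, while comparing the baseline against itself returns 0. PSI only watches the model's inputs and outputs; it says nothing about whether the alerts the model raises are still the right ones, so the same monitoring run should also track the confirmed-suspicious rate coming back from case management and the share of alerts closed as false positives, which is where bias and silent degradation usually show up first.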

Ultimately, unlocking the full potential of AI and GenAI in banking entails balancing innovation and risk management. Institutions that proactively invest in AI and GenAI capabilities and risk mitigation strategies will gain a competitive edge and thereby enhance efficiency, strengthen compliance, and future-proof their operations.
Empower the Future Compliance Workforce
The best compliance teams will combine risk and business operations expertise with technological fluency.
Although AI, GenAI, and automation are revolutionizing compliance, human expertise remains irreplaceable. Effective compliance depends not only on advanced technologies but also on strong governance, well-defined processes, and skilled professionals who can interpret regulations, manage risks, and oversee AI- and GenAI-driven systems.
The skill set that compliance professionals must possess is evolving. Traditionally, compliance teams focused on legal expertise and regulatory interpretation. Faced with rising transaction volumes and increasingly complex financial crimes, however, banks now require professionals who are proficient in risk management, technology, and data analytics to leverage AI- and GenAI-powered monitoring tools effectively.
This shift is not a matter of replacing traditional expertise but of expanding competencies to create a hybrid skill set. As new financial products such as cryptocurrency and instant payments emerge, and as regulatory expectations for tech-driven compliance rise, banks will need to seamlessly integrate advanced technologies with human expertise. Regulatory specialists will remain essential for interpreting laws and tailoring compliance strategies, while data analysts and AI and GenAI experts will help banks optimize detection models and refine risk assessments. AI- and GenAI-driven systems require continuous oversight, calibration, and adaptation—tasks that demand human judgment and expertise.
The Way Forward
Our survey provides clear pointers for the direction that banks should take to meet the compliance challenges of the future. Our top recommendations:
- Adopt an integrated risk management framework to inform the institution’s compliance vision. Banks must establish a comprehensive risk taxonomy and define a clear risk appetite framework. Adopting a unified approach to risk management ensures that compliance functions align with broader enterprise risk strategies, enabling a more proactive response to evolving regulatory demands.
- Implement compliance by design into the target operating model. Fixing processes and optimizing operating models is a key step prior to automation. Embedding regulatory requirements directly into front-to-back business workflows reduces manual intervention, improves efficiency, and ensures that compliance is inherent in daily operations.
- Invest strategically in technology, AI, and GenAI. AI, GenAI, automation, and advanced analytics are critical to enhancing compliance efficiency and monitoring effectiveness, especially when the bank adopts these technologies in a well-conceived way, with a clear vision and execution certainty. In the context of banking, smart adoption also entails developing strong governance frameworks to mitigate risks such as bias, lack of transparency, and weak data security, especially in relation to using AI and GenAI.
- Develop a future-ready compliance workforce. Compliance professionals must possess hybrid skills that combine risk and regulatory expertise with technological proficiency. Continuous investment in training and upskilling programs ensures that teams will be able to navigate increasingly complex financial crime challenges while leveraging emerging technologies effectively.
Banks that embrace integrated risk management, compliance by design, and AI and GenAI adoption will redefine compliance as a strategic enabler rather than a regulatory burden. The transformation of compliance is not just about cost savings and efficiency. A strong plan will also ensure proactive risk management, regulatory resilience, and long-term competitive advantage in an evolving financial landscape.