Agentic AI Eats the Compliance Stack: RegTech's Defining Week as DORA Goes Live

Bretton AI's $75M round, the EU's first hard DORA enforcement quarter, and a fresh global RegTech survey from VIXIO all landed in the same seven days. The era of paperwork compliance is officially over.

Something quietly seismic is happening in financial-crime compliance. The cozy "we filed the policy, here's a PDF, see you next audit" era has been wheeled out the back door, and in its place stands a regulator with a real-time data feed, an enforcement budget, and, depending on which side of the Atlantic you're on, either an AI-powered supervisory toolkit or a recently inked no-action letter.

As of this week, three storylines have collided to make RegTech the most consequential corner of financial services to watch in 2026: agentic AI moving from pitch deck to procurement, the EU's Digital Operational Resilience Act (DORA) entering its first real enforcement quarter, and a new global survey showing that nearly two-thirds of financial institutions plan to increase RegTech spend this year.

If you run a compliance function in 2026 and you haven't materially changed your operating model in the last 12 months, the data says you're already behind.

Agentic AI Goes From Buzzword to Budget Line

Let's start with the round that financial-crime compliance watchers have been waiting for.

Bretton AI raised $75 million to build out an agentic AI platform for financial crime, with proceeds earmarked for transaction analysis, KYC and KYB reviews, AML and sanctions investigations, and ongoing transaction monitoring, according to coverage from RegTech Analyst. The framing matters: this isn't another "AI-assisted alert triage" story. It's a bet that agentic systems, software that plans, executes, and explains a multi-step compliance task end-to-end, are about to become the default operating model for the AML/KYC stack.

Bretton isn't alone. Earlier this year, IDfy, the Mumbai-based identity verification platform, closed a $52 million Series F led by Neo Asset Management. In February 2026, Napier AI secured £45 million from Crestline Investors to expand its AI-powered financial crime compliance platform. Novatus Global completed a £30.5 million round led by Silversmith Capital Partners to scale its regulatory reporting technology. And Sedric AI, an LLM-powered compliance platform, locked in $18.5 million in Series A funding, per Fintech Futures.

Why the money is moving now

The deal flow tracks a deeper structural shift. Perpetual KYC, continuous, event-driven re-verification, is "the only operating model that scales when ownership structures and sanctions lists are themselves changing daily, which, in 2026, they are," as RegTech Analyst put it in recent coverage. Static, point-in-time onboarding checks simply cannot keep up with a sanctions environment that updates on a near-weekly cadence and a corporate-ownership landscape rewritten by every cross-border M&A close.

Agentic AI is being sold as the answer because it can do something a rules-based engine cannot: take an alert, pull relevant evidence from a dozen internal and external systems, write a defensible investigation narrative, and hand a human investigator a near-final memo. The promise is fewer false positives, faster cycle times, and an audit trail a regulator can actually follow.

DORA's Interventionist Quarter

While the funding announcements got the headlines, the more consequential RegTech story of the past week is happening in Brussels and Frankfurt.

The informal tolerance period that characterized 2025 DORA supervision has finished, with national competent authorities now conducting active enforcement reviews, cross-checking Register of Information data automatically, and issuing the first compulsion payments, according to coverage from Regulation-DORA. The publication describes the current posture as "interventionist supervision", regulators have moved from reviewing paperwork to demanding real-time evidence of resilience, automated reporting, and demonstrable control over ICT risk.

The penalty framework has teeth. Fines can reach 2% of global turnover, with daily penalties for ICT providers, public disclosure of breaches, and the possibility of service suspensions. Individual liability for business leaders has also entered the chat: senior management can face personal fines of up to €1 million for compliance failures.

The Critical Third-Party list

On 18 November 2025, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) published the first official list of 19 designated Critical ICT Third-Party Providers under DORA. The list reads like a Who's Who of the modern enterprise IT stack: hyperscale cloud providers including Amazon Web Services, Microsoft Azure, and Google Cloud; financial data and technology providers including Bloomberg, the London Stock Exchange Group, and IBM; and IT services and telecom firms including Tata Consultancy Services and Orange.

For a regulated financial institution, the practical implication is unavoidable: every contract, control, exit plan, and incident-reporting workflow tied to those 19 vendors is now squarely in the supervisory crosshairs. RegTech vendors that can map third-party concentration risk, automate ICT incident reporting, and produce auditable evidence of resilience testing have effectively been gifted the buying cycle of the year.

AMLA's Methodology Year

Layered on top of DORA is the parallel build-out of the EU's Anti-Money Laundering Authority (AMLA).

AMLA, headquartered in Frankfurt, took up operations on 1 July 2025. As of February 2026, AMLA confirmed it would be fully operational by 2028, with plans to finalize its risk-assessment methodology in 2026 and start the supervisory selection process in 2027, according to AMLA's own communications and Grant Thornton's tracking. From 2028, AMLA will directly supervise 40 high-risk financial institutions across the EU.

The Authority's first major public conference, "Building Trust, Enhancing Integrity: A New Chapter in the EU's Fight Against Financial Crime", is scheduled for 9 June 2026 at the Alte Oper in Frankfurt. Expect a methodology preview, expect institutions to read every word of it, and expect every European AML/KYC RegTech vendor's pitch deck to be rewritten around it the following Monday.

The Numbers Behind the Spend

A new global RegTech survey unveiled by RegTech Analyst and Parker & Lawrence Research, with launch webinar on May 14, 2026, put hard numbers on what compliance leaders have been muttering privately for months. The Global State of RegTech 2026 report drew on responses from 300 senior compliance decision-makers at financial institutions, contributions from 100 RegTech vendors, qualitative regulator interviews, and bottom-up market analysis. Speakers at the launch included Roseanne Spagnuolo, chief research and data officer at VIXIO, and Stephen Lovell, VIXIO's chief product and technology officer.

The headlines: 95% of financial institutions said they have scaled enterprise use of RegTech across at least one regulatory domain. 62.7% of firms plan to increase RegTech spending in 2026. 48.3% expect to adopt new vendor solutions. 39% plan to expand use cases with existing providers. 27.7% are exploring in-house development strategies.

Global RegTech investment reached approximately $18.6 billion in 2024, with the market projected to surge from $14.94 billion in 2024 to $106.92 billion by 2035 at a 19.59% CAGR, according to Fortune Business Insights.

The RegTech as Core Infrastructure Thesis

Read those numbers together and a clear picture emerges: compliance technology has stopped being treated as a project line item and started being treated as core infrastructure. The 95% figure is the one to dwell on. A few years ago, RegTech adoption was something boards asked about quarterly. Now it's table stakes, the conversation has shifted to coverage breadth, integration depth, and whether the vendor's AI features can survive a regulator's bias audit.

The EU AI Act Twist

There's a wrinkle worth flagging for every CCO and CTO weighing an agentic AI procurement: the EU AI Act, now fully in force, classifies AI systems used in financial crime compliance as high-risk. That triggers specific obligations around transparency, human oversight, data quality, model documentation, and bias testing.

The practical consequence is that the same agentic AI platform pitching itself as a productivity miracle to the compliance team needs to satisfy a parallel set of obligations to the model-risk team and the data-protection officer. Vendors that can ship a coherent AI Act compliance story alongside their financial-crime use case will close deals significantly faster than those who treat it as a separate workstream.

What to Watch

Three short-term signals worth tracking. The first DORA enforcement headlines: watch for the first publicly disclosed fine or compulsion payment. That number will reset every board-level DORA conversation in Europe. AMLA's methodology paper: whatever AMLA publishes around the June 9 conference will become the de facto European AML risk-assessment template by year-end. Agentic AI integration depth: funded RegTech vendors will increasingly compete on how deeply their agents can act inside core banking systems versus living alongside them. The depth of integration, not the prettiness of the demo, will decide the winners.

The compliance team that wins the next 18 months is the one whose stack speaks to the regulator's stack in real time. As of this week, that's no longer aspirational. It's the price of admission.