From Control Burden to Strategic Capability: What Comes Next for RegTech

By Andrew Quinn - Managing Director & Co-Founder at FIDEO

1. Introduction

In 2024, TD Bank agreed to pay over $3 billion in penalties after US regulators identified significant failures in its anti-money laundering controls. The issue was not the absence of policy - it was the breakdown of execution: fragmented monitoring, weak escalation, and an inability to detect patterns of suspicious activity in time.

This was not an isolated case.

From Europe to North America, enforcement actions continue to point to the same structural weakness - compliance frameworks that are well designed in principle but ineffective in practice.

Controls exist, but they do not scale.

Data is collected, but not fully understood.

Risks emerge faster than organisations can respond.

The underlying problem is that traditional compliance models were not built for the speed, complexity and data intensity of modern financial systems. Periodic reviews, manual workflows and siloed systems are increasingly out of step with real-time financial activity.

That is why RegTech is moving from incremental improvement to structural necessity. 

We see RegTech not as a technology overlay, but as a capability layer.

The real opportunity is to redesign compliance so that automation enhances judgement, improves consistency and allows firms to respond to regulatory change with confidence rather than constraint.

2. KYC and AML are becoming intelligence-led, not just digital

The first major shift in RegTech is visible in customer due diligence and financial crime controls. For many institutions, KYC has historically been a documentation exercise — gather information at onboarding, refresh it periodically, and escalate exceptions when they arise.

That model is becoming harder to defend.

Global standard setters continue to reinforce a risk-based approach, while regulators increasingly expect firms to demonstrate not just that checks are performed, but that risks are actively understood and managed. This is pushing firms toward more dynamic, intelligence-led approaches to KYC and AML.

In practice, this means integrating identity verification, sanctions screening, adverse media, transaction monitoring and customer behaviour into a more continuous risk assessment model. 

Advanced RegTech tools can support real-time scoring, network analysis and automated case triage - but the real value lies in how they reshape workflows.

A practical example illustrates the shift. 

A mid-sized payments firm expanding into multiple jurisdictions faces rising onboarding volumes and increasingly complex customer profiles.

In a traditional model, this results in duplicated checks, growing backlogs and high false-positive rates. In a RegTech-enabled model, processes are integrated, risk scoring is dynamic, and escalation is targeted. Analysts spend less time on repetitive tasks and more time on complex, high-risk cases. 

The outcome is not less control, but better control - applied more proportionately and with greater consistency.

3. Regulatory reporting is moving from production to architecture

The second major transformation is in regulatory reporting. Many firms still approach reporting as a downstream activity - interpret requirements, gather data, reconcile differences and submit under tight timelines.

That approach is becoming increasingly unsustainable.

Supervisors are moving toward more standardised, data-driven and machine-readable reporting frameworks.

Expectations around data lineage, traceability and governance are rising, and the tolerance for manual reconciliation is falling.

This creates a different kind of RegTech challenge. 

The priority is no longer just automating report production, but redesigning the underlying data architecture. Firms need clearer ownership of data, consistent definitions across systems, and stronger control frameworks that ensure accuracy from source to submission.

AI-supported tools can add value here — assisting with regulatory interpretation, mapping obligations to data, automating narrative reporting and identifying anomalies. But their effectiveness depends on the quality of the underlying data environment.

A wholesale bank managing multiple regulatory returns across jurisdictions provides a useful case study.

Rather than automating each reporting stream independently, the bank invests in a unified data model, shared definitions and integrated control processes. Reporting becomes less of a periodic challenge and more of a continuous capability. 

This is where RegTech begins to materially reduce operational burden while improving regulatory confidence.

4. SupTech is redefining what “being compliant” means

RegTech does not operate in isolation.

It is evolving alongside Supervisory Technology (SupTech) — the increasing use of data, analytics and technology by regulators themselves.

Supervisors are becoming more data-driven, more proactive and, in many cases, more predictive.

This changes the nature of regulatory engagement. Issues that might previously have gone undetected for longer periods can now be identified earlier through data analysis and cross-firm comparison.

For firms, this raises the bar.

Compliance is no longer just about meeting requirements at a point in time. It is about maintaining a level of operational transparency and control that can withstand continuous scrutiny.

Frameworks such as the EU’s Digital Operational Resilience Act (DORA) reinforce this shift, placing greater emphasis on resilience, third-party risk, and the ability to evidence controls  practice.

In this environment, RegTech becomes essential not just for efficiency, but for credibility. Firms need to demonstrate that their controls are not only designed effectively, but are operating consistently and can be evidenced clearly.

5. What comes next?

The next phase of RegTech will be defined less by experimentation and more by integration.

 We expect four themes to shape that evolution:

• More dynamic, risk-based approaches to KYC and financial crime;

• Greater convergence of data across compliance, risk and operations;

• Increased use of AI to support, rather than replace, decision-making; 

• More continuous and data-driven supervision.

The institutions that succeed will not be those with the most advanced tools in isolation.

They will be the ones that connect technology to operating models, operating models to governance, and governance to capability.

Regulation is evolving too quickly for static frameworks or one-off transformation programmes.

Firms need structured, practitioner-led approaches that build lasting capability -across financial crime, regulatory reporting, data, AI governance and operational resilience.

The real promise of RegTech is not that it reduces the importance of compliance. It is that it allows compliance to operate with greater clarity, speed and confidence - supporting innovation while maintaining trust.

That is the shift from control burden to strategic capability. And it is the shift that will define the next generation of financial services.

[1] TD Bank Group, 2024 Annual Report - provision of approximately CAD $4.5 billion (~USD $3.3 billion) related to U.S. AML investigations.