What DORA Actually Requires: An Article-by-Article Breakdown
Most compliance teams have read the summary decks. Fewer have worked through what Article 25 actually mandates for third-party ICT risk...
Regulatory analysis, compliance methodology, and gap management for financial institutions. No hype - just the practical detail.
Compliance teams routinely conflate regulatory gap analysis with controls testing. The result is wasted effort and examination findings that should have been caught...
The shift from AMA to the Standardised Measurement Approach eliminated model discretion. That has real capital implications for mid-tier banks...
The 2024 FFIEC guidance on AI model validation contains language that is deliberately ambiguous. Here is how examiners are interpreting it in practice...
When your compliance team maps 600 regulatory obligations by hand, the bottleneck is not effort - it is clause disambiguation and cross-reference resolution...
Both platforms cover the basics of obligation tracking. Where they diverge matters when you are running multi-framework compliance at a regulated financial institution...
The FCA's first wave of Consumer Duty supervision letters were more specific than most compliance officers expected. Three recurring gaps dominated...
Parsing regulatory text is harder than parsing legal contracts. Regulations use conditional language, cross-reference structures, and jurisdictional carve-outs that standard NLP pipelines fail on...
Adding wire transfers to an ACH-only product is not an incremental change under FinCEN's rules. It triggers a reassessment of your entire AML program scope...
Regulators submit Matters Requiring Attention lists and document request letters that can run to 80+ items. How you organize your response in the first 48 hours determines the rest of the examination...
ESMA's 2024 supervisory briefings identified best execution documentation as a repeat deficiency across EU investment firms. The gap is almost always in the monitoring methodology, not the policy itself...
CRD VI's intermediate parent undertaking requirements and third-country branch provisions take effect in stages through 2026. Early planning is not optional - the structural changes required take 12 to 18 months to implement...