The Compliance Illusion
Passing the Audit Is Not the Same as Managing the Risk. The Evidence Has Been Saying This for Decades.
In 2024, TD Bank agreed to pay $3.09 billion, the largest penalty ever imposed under the Bank Secrecy Act in the United States, for systemic AML compliance failures. The bank was not a small or unsophisticated institution. It had compliance programmes, training requirements, risk registers, and documented controls. It had, by every formal measure, a compliance function.
What it lacked was a compliance function that actually stopped the conduct it was designed to prevent.
In the same year, global financial-services enforcement penalties reached $4.6 billion, a 522% increase on the previous year; banks accounted for $3.65 billion of that total. In December 2022, Santander UK was fined £107.7 million by the FCA for repeated AML control failures, despite earlier warnings that had already produced remediation programmes. Also in 2022, Danske Bank paid $2 billion for money-laundering offences committed over several years through its Estonian branch.
Each of these institutions had compliance. None of them had control.
This is the compliance illusion: the belief — held in boardrooms, risk committees, and audit sign-offs across the regulated world — that a functioning compliance programme means the risk it addresses is being managed. The evidence, accumulated across decades of regulatory enforcement and three significant waves of financial services misconduct, is unambiguous. A compliance programme demonstrates that controls are in place. It does not demonstrate that controls work. And the gap between those two things is where penalties, enforcement actions, and customer harm accumulate.
How the Distinction Got Buried
The conflation of compliance and risk management is not accidental. It is the natural outcome of how compliance functions were built and what they were originally designed to do.
The modern compliance function took its current shape in the post-financial-crisis regulatory environment of the late 2000s and early 2010s. Its design logic was defensive and custodial: document controls, demonstrate adherence to regulatory requirements, produce evidence that the organisation takes its obligations seriously. Its primary audience was external: regulators, auditors, courts. Its primary output was documentation.
This design logic was not dishonest. In a regulatory environment where enforcement depended on whether an organisation had a policy, the rational response was to adopt one. The problem is that the regulatory environment has moved, and the compliance function has not.
McKinsey’s 2024 compliance benchmarks found a specific and telling gap: many organisations report strong policies, procedures, and training programmes, yet far fewer embed active remediation, continuous monitoring, or board-level accountability. The documentation layer is strong. The operational effectiveness layer is weak.
“It’s no longer enough to intend to comply or to have a policy on paper. Regulators now demand demonstrable governance — documented evidence that you have robust systems, controls, and processes in place and that they are actually working.” Compliance and Risks, February 2026
The DOJ’s Evaluation of Corporate Compliance Programs, updated in 2023, is explicit on this point. Prosecutors are instructed to evaluate not whether a compliance programme exists but whether it is “adequately designed” and “being applied earnestly and in good faith”, and specifically whether the organisation has “invested adequately in testing” the effectiveness of its controls. The test is effectiveness, not existence, and most compliance programmes were not built to pass it.
The Audit Passes. The Risk Remains.
The most revealing feature of the compliance illusion is that it persists even in the face of formal audit processes designed to detect it.
PwC’s Global Compliance Survey found that 59% of organisations report that their compliance functions benefit from improved coordination, yet only 16% have integrated the data systems needed to make those functions operational (PwC Global Compliance Survey / Compliance Week). Organisations are coordinating their compliance activities. They are not connecting those activities to the operational data that would show whether the risk is actually being managed.
The Q3 2025 GC Risk Index from Corporate Board Member and Diligent Institute surveyed AI governance and found that 29% of companies report having comprehensive AI governance policies and another 38% are drafting them. Yet 44% acknowledge that their policies need refinement, and 33% say they are entirely insufficient. That is a survey of what organisations know about their own governance. The figures are not contradictory; they describe organisations at different stages of the same discovery: that the policy they wrote is not the control they needed.
Gartner’s research on risk management found that only 18% of ERM leaders express high confidence in their ability to identify emerging risks. The other 82% are running risk and compliance programmes while acknowledging uncertainty about whether those programmes catch the risks they are designed to catch.
The audit measures documentation, process adherence, and the existence of controls. What the regulator eventually measures — in enforcement actions, in prudential reviews, in post-failure inquiries — is whether harm was prevented. These are different measurements. The audit and the enforcement action are not always consistent because they measure different things.
The Pattern in Enforcement Actions
The consistency of the enforcement record on this point is striking. The same structural finding appears across jurisdictions, sectors, and decades: organisations that sustained significant regulatory penalties almost always had compliance programmes in place. The programme was insufficient not because it was absent but because it was designed to demonstrate compliance rather than achieve it.
HSBC was fined £57.4 million by the PRA in 2024 for failing to accurately identify customer deposits eligible for FSCS protection between 2015 and 2022. The PRA found that 99% of eligible beneficiary deposits were incorrectly marked as ineligible. Seven years. The compliance function did not catch it. The audit process did not catch it. The regulator caught it.
Santander UK received warnings from the FCA about its AML controls before the £107.7 million fine in December 2022. Remediation programmes were produced. The underlying weakness persisted. The remediation documented the intent to address the problem. It did not solve the problem.
The same finding appears, almost verbatim, in APRA’s assessment of ANZ’s non-financial risk management in a different institution and a different jurisdiction: a remediation programme running for years, producing documentation, governance forums, and policies, while “APRA has yet to observe significant improvements.” The pattern is not sector-specific or jurisdiction-specific. It is structural.
“Is enough attention being given to compliance? Or is it just ‘box ticking’?” Commissioner Hayne, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, 2019
The boxes were ticked. The risk was not controlled.
Why the Illusion Persists
Understanding why sophisticated organisations consistently confuse compliance with control requires taking seriously the incentive structure that makes the confusion rational.
Compliance documentation is verifiable. It can be audited, signed off, and filed. Risk management effectiveness is hard to verify prospectively: whether a control works is only known with confidence after it has been exposed, over a meaningful time horizon, to the failures it was meant to prevent. In an environment where auditors and regulators evaluate inputs rather than outcomes, the rational investment is in inputs.
This is Michael Power’s “comfort production” argument from The Audit Society: Rituals of Verification (Oxford University Press, 1997), now nearly three decades old and entirely intact: the assurance industry is paid to produce verifiable documentation and legitimacy signals, not to test whether controls actually prevent harm. The external auditor who certifies compliance is not certifying that risk is controlled. The auditor is certifying that the organisation has produced the documentation required for compliance.
When the incentive shifts — when a regulator can impose a $3 billion penalty, a billion-dollar capital add-on, or a Court Enforceable Undertaking based on the demonstrated ineffectiveness of controls — organisations respond. TD Bank’s $3.09 billion penalty produced a wholesale restructuring of its AML function. APRA’s CEU produced ANZ’s Program PACT. The remediation that decades of voluntary compliance improvements failed to produce arrived within months of enforcement actions with real consequences.
The compliance illusion persists not because organisations are incompetent. It persists because the institutional environment has been structured to reward the appearance of control more reliably than its substance.
AI Compliance Is Replicating the Pattern in Real Time
The Q3 2025 GC Risk Index finding that 67% of organisations either have comprehensive AI governance policies or are drafting them describes the documentation layer of AI compliance forming at speed. Organisations are writing policies, adopting frameworks, pursuing ISO/IEC 42001 certifications, and completing NIST AI RMF profiles.
What they are not doing, in most cases, is building technical controls that enforce those policies at the point where AI systems act. The policy says the AI system will not make discriminatory decisions. The technical architecture lacks a runtime control that intercepts the decision before it executes and tests it against the constraint. The compliance documentation exists. The control does not.
This is the same gap that produced Santander’s AML failures, HSBC’s deposit-protection failures, and seven years of governance deficiencies at ANZ. The mechanism is identical: a policy layer that satisfies the documentation requirement, disconnected from an operational layer that would actually prevent the harm.
There is an additional complexity in AI that makes the gap more dangerous than in its predecessors. Traditional compliance failures occur in processes with human actors at decision points, so there are natural points of intervention. AI systems making sixty decisions a minute in autonomous workflows have no equivalent natural intervention point unless one is engineered into the architecture.
“Traditional GRC models reinforce this gap. Many programs are designed to document controls and address known risks but are less effective in environments defined by rapid change and interdependence. Static assessments become outdated quickly.” MJH News, Enterprise Risk Management in 2026, April 2026
As of mid-2026, the EU AI Act’s Annex III high-risk obligations, the part of the regime that would require organisations to show that controls work rather than that policies exist, have been proposed for deferral to December 2027 under the Commission’s Digital Omnibus proposal. The compliance layer is forming faster than the enforcement regime that would test whether it is real.
What the Distinction Actually Requires
Separating compliance from control is not a philosophical exercise. It has specific operational implications.
A compliance programme demonstrates that a control exists. A risk management programme demonstrates that the control works — which requires testing under conditions that would reveal failure, not conditions optimised for audit sign-off.
In practice this means four things. Compliance reviews include live system testing, not just documentation review. AI governance frameworks specify technical enforcement mechanisms rather than policy statements alone. Incident response processes are exercised before incidents occur. Remediation programmes are assessed for effectiveness rather than completion, by parties with no commercial interest in reporting improvement.
It means asking, before approving a compliance programme, not “does this demonstrate that we are complying?” but “does this demonstrate that the risk is being managed?” Those are different questions. The first can be answered with documentation. The second requires evidence of operational effectiveness — and the infrastructure to generate that evidence continuously, not just at audit time.
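The runtime control described in the AI section above (a check that intercepts a decision before it executes and tests it against the policy constraint) and the effectiveness testing this section calls for can be shown together in code. The following is an added example and is not code from the original article or from any institution it discusses. The decision format, the feature names treated as prohibited, the action names, and the review threshold are all assumptions constructed for illustration. The gate does three things: it blocks decisions that violate the constraint, it writes a hash-chained evidence record for every decision so that effectiveness evidence is generated continuously rather than at audit time, and it carries a self-test that injects violating decisions and confirms the control actually fires.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed constraint set. A real deployment would derive this from the governing policy.
PROHIBITED_FEATURES: FrozenSet[str] = frozenset({"ethnicity", "religion", "postcode_proxy"})
HIGH_IMPACT_AMOUNT = 50_000  # assumed threshold above which an adverse decision needs a human


@dataclass(frozen=True)
class Decision:
    subject_id: str
    action: str                    # hypothetical action names: "approve_credit", "decline_credit"
    amount: float
    features_used: FrozenSet[str]  # features the model actually consumed for this decision
    model_version: str
    human_reviewed: bool = False


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str]
    evidence_hash: str


class PolicyGate:
    """Sits between the model and whatever system would execute its decision."""

    def __init__(self) -> None:
        self.evidence: List[Dict] = []  # append-only, hash-chained evidence log
        self._prev_hash = "0" * 64

    def evaluate(self, d: Decision) -> Verdict:
        reasons: List[str] = []
        leaked = d.features_used & PROHIBITED_FEATURES
        if leaked:
            reasons.append("prohibited feature(s) used: " + ", ".join(sorted(leaked)))
        if d.action.startswith("decline") and d.amount >= HIGH_IMPACT_AMOUNT and not d.human_reviewed:
            reasons.append("high-impact adverse decision without human review")
        allowed = not reasons
        return Verdict(allowed, reasons, self._append_evidence(d, allowed, reasons))

    def _append_evidence(self, d: Decision, allowed: bool, reasons: List[str]) -> str:
        entry = {
            "seq": len(self.evidence),
            "prev": self._prev_hash,
            "subject_id": d.subject_id,
            "action": d.action,
            "amount": d.amount,
            "features_used": sorted(d.features_used),
            "model_version": d.model_version,
            "allowed": allowed,
            "reasons": reasons,
        }
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.evidence.append(entry)
        self._prev_hash = digest
        return digest


def verify_evidence(log: List[Dict]) -> bool:
    """Recompute the chain; an edited, deleted or reordered record breaks it."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def control_self_test(gate: PolicyGate) -> bool:
    """Effectiveness test: inject decisions that must be blocked and one that must pass.
    A gate that has never been shown to block a violation is documentation, not control."""
    must_block = [
        Decision("selftest-1", "decline_credit", 1_000, frozenset({"income", "ethnicity"}), "m-test"),
        Decision("selftest-2", "decline_credit", 75_000, frozenset({"income"}), "m-test"),
    ]
    must_pass = Decision("selftest-3", "approve_credit", 75_000, frozenset({"income"}), "m-test")
    blocked = all(not gate.evaluate(d).allowed for d in must_block)
    passed = gate.evaluate(must_pass).allowed
    return blocked and passed and verify_evidence(gate.evidence)


# Constructed sample stream (not real data): a clean approval, a decline that consumed a
# prohibited proxy feature, and a large decline that did go through human review.
SAMPLE_STREAM = [
    Decision("c-101", "approve_credit", 12_000, frozenset({"income", "tenure"}), "credit-v7"),
    Decision("c-102", "decline_credit", 9_500, frozenset({"income", "postcode_proxy"}), "credit-v7"),
    Decision("c-103", "decline_credit", 120_000, frozenset({"income", "tenure"}), "credit-v7", human_reviewed=True),
]


def run_sample(gate: Optional[PolicyGate] = None) -> List[bool]:
    gate = gate or PolicyGate()
    return [gate.evaluate(d).allowed for d in SAMPLE_STREAM]  # [True, False, True]
```

Two design choices matter here. The self-test is what separates “the control exists” from “the control works”: it runs under conditions chosen to reveal failure, and it can be scheduled continuously rather than performed once for an audit. The hash chain makes the evidence tamper-evident, so an effectiveness review can check that the log it is shown is the log the gate actually produced.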
The Uncomfortable Conclusion
The compliance illusion is comfortable because it is economically rational and institutionally supported. The documentation is cheaper to produce than the control. Satisfying the audit is cheaper than satisfying the regulator. The policy is easier to write than the architecture that enforces it.
What makes it an illusion — rather than simply a practical compromise — is that organisations and boards genuinely believe the compliance programme is managing the risk. Not as a cynical performance, but as a sincere conclusion from the evidence available to them: the audit passed, the policy was adopted, the training was completed, the score moved in the right direction.
The evidence that this belief is wrong is in the enforcement record. $3.09 billion for TD Bank. $4.6 billion in global financial penalties in 2024 alone, a 522% increase from the prior year. Eleven ASIC enforcement actions against ANZ in just over a decade, most after compliance programmes had been running for years.
The compliance programme did not fail. The belief that the compliance programme was managing the risk — that was the illusion. And it is the one that costs the most.
References
Academic and Theoretical Sources
Power, M. (1997). The Audit Society: Rituals of Verification. Oxford University Press.
Meyer, J.W. and Rowan, B. (1977). Institutionalized Organizations: Formal Structure as Myth and Ceremony. American Journal of Sociology, 83(2): 340–363.
Regulatory Actions and Enforcement
European Commission (2025). Digital Omnibus Proposal COM(2025) 836: proposal to defer EU AI Act Annex III high-risk obligations to December 2027. 19 November 2025.
US Department of Justice / FinCEN (2024). TD Bank Pleads Guilty to Bank Secrecy Act Violations — $3.09 billion penalty. DOJ / FinCEN, October 2024.
Financial Conduct Authority (UK) (2022). Santander UK fined £107.7 million for AML failures. FCA Final Notice, December 2022.
Prudential Regulation Authority (UK) (2024). HSBC fined £57.4 million for FSCS deposit protection failures. PRA Final Notice, January 2024.
ASIC (2025). 25-314MR Federal Court orders $250 million combined penalties against ANZ. ASIC media release, 19 December 2025.
APRA (2025). APRA accepts Court Enforceable Undertaking from ANZ and increases capital add-on to $1 billion. APRA media release, 3 April 2025.
Hayne, K. (2019). Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry: Final Report. Commonwealth of Australia.
Research and Survey Sources
PwC (2024). Global Compliance Survey. PricewaterhouseCoopers / Compliance Week.
Corporate Board Member / Diligent Institute (2025). GC Risk Index Q3 2025. Corporate Board Member and Diligent Institute.
McKinsey & Company (2024). Compliance Benchmarks: Policies, Procedures and Active Remediation Gap. McKinsey Digital.
Gartner (2025). ERM Leader Confidence Survey. Gartner Research.
Fenergo (2024). Global AML and Compliance Fines Analysis: First Half 2024. Fenergo.
US Department of Justice (2023). Evaluation of Corporate Compliance Programs (updated March 2023). DOJ Criminal Division.