The Growing Gap Between Compliance Policies and Operational Reality
Compliance management
Risk management

Most regulated businesses have a compliance policy. They have an AML policy, a KYB policy, a sanctions screening policy, a PEP policy, a transaction monitoring policy. These documents exist, they are reviewed periodically, they are signed off by senior management, and they sit on a shared drive or a compliance management system somewhere accessible to anyone who asks.
The problem, and it is a significant one, is that having a policy is not the same as applying it. And the distance between what a policy says a business does and what the business actually does in practice is, according to the EU's own supervisory data, one of the most persistent and consequential compliance failures across the European financial sector.
This is not a small or peripheral problem. It is the defining compliance challenge of this regulatory era. In July 2025, the European Banking Authority published its fifth biennial Opinion on money laundering and terrorist financing risks affecting the EU financial sector. The findings were unambiguous. Customer due diligence shortcomings are the leading cause of AML/CFT breaches across all sectors, accounting for 61 percent of violations reported to the EBA's EuReCA database. Credit institutions in particular tend to have policies in place but fail to apply them effectively. And 70 percent of competent authorities report high or rising ML/TF risks in the fintech sector, with firms appearing to prioritise growth over compliance.
This article is about understanding why that gap exists, how it manifests across different areas of compliance, and what closing it actually requires in the context of the regulatory changes arriving before 2027.
What the Gap Actually Looks Like in Practice
The compliance policy-to-practice gap does not usually look like deliberate non-compliance. It rarely involves a decision to ignore a known obligation. More often, it looks like one of these things.
A customer due diligence policy that requires enhanced due diligence for politically exposed persons, but where the analyst conducting the check does not have clear guidance on what "enhanced" means in practice, what sources to consult, or how to document the outcome. The policy exists. The EDD does not, at least not in the form the policy describes.
A transaction monitoring policy that states suspicious activity will be reviewed and escalated within defined timelines, but where the alert volume has grown beyond the team's capacity to actually process alerts within those timelines, and the queue has become a backlog no one formally acknowledges.
A KYB onboarding policy that requires verification of ultimate beneficial owners through official registry sources, but where the actual process relies on client self-declaration because the team does not have a tool connected to the relevant registries. The policy says registry verification. The practice is a form.
A sanctions screening policy that mandates daily re-screening, but where the underlying screening infrastructure was last calibrated two years ago and the alert management workflow has not been updated to reflect the EU's Instant Payments Regulation requirements.
None of these gaps exist because compliance teams do not care. They exist because policies are written to describe what an institution should do at its best, and operational reality is shaped by resource constraints, tool limitations, volume growth, and process design choices made under commercial pressure.

What the EBA's Data Shows Us About Where the Gap Is Widest
The EBA's 2025 Opinion draws on EuReCA submissions covering 2022 to 2024. The picture it paints is specific and worth understanding in detail, because it tells us where the gap between policy and practice is concentrated.
Customer due diligence is the most common failure point, accounting for 61 percent of AML/CFT breaches across all sectors. The EBA found that concerns about CDD measures deteriorated meaningfully, with the proportion of competent authorities flagging CDD weaknesses rising from 34 percent to 48 percent between 2023 and 2024. Almost every regulated institution has a CDD policy. Almost every CDD policy describes a process for verifying customer identity, understanding the purpose of the business relationship, and applying appropriate risk ratings. The gap is in the execution of that process at the level of individual cases, particularly when volume is high, the customer is complex, or the jurisdiction is unfamiliar.
The treatment of politically exposed persons is another area where the EBA found persistent and documented failures. Its data shows that 203 material weaknesses related to PEP controls were logged in EuReCA between 2022 and 2024. One competent authority reported finding PEP-related deficiencies in at least 36 percent of full-scope inspections, even after remediation was requested. PEP policies in most regulated institutions require enhanced due diligence for current and former PEPs and their close associates. The AMLR (Regulation (EU) 2024/1624) requires EDD that considers the source of wealth and funds, includes heightened ongoing monitoring, and requires senior management approval for PEP relationships. The gap between those requirements and what actually happens during an onboarding call where a client mentions a politically connected director, but the analyst is not sure whether that connection meets the PEP threshold, is exactly the kind of gap that produces a material weakness finding.
Transaction monitoring is a third area of concentrated failure. The EBA found that 52 percent of competent authorities cited inadequate transaction monitoring capabilities as a concern. This is particularly striking because transaction monitoring is one of the most widely discussed, most heavily invested, and most frequently updated areas of compliance technology. The gap here is not usually about whether a monitoring system exists. It is about whether the rules configured in that system reflect the current risk profile of the business, whether the alert rate is manageable enough for genuine investigation to occur, and whether the team has the capacity to handle alerts before they age into unanswered backlogs.
The RegTech Problem Hidden Inside the Gap
One of the most important findings in the EBA's 2025 report, and one that does not get enough attention, is the data on RegTech and compliance tool failures.
More than half of all serious compliance failures reported to the EuReCA database involved the improper use of RegTech tools. The EBA identified 277 material weaknesses linked to RegTech technologies, systems, and tools across financial institutions in 2023 and 2024. Fifty-five percent of competent authorities consider RegTech outsourcing to be a significant risk. Forty-six percent identify risks from automated solutions implemented without adequate monitoring or human oversight. Thirty-six percent report that institutions lack the in-house expertise to govern the tools they have bought.
This finding points to a specific kind of policy-to-practice gap that compliance teams do not often talk about openly: the gap between what a RegTech tool is configured to do and what a well-designed compliance process actually requires.
When a financial institution buys a transaction monitoring platform and configures it with generic rules at implementation, those rules represent the institution's compliance posture at that moment. If the institution's transaction profile changes, its customer base evolves, or its geographic footprint expands, the rules do not update themselves. The policy says the institution monitors for suspicious activity. The tool continues applying rules that were calibrated for a business that no longer exists. The gap is not visible from the outside. It becomes visible when an alert is missed, when a SAR is filed late, or when a regulatory examination finds that the monitoring logic does not match the risk profile described in the institution's own risk assessment.
The same gap exists in KYB tooling. A KYB policy that requires registry-level verification of beneficial owners is only as good as the data sources the KYB tool is actually connected to. If the tool relies on cached or aggregated data rather than live registry queries, the policy describes a verification standard that the tool cannot deliver. The institution believes it is verifying ownership. It is actually reviewing a snapshot of what ownership looked like when the cache was last updated.
The Governance Gap: Why the Policy Exists But the Practice Does Not
Behind all of these specific gaps is a structural cause that is worth naming directly: the compliance function is often not positioned, resourced, or governed in a way that would allow it to close the distance between written policy and operational practice.
The AMLR addresses this directly in its governance provisions. From July 2027, every obliged entity must appoint a compliance officer with sufficiently high hierarchical standing, personally responsible for the day-to-day operation of the AML/CFT programme and specifically responsible for reporting suspicious transactions to the FIU. The management body must be informed of compliance findings and must take responsibility for the overall framework. One member of the management body must be specifically designated with responsibility for ensuring compliance with the AMLR.
This governance architecture is designed to close a very specific gap: the gap between a compliance function that writes policies and a management body that treats those policies as an assurance document rather than an operational commitment. When compliance is positioned as a support function that produces documents, and when management engagement with compliance is limited to sign-off on policy documents at annual review, the conditions for the policy-to-practice gap are structural. The policy reflects what the compliance team believes should happen. The practice reflects what the operational teams actually do, often under different pressures and with different information.
The EBA's Guidelines on the role of AML/CFT compliance officers set clear expectations that the compliance officer must have sufficient authority and resources to carry out their function effectively, including the ability to escalate concerns to the management body and to propose necessary measures. A compliance officer whose escalations are routinely deprioritised, whose requests for additional resource are declined, or whose concerns about operational gaps are not acted on by the management body is not functioning within the governance model regulators expect.
The Sanctions Compliance Dimension of the Gap
Sanctions compliance is an area where the policy-to-practice gap has become increasingly visible to EU regulators, and where new guidance has been introduced specifically to address it.
The EBA's Guidelines on internal policies, procedures and controls to ensure the implementation of Union restrictive measures, applicable from 30 December 2025, were published in November 2024 precisely because the quality of institutions' internal policies, procedures and controls to comply with restrictive measures varied widely across member states. The EBA found that compliance with EU restrictive measures differed significantly in practice even where the legal obligations were the same, and that institutions often lacked adequate systems to implement complex sanctions regimes effectively.
What this looks like at the operational level is an institution that has a sanctions screening policy, but whose screening is configured to a list that may not include all relevant EU designations, or that runs screening at a frequency that does not match the daily requirement introduced by the EU Instant Payments Regulation. Or an institution whose sanctions policy describes a workflow for handling matches, but whose analysts lack the training or the authoritative guidance to distinguish a genuine hit from a false positive, leading either to over-escalation that overwhelms the compliance team or to dismissal of alerts that should have been investigated.
The EBA guidelines make clear that a governance framework must be in place to ensure that policies, procedures and controls are adequate, effective and proportionate to the institution's restrictive measures exposure. Proportionality is important here: the standard is not the same for every institution, but it must be genuinely connected to the institution's actual risk profile, not simply copied from a template.
The 2027 AMLR Deadline and What It Means for the Gap
The Anti-Money Laundering Regulation (AMLR) and the Anti-Money Laundering Directive 6 (AMLD6) apply from 10 July 2027. The Anti-Money Laundering Authority (AMLA), now operational in Frankfurt, is publishing its Regulatory Technical Standards throughout 2026, which will define the detailed CDD requirements, risk factor guidelines, and governance standards that all obliged entities must have embedded by that date.
What the AMLR does, structurally, is shift the regulatory standard from one where having a policy was often sufficient evidence of compliance to one where demonstrating that the policy is applied in practice becomes the central supervisory question. The AMLR requires compliance officers to produce business-wide risk assessments approved by the management body. It requires five years of records demonstrating how individual customer relationships were verified, monitored, and reviewed. It requires ongoing monitoring of business relationships that can be evidenced as genuinely risk-based rather than calendar-driven. And it requires that senior management approval for high-risk relationships, including PEPs and high-risk third-country connections, is documented in a form that can be examined years after the decision was made.
Each of these requirements presupposes that the operational gap described in this article has been closed. A business-wide risk assessment that does not reflect how the institution actually operates is not an AMLR-compliant risk assessment. A five-year record of customer monitoring that consists of annual tick-box reviews rather than genuine risk-based re-verification does not meet the standard. And a PEP policy that is not applied in practice will produce exactly the kind of material weakness finding that the EBA's EuReCA data documents so consistently.
The implication for 2026, which is the preparation year before the AMLR's application date, is that closing the gap between policy and practice is not just a good idea. It is the threshold requirement for being compliant in 2027.
The Policy-to-Practice Gap: A Comparison by Compliance Area
The table below maps the most common policy-to-practice gaps documented in supervisory findings, published EBA data, and the regulatory standards of the current EU framework. Each row describes what the policy typically says, what the practice often looks like in reality, and the regulatory standard that creates the obligation.
| Compliance Area | What the Policy Typically Says | What the Operational Reality Often Looks Like | Regulatory Basis |
|---|---|---|---|
| Customer due diligence | Verify identity using reliable, independent sources; assess purpose and nature of business relationship | CDD conducted through client self-declaration forms, with registry checks only for flagged cases | AMLR Art. 20, AMLD4/5 CDD requirements; CDD shortcomings account for 61% of AML breaches in EuReCA |
| Enhanced due diligence for PEPs | Apply EDD including source of wealth and funds investigation; senior management approval required | PEP screening conducted but EDD steps not completed or documented consistently; senior approval not sought where threshold unclear | AMLR Art. 34; 203 PEP-related material weaknesses in EuReCA 2022 to 2024 |
| Beneficial ownership verification | Identify UBOs through official registry sources; verify natural persons at 25% threshold | Beneficial ownership collected through client-provided ownership charts without registry cross-check | AMLR Art. 52 UBO identification; threshold shifts to 25% or more from July 2027 |
| Transaction monitoring | Monitor transactions against risk-sensitive rules calibrated to current risk profile | Rules configured at implementation not updated as business grows; alert backlogs not formally tracked or disclosed | PSD2 Art. 95; AMLR; 52% of CAs cite inadequate monitoring capabilities |
| RegTech tool governance | Compliance tools are overseen by qualified personnel and audited for effectiveness | Tools deployed and largely unsupervised; no programme for rule recalibration or output testing | AMLR; EBA guidance; 277 material weaknesses linked to RegTech in 2023 to 2024 |
| Sanctions screening | Screen customers against EU consolidated list; re-screen at least daily | Screening conducted on transaction-by-transaction basis not aligned with Instant Payments Regulation customer-screening model; list updates lag real-time designations | EU Instant Payments Regulation; EBA restrictive measures guidelines (from 30 December 2025) |
| Compliance officer authority | Compliance officer has sufficient standing to escalate concerns and propose measures to the management body | Compliance concerns routinely deprioritised; escalations not documented or resolved | AMLR Art. 11 compliance officer governance; EBA guidelines on AML/CFT compliance officers |
| Ongoing monitoring | Re-verify higher-risk business relationships on a risk-based schedule; trigger ad-hoc reviews on material changes | Annual review cycle applied uniformly regardless of risk tier; ownership and registry changes not monitored between reviews | AMLR ongoing monitoring requirements; risk-based approach mandated throughout |
| Record retention | Maintain complete compliance records for five years from end of business relationship | Records dispersed across email, shared drives, and disconnected tools; difficult to reconstruct cohesive history for an examiner | AMLR Art. 77 five-year retention requirement |
| SAR filing and documentation | Investigate alerts within defined timelines; document investigation steps; file with FIU where suspicion confirmed | Alert backlogs prevent timely investigation; investigation steps undocumented; SAR filing decisions not recorded with sufficient reasoning | AMLR Art. 74 compliance officer personal responsibility for FIU reporting |
What Closing the Gap Actually Requires
Compliance teams that are honest about the gap between their policies and their practice consistently find that it does not have a single cause. It is usually several things happening at once: insufficient tooling in one area, insufficient team capacity in another, and insufficient management engagement with compliance as an operational rather than a documentary function.
Closing the gap starts with a genuine diagnostic. Not a policy review, which tells you what the policy says, but an operational audit that traces how a sample of real cases actually moved through the CDD, screening, monitoring, and review process and compares that journey to what the policy describes. The distance between those two things is the gap.
The regulatory pressure to close that gap is not hypothetical. The EBA's data shows that supervisory off-site reviews increased by 41 percent between 2022 and 2024, and that increased supervisory engagement led directly to a 40 percent increase in discovered breaches in the same period. Regulators are looking more closely, more often, and at a wider range of institutions than they were three years ago. The gap that has been manageable under lighter-touch supervision is the gap that produces enforcement findings under the closer scrutiny that is now standard.
The AMLR's governance requirements, particularly the compliance officer's personal accountability for the SAR filing decision and the management body's obligation to be genuinely engaged with AML/CFT oversight, are designed to make the gap visible at the highest level of the institution before it shows up in a supervisory inspection. They create an accountability structure that is harder to sustain if the operational reality does not match the written policy.
About SpeedyDD
SpeedyDD is a KYB and due diligence platform. Our mission is to help complex regulated businesses (PSPs, EMIs, CSPs, iGaming operators) and the financial institutions that serve them maintain audit readiness as a default state rather than as something reconstructed when a regulator or banking partner asks for evidence.
SpeedyDD connects to more than 3000 corporate registry data sources across more than 200 countries and territories, integrates directly with The KYB for registry data retrieval, and logs every verification decision, approval, and escalation automatically. The result is a KYB and due diligence record that matches what the policy describes and can be demonstrated to match, rather than one that requires a compliance analyst to reconstruct a narrative from disconnected files.

Frequently Asked Questions
What does the "compliance policy-to-practice gap" actually mean?
The compliance policy-to-practice gap refers to the distance between what a regulated institution's written compliance policies describe as its processes and what actually happens in practice when those processes are applied to real cases. It encompasses situations where policies exist but are not followed consistently, where the tools used to implement a policy do not meet the standard the policy describes, where volume or resource constraints prevent the process from being completed as written, or where staff lack the training or guidance to apply the policy correctly. The EBA's 2025 Opinion on ML/TF risks documents this gap as the primary driver of compliance failures across EU financial institutions.
Why do financial institutions that have compliance policies still fail supervisory inspections?
Because regulators examine what actually happened in practice, not what a policy says should have happened. When a supervisor reviews an institution's customer due diligence records, they look at whether the enhanced due diligence documented in a case file matches the standard the policy describes, whether the transaction monitoring alerts were genuinely investigated within the timelines the policy specifies, and whether the beneficial ownership information collected reflects the kind of registry-level verification the policy requires. Policies that describe aspirational standards rather than operational procedures create the conditions for this gap.
What did the EBA's 2025 findings actually say about the gap between policy and practice?
The EBA's July 2025 Opinion on ML/TF risks, drawing on EuReCA data from 2022 to 2024, found that customer due diligence shortcomings account for 61 percent of AML/CFT breaches across all sectors. The EBA specifically noted that credit institutions tend to have policies in place but fail to apply them effectively. It found 277 material weaknesses linked to RegTech tools and systems in 2023 to 2024, and identified that over half of serious compliance failures reported to EuReCA involved improper use of RegTech tools. It also found 203 material weaknesses in PEP controls over the same period, with one competent authority finding PEP deficiencies in at least 36 percent of full-scope inspections.
What is the most common operational gap that leads to AML breaches?
Customer due diligence is the most commonly breached area, accounting for 61 percent of violations in EuReCA. The most frequent manifestations are: CDD conducted through client self-declaration rather than independent verification sources; beneficial ownership collected without registry cross-referencing; enhanced due diligence steps described in policy but not completed in practice; and PEP identification that fails to consistently apply the threshold the institution's own policy describes. These are not policy failures. They are implementation failures, which is exactly what makes them so persistent.
Is the gap between policy and practice a sign of deliberate non-compliance?
Rarely. The EBA's own assessments and the wider pattern of supervisory findings suggest that most institutions with compliance gaps are not deliberately failing to comply. The more common cause is a combination of resource constraints that mean the compliance team cannot process the volume of cases the policy standards require, tool limitations that mean the technology is not delivering what the policy describes, inadequate training that means staff do not apply policies consistently, and governance gaps that mean the management body is not engaged with operational compliance reality closely enough to recognise or address the gap.
How does the AMLR change the regulatory treatment of the policy-to-practice gap?
The AMLR, applicable from July 2027, significantly raises the evidentiary burden on obliged entities. It requires compliance officers to produce business-wide risk assessments that reflect how the institution actually operates, not what it aspires to do. It requires five-year records of how customer relationships were verified, monitored, and reviewed. It requires genuine risk-based ongoing monitoring rather than calendar-driven review cycles. And its governance provisions, including the compliance officer's personal accountability for SAR filing and the management body's designated responsibility for AML/CFT oversight, create an accountability structure that is harder to sustain if operational practice does not match written policy.
What should a compliance team do if they suspect a significant gap between their policies and their operational practice?
The most productive first step is an operational audit rather than a policy review. An operational audit traces how a sample of real cases moved through each compliance process and compares that journey to what the policy describes. The audit should include sampling of CDD files to assess whether verification sources used match what the policy requires, review of transaction monitoring alert handling times against policy timelines, assessment of PEP identification and EDD completion rates, and a review of the regulatory change register to confirm that policy updates have been translated into operational procedure changes. The findings of that audit provide the basis for a remediation plan that addresses the specific gaps rather than simply updating policy language.
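The operational audit described in the section "What Closing the Gap Actually Requires" and in the answer above can be expressed as a small script: the policy standard is written down as data, a sample of case files is traced against it, and the output is a per-case list of findings plus the gap metrics a remediation plan needs. The example below is added here and is not SpeedyDD's code; the policy values (a registry source required for verification, alert timelines of 5 and 15 days by risk tier, the two PEP steps) and the four case files are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The policy standard expressed as data, so the same audit can be re-run after
# the policy changes. All values here are assumptions for this example.
POLICY = {
    "required_verification_sources": {"registry"},  # self-declaration alone does not meet the standard
    "alert_sla_days": {"high": 5, "standard": 15},  # days within which an alert must be closed
    "pep_required_steps": ("edd_completed", "senior_approval"),
}


@dataclass
class CaseRecord:
    """One sampled customer file, as reconstructed from the case management system."""
    case_id: str
    risk_tier: str                  # "high" or "standard"
    verification_sources: set       # e.g. {"registry"} or {"self_declaration"}
    is_pep: bool
    edd_completed: bool
    senior_approval: bool
    alert_opened: Optional[date] = None
    alert_closed: Optional[date] = None  # None with alert_opened set means the alert is still open


def alert_breach(case: CaseRecord, today: date, policy=POLICY) -> Optional[str]:
    """Return a finding if the alert on this case exceeded the policy timeline, else None."""
    if case.alert_opened is None:
        return None
    closed_or_today = case.alert_closed or today
    age = (closed_or_today - case.alert_opened).days
    limit = policy["alert_sla_days"][case.risk_tier]
    if age <= limit:
        return None
    state = "still open" if case.alert_closed is None else "closed"
    return f"alert {state} after {age} days; policy limit is {limit} days"


def audit_case(case: CaseRecord, today: date, policy=POLICY) -> list:
    """Compare one case journey with what the policy says should have happened."""
    findings = []
    if not (case.verification_sources & policy["required_verification_sources"]):
        findings.append("identity verified by self-declaration only; policy requires a registry source")
    if case.is_pep:
        for step in policy["pep_required_steps"]:
            if not getattr(case, step):
                findings.append(f"PEP relationship without {step}")
    breach = alert_breach(case, today, policy)
    if breach:
        findings.append(breach)
    return findings


def audit_sample(cases, today: date, policy=POLICY) -> dict:
    """Audit a sample of cases; return per-case findings and the gap metrics a remediation plan needs."""
    findings = {c.case_id: audit_case(c, today, policy) for c in cases}
    peps = [c for c in cases if c.is_pep]
    with_alerts = [c for c in cases if c.alert_opened is not None]
    breached = [c for c in with_alerts if alert_breach(c, today, policy)]
    summary = {
        "cases_sampled": len(cases),
        "cases_with_findings": sum(1 for f in findings.values() if f),
        "pep_edd_completion_rate": (sum(c.edd_completed for c in peps) / len(peps)) if peps else None,
        "alert_sla_breach_rate": (len(breached) / len(with_alerts)) if with_alerts else None,
        "open_alert_backlog": sum(1 for c in with_alerts if c.alert_closed is None),
    }
    return {"summary": summary, "findings": findings}


# Constructed sample: four case files as an auditor might pull them, not real data.
AUDIT_DATE = date(2026, 2, 1)
SAMPLE_CASES = [
    CaseRecord("C-001", "standard", {"registry"}, False, False, False),
    CaseRecord("C-002", "high", {"self_declaration"}, True, False, True,
               alert_opened=date(2026, 1, 5), alert_closed=date(2026, 1, 20)),
    CaseRecord("C-003", "standard", {"registry", "self_declaration"}, False, False, False,
               alert_opened=date(2026, 1, 2)),  # never closed: part of the unacknowledged backlog
    CaseRecord("C-004", "high", {"registry"}, True, True, True,
               alert_opened=date(2026, 1, 10), alert_closed=date(2026, 1, 13)),
]

if __name__ == "__main__":
    result = audit_sample(SAMPLE_CASES, AUDIT_DATE)
    print(result["summary"])
    for case_id, items in result["findings"].items():
        for item in items:
            print(f"{case_id}: {item}")
```

The point of keeping the policy as a data structure is that the audit measures the same thing on every run: when the policy text changes, the dictionary changes with it and the sample is re-traced, rather than the audit quietly testing an older standard. Open alerts are aged against the audit date, so a backlog nobody has formally acknowledged still shows up as a breach.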
How does the RegTech implementation gap contribute to compliance failures?
The EBA found that more than half of serious compliance failures reported to EuReCA involved improper use of RegTech tools. The most common manifestations are: tools deployed without adequate configuration for the institution's specific risk profile; rules in transaction monitoring systems not updated as the business evolves; screening lists not refreshed at the frequency the institution's policy or the regulatory framework requires; and tools overseen by staff who lack the expertise to assess whether the tool is functioning as intended. Buying a RegTech tool and configuring it at implementation closes part of the gap. Governing it as a live compliance control, auditing its output, and updating its rules as the business changes closes the rest.
What does "risk-based" ongoing monitoring actually require in practice?
Risk-based ongoing monitoring requires that the frequency and intensity of re-verification for each customer relationship are determined by the risk rating assigned to that relationship rather than by a uniform calendar schedule. In practice this means higher-risk customers, including those in high-risk sectors, high-risk jurisdictions, with complex ownership structures, or with PEP connections, must be reviewed more frequently than standard-risk customers. It also means that automated change detection, such as alerts on registry status changes, ownership changes, or new sanctions designations, should trigger ad-hoc reviews outside the scheduled cycle. The AMLR's risk-based approach to ongoing monitoring explicitly requires this differentiation, and regulators assess whether it is applied by examining whether the monitoring records for higher-risk customers show materially greater frequency and depth than those for standard-risk customers.
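The difference between calendar-driven and risk-based ongoing monitoring is easiest to see in a scheduler. The example below is added here and is not SpeedyDD's code: it assigns review intervals by risk tier, lets change events from automated monitoring (registry status, ownership, sanctions designations) trigger ad-hoc reviews outside the cycle, and records the reason for each review so the monitoring file later shows why it happened. The intervals (90, 180 and 365 days), the set of trigger event kinds, and the customers and events are all constructed assumptions for illustration; an institution sets its own in its risk assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review cycle by risk tier. These intervals are assumptions for the example; an
# institution sets its own in its business-wide risk assessment.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "standard": 365}

# Detected changes that trigger an ad-hoc review regardless of the schedule (assumed list).
TRIGGER_EVENTS = {"registry_status_change", "ownership_change", "sanctions_designation"}


@dataclass
class Customer:
    customer_id: str
    risk_tier: str
    last_review: date


@dataclass
class ChangeEvent:
    """A change observed by automated monitoring, e.g. a registry or sanctions-list feed."""
    customer_id: str
    kind: str
    observed: date


def next_scheduled_review(customer: Customer) -> date:
    return customer.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[customer.risk_tier])


def reviews_due(customers, events, today: date) -> dict:
    """Return {customer_id: reason} for every relationship that needs a review on `today`.

    The reason string is what gets written to the monitoring record, so the file
    later shows whether a review was scheduled or event-driven."""
    by_id = {c.customer_id: c for c in customers}
    due = {}
    for c in customers:
        if next_scheduled_review(c) <= today:
            due[c.customer_id] = (f"scheduled: {c.risk_tier}-risk cycle of "
                                  f"{REVIEW_INTERVAL_DAYS[c.risk_tier]} days elapsed")
    for e in events:
        c = by_id.get(e.customer_id)
        # Ignore unknown customers, non-trigger events, future events, and
        # changes already covered by the last completed review.
        if c is None or e.kind not in TRIGGER_EVENTS or e.observed > today or e.observed <= c.last_review:
            continue
        # An ad-hoc trigger overrides the scheduled reason: the record should show the change.
        due[e.customer_id] = f"ad-hoc: {e.kind} observed on {e.observed.isoformat()}"
    return due


def uniform_annual_due(customers, today: date) -> set:
    """The calendar-driven alternative: everyone once a year, no event triggers."""
    return {c.customer_id for c in customers if c.last_review + timedelta(days=365) <= today}


# Constructed sample data for the example.
TODAY = date(2026, 2, 1)
CUSTOMERS = [
    Customer("A", "high", date(2025, 12, 1)),      # reviewed recently, but ownership changed since
    Customer("B", "standard", date(2025, 1, 15)),  # annual cycle has elapsed
    Customer("C", "medium", date(2025, 11, 1)),    # nothing due
    Customer("D", "standard", date(2025, 10, 1)),  # newly designated on a sanctions list
    Customer("E", "high", date(2025, 10, 1)),      # 90-day cycle elapsed
]
EVENTS = [
    ChangeEvent("A", "ownership_change", date(2026, 1, 20)),
    ChangeEvent("D", "sanctions_designation", date(2026, 1, 28)),
    ChangeEvent("E", "registry_status_change", date(2025, 9, 15)),  # predates E's last review
    ChangeEvent("C", "address_change", date(2026, 1, 5)),           # not a trigger event
]

if __name__ == "__main__":
    for customer_id, reason in sorted(reviews_due(CUSTOMERS, EVENTS, TODAY).items()):
        print(customer_id, reason)
    print("uniform annual cycle would flag only:", sorted(uniform_annual_due(CUSTOMERS, TODAY)))
```

On this sample the risk-based scheduler flags four of five relationships (two by cycle, two by change event), while the uniform annual cycle flags one. The reason string is the part an examiner cares about: a monitoring record that shows "ad-hoc: sanctions_designation observed on 2026-01-28" evidences that monitoring was risk-driven in a way that a row of annual tick-box dates does not.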
