Performing the wrong play
Why compliance theatre's real problem is not the theatre, it is the script
Ending compliance theatre will be our rallying cry at the forthcoming ICA Conference. The theatre in question is firms producing audit trails and populating dashboards instead of doing the substantive risk work the risk-based approach requires, with a Business-Wide Risk Assessment that is fit for purpose at its centre.
This diagnosis, however, assumes there is a genuine obligation behind the performance, and the firm is failing to discharge it. There is a second-order version that is worse, harder to see, and increasingly material.
What if part of the script the theatre is performing against is not in the regulation at all?
Borrowing from the current fever around AI: financial crime compliance has accumulated a body of what might be called industry hallucinations, constructs that function as if they were primary regulatory obligations, when their anchoring is in guidance, supervisory practice and convention rather than in statutory rules. They are not without basis. They emerged because the risk-based approach is genuinely hard to operationalise at scale, and supervisors, guidance bodies and firms collectively converged on shortcuts that made it tractable. But their basis is more contingent than firms' compliance architecture typically reflects.
The argument is not against evidencing, or against guidance, or against the conventions themselves. It is narrower: when conventions are mistaken for primary obligations, the substantive risk-based analysis they were meant to enable starts to be displaced by the conventions themselves.
Three stabilised conventions worth examining
The annual review cadence. Ask any compliance professional about reviewing high-risk relationships and the answer comes back without hesitation: annually, at minimum. It appears in firm policies, vendor configuration, and audit findings. Annual review is not, however, currently a primary statutory obligation. The MLRs require ongoing monitoring on a risk-sensitive basis without specifying frequency. The annual cadence has hardened through JMLSG guidance (which, as HM Treasury-approved guidance, carries significant weight in demonstrating compliance), FATF expectations, Wolfsberg standards and supervisory enforcement framing into a de facto expectation. Historically, however, the cadence has operated more as a stabilised convention layered onto the underlying obligation than as the obligation itself. Treating the two as identical risks the cadence driving the analysis rather than the other way round.
The "high-risk customer" category. The vocabulary is so universal that questioning it feels ungrammatical. The regulation does not define a unified high-risk customer category. It identifies specific customer-level EDD triggers (PEPs under regulation 35, customers established in high-risk third countries under regulation 33(1)(b)) and otherwise predicates risk on situations, relationships and transactions. Firms have aggregated these heterogeneous triggers, together with discretionary risk judgements, into a single operational class. The aggregation is operationally tractable but conceptually lossy: it collapses mandatory triggers, jurisdictional triggers and risk judgements into one bucket, which then drives a single uniform treatment.
The EDD-equals-high-risk equivalence. In most firms, "EDD-required" and "high-risk customer" are treated as the same set. The MLRs do not require these to be equivalent: EDD triggers are prescribed; the risk rating is the firm's own output. Guidance and supervisory practice have produced near-equivalence in operation, and any firm that decoupled them would face questions from audit and supervisors. But the categories are not coextensive, and the routine collapse obscures the two cases that matter most: the customer who is high-risk on cumulative exposure with no single mandatory trigger, and the customer whose EDD trigger is procedural rather than risk-driven.
How conventions stabilise, and why it matters
The mechanism is structurally similar to AI hallucinations, with one important difference: the conventions are co-authored. Practitioners inherit policies built on prior assumptions. Vendors encode them into operational architecture. Consultancies package them into repeatable models. Supervisors actively use the same vocabulary in enforcement and thematic findings, which industry takes as confirmation. JMLSG, in turn, formalises industry practice into HMT-approved guidance. The convention is jointly produced, not industry-imposed and supervisor-tolerated. That joint authorship is part of why the conventions are so embedded: every actor has a stake in their persistence.
Most MLROs will probably recognise at least part of this dynamic, even if they would not describe it in these terms.
The problem is not that the conventions exist. The problem is what happens when the convention and the underlying obligation are no longer distinguished from each other.
The performance becomes invisible. The standard being performed against and the standard a critic would apply are the same convention. Audit signs it off. The Board reviews and approves it. Supervisors often accept it because the same vocabulary exists across the industry. There is no external vantage point from which to see the play has drifted.
The performance manufactures the obligation. An audit trail of annual reviews becomes the record that "the firm complies", cited in supervisory submissions and benchmarks as confirmation the obligation is real. The convention self-stabilises through its own performance.
The performance crowds out the work the risk-based approach actually requires. Annual reviews of every PEP consume bandwidth that should be applied to the dozen relationships where exposure drivers genuinely stack and controls are weak. The displacement falls on exactly the analysis the regulation does require.
Why this matters now
None of this means supervisors expected firms to assess every relationship from first principles. They accepted tier-based shortcuts as a reasonable proxy for two decades. That tolerance is eroding. The FCA's 2025 multi-firm review on Business-Wide Risk Assessment criticised firms for conflating regulatory risk factors with risk drivers, and for treating customer risk ratings as a substitute for risk-event analysis. The EU AMLR, applying from July 2027, is more pointed: Article 20(2) requires individual analysis based on the specific characteristics of the client and the relationship. A purely tier-driven model becomes increasingly difficult to defend in that context. The vocabulary that protected firms is becoming the vocabulary that exposes them.
Making the risk-based approach work
The response is not to dismantle the conventions. It is to re-anchor them. Risk attaches to situations (actor, action, pathway, consequence), not to customer status. Customers contribute exposure to risk events through specific drivers. Controls attach to risk events. EDD is triggered by prescribed cases or by identified higher-risk situations.
A tier-based view can survive in the operating model, but the tier should be derived from the underlying risk model rather than substituting for it. The methodology should show why a customer is rated high-risk: which exposure drivers, which risk events, which control gaps. Evidencing then becomes a residue of substantive work, rather than the substantive work being shaped to fit the template.
A diagnostic
Three questions for any existing financial crime methodology:
Where does the construct of "high-risk customer" sit in our framework, and what is the chain of authority back to a primary obligation?
Where does the obligation to review high-risk relationships annually sit, and is that cadence the output of our risk model or an input we have assumed?
If we distinguished, in our framework, between primary statutory obligations and stabilised conventions, what would change in how we allocate effort?
The discomfort produced by those questions is the diagnostic test. If the framework cannot survive them, the compliance activity organised around it is, at least in part, performance against a script that has drifted from the regulation it claims to implement. That has been operationally tolerable for twenty years. It is becoming less so.
The fever around AI hallucinations may pass. The structural problem in financial crime compliance will not, until the industry develops the same critical reflex about its own confidently-asserted constructs that it is currently demanding of large language models.
If the industry is serious about ending compliance theatre, and serious about making the risk-based approach actually work, it may first need to ask whether it has been performing the right script along the way.