2025 So Far: Key Compliance Trends
- Kodex AI
- Jul 27
- 7 min read
Updated: Jul 29
As we enter mid-2025, compliance teams face a complex, interconnected regulatory landscape marked by rapid technological change, geopolitical tensions, and an expanding patchwork of rules. In Europe and beyond, new directives (on AI, AML, sustainability, etc.) and increasing third‑party dependencies demand a holistic, strategic approach to compliance. No longer is compliance merely a “tick‑box” exercise; instead, organisations must embed risk management in their business strategies, prioritizing resilience, sustainability and agility.
In this article, we'll cover some of the most pressing issues financial institutions should continue to monitor, and where the opportunities lie to create long-term value in the second half of the year.
The Core Priorities: What’s Still Driving the Compliance Agenda
Across regions, seven priorities remain consistent, even though the weight each carries varies by market maturity, regulatory posture, and geopolitical context.
1. Artificial Intelligence
Artificial intelligence is no longer just a future consideration — it's fast becoming a core component of modern compliance strategies. In 2024, 41% of financial institutions reported plans to allocate over 10% of their digital budgets to generative AI — reflecting a growing confidence in AI’s ability to drive efficiency, improve decision-making, and support real-time regulatory response.
As adoption accelerates, regulators are stepping in to provide clearer guardrails. The EU AI Act, for instance, introduces a risk-based framework for AI systems, with specific expectations for high-risk applications in financial services. Global authorities — including the G20 and OECD — are also shaping emerging norms around AI model governance, auditability, and transparency.
For compliance teams, the path forward is both promising and practical: AI tools offer speed and scale, but also require thoughtful governance. Inventories of AI systems, clear risk assessments, and explainability for high-impact use cases are becoming standard expectations.
At Kodex AI, we see this shift as an opportunity to reimagine compliance. Our agentic AI approach ensures human oversight, regulatory alignment, and purpose-built intelligence — helping financial institutions adopt AI safely, strategically, and with confidence.
2. Cybersecurity & Operational Resilience
Cyber threats and IT outages are growing concerns. The EU’s NIS2 Directive (transposition deadline 17 October 2024) greatly expands security requirements for firms in all “critical sectors” (including banking and cloud services), mandating strong risk management, an early warning to the national authority or CSIRT within 24 hours of becoming aware of a significant incident (with a fuller notification within 72 hours), and hefty fines (up to €10M or 2% of global annual turnover for essential entities). The EU’s Digital Operational Resilience Act (DORA), applicable from 17 January 2025, similarly requires financial firms to test IT systems, build contingencies, and ensure third‑party providers meet security standards. Real‑world events highlight this risk: in July 2024 a faulty content update to CrowdStrike’s Falcon sensor crashed roughly 8.5 million Windows machines, widely described as the largest IT outage to date, and triggered intense regulatory scrutiny. Notably, this was not a cyber‑attack but a vendor change‑management failure, precisely the class of event DORA’s ICT‑risk and third‑party rules are meant to address. In response, authorities are bringing major cloud and tech vendors under direct oversight (designating them as “critical ICT third‑party service providers” under DORA). Compliance teams should therefore integrate cyber‑resilience into governance: coordinating with IT, conducting regular cyber‑incident drills, and reviewing vendor SLAs.
3. Data Privacy
Data privacy enforcement remains high. In 2024 EU data protection authorities imposed a record €1.2 billion in GDPR fines (bringing the total since 2018 to €5.88B), with tech giants (LinkedIn €310M, Meta €251M, Uber €290M) bearing the largest sanctions. Aside from fines, regulators are probing data subject rights and algorithmic risk (e.g. GDPR compliance of AI systems). Compliance teams must maintain robust data governance, especially as AI expands data usage, and ensure customer communications are clear. Consumer protection is also rising: authorities demand fair product governance (see the UK’s new “Consumer Duty”) and tighter controls on payment fraud, covered under Financial Crime & Fraud below.
4. Third-Party & Supply Chain Risk
Reliance on vendors, service providers and complex supply chains is intensifying. Many financial institutions depend on the same few tech and outsourcing vendors (Big Tech cloud, payment platforms, etc.), which creates concentration risk. Regulatory awareness is growing: in Europe and the UK, significant third parties (e.g. cloud providers) are being designated as “critical third-party providers” subject to oversight. The CrowdStrike outage underscores how a vendor glitch can cascade systemically. Compliance and operational teams must therefore map all critical third-party relationships, enforce strict risk controls in contracts, and conduct rigorous due diligence and monitoring. AI-powered risk intelligence tools can assist by continuously scanning vendors for issues across sanctions, corruption, media reports and ESG factors.
5. Financial Crime & Fraud
AML/CFT and fraud control remain perennial priorities. Regulators globally have dramatically increased enforcement: for example, 2024 saw over $3.2 billion in AML fines just for banking institutions. Notable trends include FATF updates on risk assessments and virtual assets, cross-border sanctions enforcement (e.g. EU/UK/US lists), and elevated fraud schemes (including scams leveraging AI). In June 2024, FinCEN warned that “AI will heighten fraud risk,” as fraudsters use sophisticated tools to deceive consumers. In the UK, the Payment Systems Regulator now requires payment firms to reimburse victims of authorised push payment (APP) fraud, where the customer is deceived into sending the payment themselves, up to £85,000 per claim under the mandatory reimbursement regime in force since October 2024. Compliance must fortify the basics (customer due diligence, EDD, effective transaction monitoring, SAR filings, sanctions screening) while deploying advanced analytics (ML/AI) for predictive detection.
6. ESG & Sustainability Compliance
Environmental, Social and Governance factors have moved into core compliance priorities. The EU has rolled out sweeping ESG rules: the Corporate Sustainability Reporting Directive (CSRD) now covers many mid‑sized firms, and the new Corporate Sustainability Due Diligence Directive (CSDDD) (approved March 2024) will require large companies to conduct human‑rights and environmental due diligence by 2027.
Likewise, the EU’s Sustainable Finance Disclosure Regulation (SFDR) and anticipated omnibus “simplification” laws aim to streamline sustainability reporting. Compliance functions must collaborate with sustainability and supply‑chain teams – for example, mapping the value chain for forced-labor risks in anticipation of the new EU Forced Labor Ban, and aligning CSDDD due‑diligence processes with existing CSRD reporting. These ESG mandates are intertwined with risk management: robust compliance programs not only reduce harm and fines but can improve operational efficiency and brand reputation.
7. Regulatory Complexity & Geopolitical Risk
Companies now navigate a maze of overlapping rules across jurisdictions. EU/UK differences (e.g. in data privacy, AI, sanctions) combine with global issues (US crypto law, APAC fintech). Moreover, geopolitical flashpoints — from the war in Ukraine to Middle East conflicts — continually reshape compliance obligations (new sanctions, export controls, foreign asset monitoring). Compliance officers must monitor geopolitical developments, adapt rapidly to shifting sanctions and export rules, and stress-test business continuity under different scenarios. This includes updating compliance due diligence for partners in high-risk regions and coordinating closely with risk, legal and trading desks.
A Period of Regulatory Recalibration
One of the most notable mid-year developments is a broader trend toward regulatory simplification. In Europe, the Commission’s “omnibus” simplification proposal would remove roughly 80% of companies from the scope of the Corporate Sustainability Reporting Directive, and the accompanying “stop‑the‑clock” measure has already postponed reporting deadlines for the next waves of in‑scope firms. In the UK and US, agencies are shifting toward principles-based or outcomes-based supervision, rather than prescriptive rulebooks.
This shift brings both relief and risk.
For compliance teams, simplification offers a window to optimize inefficient legacy processes. But it also demands more judgment, more cross-functional engagement, and a stronger internal culture—especially where regulators shift the burden of accountability to the firm’s leadership.
What Comes Next: Action Items for Compliance Leaders
To operationalize these priorities, compliance officers should take concrete steps now:
Conduct Comprehensive Risk Assessments: Update the enterprise compliance risk assessment to include emerging risks: AI/ML risks, cyber‑attack scenarios, sanctions changes, supply chain disruptions, climate risks. For each major new threat, determine potential impact and likelihood, and adjust controls accordingly.
Revise AML/CFT Policies: Review AML/CFT and KYC policies to align with the new EU AML Authority and evolving FATF expectations. Strengthen customer risk-rating methodologies and transaction monitoring rules to incorporate new typologies (e.g. de-risking, crypto-based laundering). Perform independent testing and ensure audit trails are maintained for all red-flag investigations.
Update Cyber & Incident Response Plans: Ensure incident response plans comply with NIS2/DORA requirements, including notification templates and the clocks those rules impose (under DORA, the initial notification of a major ICT‑related incident is due within 4 hours of classifying it as major and no later than 24 hours after becoming aware of it, followed by an intermediate report within 72 hours of the initial notification and a final report within one month). Test these plans with cross‑functional drills that start the clock from detection, not from the moment someone remembers the reporting duty. Verify that all critical ICT third-party contracts meet security standards (e.g. encryption, access controls) and include right‑to‑audit clauses as envisaged under DORA oversight.
Enhance Third-Party Oversight: Map all third-party service providers and rank them by criticality. For top-tier vendors, conduct deep-dive due diligence (information security audits, financial stability, compliance controls). Establish continuous monitoring of vendor risk (using AI tools where possible). Engage with key providers to understand their own resilience planning and compliance posture.
Strengthen Fraud Controls: Review anti-fraud controls across payment channels. Update payment transaction monitoring rules to detect increasing social-engineering scams. Implement or refine push-payment fraud detection (e.g. voice/phishing detection tech). If not already in place, implement the new UK‑style reimbursement approach for APP fraud: ensure policies are ready to refund victims where legally required.
Integrate ESG and Compliance: Align sustainability and compliance teams. Begin drafting human-rights and environmental due-diligence processes for the CSDDD, mapping high-risk suppliers now. Coordinate with finance to embed ESG metrics into enterprise risk dashboards. Prepare disclosures and control frameworks to meet the broader CSRD/SFDR requirements.
Engage Senior Management: Regularly brief the board/C-suite on emerging risks and compliance performance. Frame compliance not just as a cost, but as a competitive advantage (e.g. “responsible innovation” under AI Act). Develop clear communications (e.g. “elevator pitches”) so that staff at all levels understand key compliance priorities.
Leverage Technology and Analytics: Invest in AI‑enabled risk intelligence to aggregate data on threats (sanctions lists, litigation, news media, etc.) into one view. Use workflow tools to streamline compliance checks (e.g. automated KYC refreshes). Consider co-sourcing or strategic partnerships to access specialized compliance technology or analytics, freeing internal teams to focus on exceptions and strategic issues.
Maintain Regulatory Dialogue: Engage proactively with regulators and industry groups. For example, participate in AML/CFT consultations or NIS2 working groups to influence implementation and stay ahead of guidance. In a fragmented world, close coordination with peers (e.g. via trade associations) helps interpret differences between jurisdictions.
Final Thought
In mid‑2025, compliance officers must balance vigilance with agility. The coming months will test organizations’ ability to integrate new rules (DORA, AI Act, AMLA, ESG, etc.) while combating rising fraud and cyber threats. By adopting a risk‑based, cross-functional approach and leveraging new technologies, compliance teams can turn these challenges into strategic wins. As one expert put it, effective compliance today means being an “enabler” – understanding risks and then helping the business grow within safe bounds.
Ultimately, success in 2025 requires collaboration across legal, IT, finance and operations, and a mindset that compliance is integral to sustainable growth. With proactive planning and clear governance, organizations can not only meet the year’s complex demands, but also bolster their resilience and reputation for the future.