This paper aims at analysing how regulatory changes, introduced post-Basel III, have shaped the role of Compliance Function (CF) in “financial institutions”, where “banks” are the cynosure of the research.
This study combines a systematic literature review with content analysis to classify the selected sample into clusters and respective sub-clusters.
This research identifies six clusters underscoring the pivotal role of CF to address the challenges that all “financial institutions” – banks, financial investment firms, insurance companies and other types of financial intermediaries, including those structured as FinTech companies – face to adopt provisions of the financial regulatory framework and to observe good operational practices.
The analysis mainly focuses on European institutions, making the results less applicable to other contexts with different financial systems and regulations. As a result, global compliance challenges, especially in emerging markets or less harmonised systems, may not be fully represented.
From the perspective of financial institutions and regulatory authorities, this paper confirms the centrality of the CF in a dynamic environment, enhancing the organisation’s strategic resources. The results contribute to implementing best practices for the CF, thereby achieving efficiency, resilience, profitability and stability across all financial institutions.
The CF serves as a critical safeguard against banking crises by ensuring adherence to regulatory frameworks and fostering sound risk management practices. A robust compliance culture mitigates systemic and idiosyncratic risks, reducing the likelihood of misconduct and financial malfeasance that could lead to widespread economic consequences.
This paper has highlighted which aspects of CF are most investigated in the literature, outlining a clear path of its activities and clearly recognising the strategic role in the organisations.
1. Introduction: background and motivation
Legislation owed much to the Basel Accords, which represent a major evolution in international banking regulation, developing through several stages over the years. Basel I (1988) introduced the first minimum capital requirement aiming to enhance stability and establish a global regulatory framework. Basel II (2004) expanded and improved capitalisation requirements by introducing greater risk sensitivity using weightings. Basel III (2010) introduced stricter measures to ensure banks’ resilience in times of economic stress and further strengthened capital and liquidity requirements in response to the 2007–2008 financial crisis. Recently, Basel III+ or Basel IV (2024) have been proposed to further consolidate previous reforms and address emerging challenges in the global financial landscape. Among the regulatory frameworks of particular significance for banking institutions are the Capital Requirements Directive (CRD), the Capital Requirements Regulation (CRR), the Mortgage Credit Directive, the Securitisation Regulation, the Payment Services Directive 2, the Anti-Money Laundering Directive, the Wire Transfer Regulation and the Bank Recovery and Resolution Directive (BRRD). In addition, the Investment Firms Regulation and the Investment Firms Directive, which focus primarily on investment firms, as well as the Deposit Guarantee Schemes Directive, aimed at deposit insurers, are also noteworthy. Further key developments come from the European Union’s (EU) sustainable finance framework, including the EU Taxonomy Regulation (EU Taxonomy), the Sustainable Finance Disclosure Regulation (SFDR) and the Corporate Sustainability Reporting Directive (CSRD), which replaces and expands the previous Non-Financial Reporting Directive (NFRD). Moreover, the upcoming European Green Bond Standard and the introduction of climate-related benchmarks represent significant steps towards enhanced transparency and comparability in Environmental, Social and Governance (ESG) investing.
Each of these regulations has followed a distinct developmental trajectory, leading to new responsibilities for the management of financial institutions, as well as the establishment of new internal control functions (e.g. the ICT function, recently recommended by EBA/GL/2019/04). These functions are highly professionalised, increasingly specialised and require multidisciplinary expertise. Given this premise, Compliance Activities (“CA”) require a well-prepared team with diversified skills, primarily encompassing legal and economic-financial competencies. This is evident from several literature reviews that have already addressed the topic of compliance in financial institutions. Among these, the contribution by Edwards and Wolfe (2005) highlights how compliance is fundamental to the functioning and reputation of banks and is now fully integrated into their business practices. More recently, Ibáñez Zapata (2017) identified emerging trends that are reshaping regulatory compliance management, with particular emphasis on the growing role of corporate ethics. The present study positions itself within this international literature, aiming to provide a more updated perspective that takes into account both the most recent regulatory developments and evolving industry trends. Building on these foundations, the study aims to further explore how regulatory and broader environmental changes, particularly those implemented following the introduction of Basel III, have shaped the evolution and increased the strategic relevance of the Compliance Function (“CF”) within financial institutions. Although the primary focus of this literature review is on the banking sector, the analysis also considers a smaller number of studies relating to other types of regulated financial intermediaries such as investment firms, FinTech companies and insurance institutions, where relevant.
This broader scope allows for a more comprehensive understanding of how the CF has evolved across different segments of the financial sector. Therefore, this study differs from previous contributions not only in terms of the time horizon considered, focusing on developments following the introduction of Basel III, but also in the range of financial intermediaries analysed, which include not only banks but also a wider set of financial actors.
To achieve the objective, a dual-methodology approach was used. A systematic literature review, based on the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework, led to the selection of 78 articles. Co-authorship and keyword analyses were used to examine the sample’s key characteristics. A country filter focusing on EU member states and the UK was applied to capture developments linked to Basel III and the Single Rulebook, both central to the harmonisation of banking regulation in Europe. However, the sample also includes some studies from other contexts, such as the USA and Brazil. These papers, although not directly within the geographical focus, have been maintained as they provide useful comparative insights into the differences in the implementation of similar regulations and their impact in different regulatory and cultural environments.
Following the identification of the sample, a full reading of the selected papers was carried out to perform a content analysis, through which the main themes addressed in the literature were coded. This coding process allowed for the association of each paper with one of the six thematic clusters previously defined, providing a structured overview of the focal areas related to the CF. Each cluster reflects a distinct and significant dimension of the CF and contributes to clarifying its role and evolving dynamics within financial institutions.
The graphical abstract provides a conceptual overview of the study, synthesising its objectives, methodology and key findings. It is intended to guide the reader through the paper by presenting a concise visual synthesis of its core elements.
The paper is structured as follows: Section 2 outlines the methodology adopted; Section 3 presents and discusses the results of the research; finally, Section 4 sets out the conclusions and limitations of the study.
2. A dual-methodology approach
The study used a dual-methodology approach. First, a systematic literature review was conducted using the PRISMA framework to ensure methodological rigour and transparency in the selection process of relevant literature. Subsequently, a content analysis was performed on the selected corpus to identify and code the main themes emerging from the literature. Based on this coding, the papers were grouped into six thematic clusters that had been defined a priori, drawing upon the authors’ domain expertise and accumulated research experience. These conceptual categories (described in detail in subsection 3.1) provided an interpretive framework that guided the classification of the selected articles after the coding phase. The papers were then systematically allocated to the predefined clusters, thereby enabling a structured synthesis of recurrent topics and research trajectories, as illustrated in Figure 1.
This flowchart outlines the process of conducting a literature search, beginning with the identification of eleven thousand seven hundred seventy-nine sources. It includes the PRISMA framework, which facilitates the review process, leading to seventy-eight identified papers and subsequent content analysis. The flowchart shows the coding of the main themes and culminates in the synthesis of six thematic clusters, defined a priori, reflecting the authors' domain expertise. Arrows indicate the direction of flow between each stage of the process, with some elements noted in distinct shapes for visual clarity.
Research design
Source: Authors’ own work
As is widely known, the systematic literature review is a structured method for synthesising scientific evidence to answer a specific research question, prioritising transparency, reproducibility and comprehensive inclusion of relevant studies (Lame, 2019; Kitchenham and Charters, 2007). The advantage of this approach is that it does not simply list the results of the literature, but critically assesses the quality of the included studies, providing an objective interpretation and in-depth synthesis of the available evidence (Kitchenham and Charters, 2007; Carrera-Rivera et al., 2022), offering a comprehensive and structured overview of the evolution and characteristics of CF in financial institutions post-Basel III.
The data collection process followed the PRISMA guidelines, which are internationally recognised for their ability to ensure transparency and methodological rigour in systematic reviews, as illustrated in Figure 2. The Scopus scientific database and the Google Scholar search engine were used for the purpose of searching relevant articles. A set of specific inclusion and exclusion criteria was established to assure the relevance of the selected research results.
The chart outlines the research identification process in three stages. Under Identification, 11,779 records were identified from the Scopus database, and 11,325 were excluded, leaving 454 screened records. In the Screening stage, 151 reports were sought for retrieval after filtering for title, abstract, and duplicates, with 303 excluded and 37 duplicates removed. Of the 114 full-text reports assessed for eligibility, 30 were excluded for non-pertinent content and 6 for being non-downloadable. In the Included stage, 78 studies were finally included in the review.
PRISMA flow diagram
Source: Search process based on Page et al. (2021)
In this study, the analysis is based on data collected since 2010, when the Basel III framework was approved, to ensure consistency with contemporary regulation. Moreover, this period has been characterised by profound regulatory and institutional changes, culminating in the establishment of the Single Supervisory Mechanism (SSM). The analysis was limited to studies of institutions in EU member states and neighbouring countries (e.g., the UK) to ensure consistency with the European regulatory environment. English-language articles were selected to improve relevance and comparability, with preference given to peer-reviewed and open-access articles to ensure scientific rigour and transparency. Based on the impact that the receipt of regulations has on the CF and on its tasks and its role within the organisation, keywords have been identified to examine what aspects the literature focuses on. The research was conducted using several strategically selected and combined keywords: Financial institutions; Banks; Internal governance; Internal control functions; Compliance Function; Regulatory Compliance; Basel Committee; Single Rulebook; AMLD; RegTech; and SupTech. To ensure a targeted and relevant selection of the literature, keywords were searched specifically within the title, abstract and keywords section of the article. For more details on string structure, refer to the contents of Appendix I (available in the supplementary files). The selection process was divided into phases: the first phase, which led to the identification of the initial sample, applied inclusion and exclusion criteria to remove out-of-scope works, reducing the data set from 11,779 to 454 articles. The second phase involved manual screening to deepen the collected content and better define the focus of the research topic. 
The identified sample was then entered into Rayyan.ai citation management software (Ouzzani et al., 2016), which was used for inclusion or exclusion steps based on the key elements of the articles (title, abstract and keywords), leading to the exclusion of 303 studies and the removal of 37 duplicates. In the third and final phase, articles were read in full and further screened based on relevance to the research scope, concluding with a final selection of 78 articles considered relevant to the analysis.
As concerns the content and cluster analysis, the study adopted the methodology used by Šerić and Šerić (2021) and Murè et al. (2025). Specifically, the content of the papers was primarily analysed to identify the main themes and coded to reflect the research area. Based on the obtained classification, each research work was associated with one of the specific clusters. Each cluster represents an area of focus that helps to understand the role of the CF within financial institutions. This approach is consistent with the objective of interpreting and synthesising the content of the literature into meaningful clusters and allows for capturing the conceptual and thematic nuances investigated in the literature.
2.1 Strategic relevant area explored in the literature
The research focused on several key aspects of CF in financial institutions.
Initially, the literature was reviewed to assess how CA are investigated in the scholarly production, identifying key components like regulatory, legal and operational aspects of CF.
The study also addressed the impact of the Single Rulebook on regulatory harmonisation and CF. In addition, the research investigates the connection between CA and frameworks such as AMLD, CRR, CRD, BRRD, SFDR, CSRD and NFRD. It also examines the relationship between CF and other internal control functions, such as Risk Management and Internal Audit. Finally, the exploration moves towards emerging topics dealing with the impact of technology, known as Financial Technology (FinTech), specifically the Regulatory Technology (RegTech) and Supervisory Technology (SupTech) domains.
3. From cluster descriptions to discussion: an exploratory analysis
3.1 Detailed feature profiles
To achieve the research objective, which involves identifying key emerging research streams and themes during the Basel III to Basel IV period, clusters are established based on a distinction between exogenous factors (Clusters 1 and 2) and endogenous factors (Clusters 3, 4, 5 and 6). From an exogenous perspective, Cluster 1 investigates the influence of regulatory frameworks on CF and CA, while Cluster 2 focuses on Crisis Management, Governance and Compliance Dynamics, aiming to shed light on how the CF operates and adapts during periods of crisis in financial institutions. From an endogenous perspective, Cluster 3 focuses on the organisational aspect of CF, while Cluster 4 investigates internal control functions, with a particular emphasis on Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT). Cluster 5 seeks to assess the level of detail scholars attribute to CA; for instance, activities undertaken by the CF from an ex ante perspective encompass regulatory impact assessments, legal opinions and verification activities stipulated in the Compliance Plan approved by the financial institutions’ governing bodies. Given the recent relevance and priority accorded by regulatory authorities, Cluster 6 explores the application of technology in enhancing the CF and authorities. Furthermore, to enhance clarity and comprehension, Clusters 1, 2 and 3 have been subdivided into smaller clusters.
Figure 3 shows how publications evolved over time and the evolution of clusters and topics in literature. As concerns scholarly production, the number of publications exhibited a steady increase from 2014 to 2024. This rise suggests a growing interest from academia and industry in compliance-related topics, likely driven by evolving regulatory frameworks, emerging challenges and the increasing role of technology in compliance management. Overall, the growing number of publications underlines the evolving complexity of CF and the need for continuous adaptation in response to regulatory, economic and technological changes. Cluster 1 has been a consistently relevant topic, forming the basis of compliance studies. Cluster 2 has seen periodic peaks, possibly due to regulatory responses to financial and economic crises. Cluster 3 and Cluster 4 maintained steady contributions, underlining ongoing concerns about Risk Management and anti-money laundering efforts. More recently, there has been an increased emphasis on Cluster 6 reflecting the rise of FinTech, specifically RegTech and SupTech solutions. The upward trend in technology-driven compliance research suggests that automation, AI and data analytics are becoming central to regulatory and organisational strategies, aligning with the broader digital transformation of financial services. Remarkably, no academic contribution systematically addressed the topic of Cluster 5 regarding the effectiveness of compliance annual plan and specific activities of the function in an ex ante and ex post perspective.
This image presents a stacked bar chart illustrating the distribution of data across six clusters labeled from Cluster 1 to Cluster 6 over a time range from 2014 to 2024. The x-axis represents the years, with each year clearly marked. The y-axis indicates the quantity levels, ranging from zero to fourteen. Each cluster is represented by a different color stacked within the bars for each year, allowing for an easy comparison of the contributions of each cluster over the specified years. The chart shows fluctuations in cluster contributions, particularly notable increases in specific years, reflecting changes in data distribution over time.
Trend of publication over time
Source: Authors’ own work
To elaborate on this, the data set comprises 78 articles published in 59 scientific journals addressing key issues in the financial, legal and regulatory fields. Table 1 shows the journals that have published the largest number of articles. In particular, in the European Business Organization Law Review the authors focus on regulatory issues related to corporate structures, company law and capital market theory, offering a legal-economic perspective on business organisations. In Banks and Bank Systems, authors analyse global monetary policies, the role of central banks and international financial institutions, with a focus on banking regulation, payment systems, risk management, governance and mergers and acquisitions in the banking sector. The contributions of Crime, Law and Social Change investigate financial crime, corruption and organised crime, exploring their economic and regulatory implications. In the Journal of Financial Stability, authors publish empirical and theoretical research on the causes and management of financial crises, while, in the banking regulation area, the Journal of Banking Regulation authors provide analytical contributions on bank governance, regulatory enforcement and deposit protection, addressing an audience of academics and regulatory professionals. In the Journal of Financial Regulation and Compliance, authors promote interdisciplinary analyses on financial innovation, compliance and policy making.
Journals by number of contributions
| Source title | No. of occurrences | ABS ranking |
|---|---|---|
| European Business Organization Law Review | 4 | NO |
| Banks and Bank Systems | 3 | NO |
| Crime, Law and Social Change | 3 | NO |
| Journal of Financial Stability | 2 | 3*** |
| Journal of Banking Regulation | 2 | 2** |
| Journal of Financial Regulation and Compliance | 2 | 1* |
The asterisks ***, **, * shown in Table 1 reflect the journal-ranking system published by CABS in its Academic Journal Guide.
The broad distribution of articles among these journals highlights the multifaceted nature of the CF and the different perspectives from which it is approached. This variety is primarily driven by three interrelated factors. First, the disciplinary orientation of the topic spans across law, finance, management and technology, resulting in a naturally wide array of academic outlets. Second, the literature exhibits strong methodological diversity: it includes normative legal analyses, empirical studies, case-based approaches and conceptual or policy-oriented reflections. Each methodological lens finds its place in journals that favour specific types of contributions. Third, the editorial priorities of each journal vary significantly, some focus on banking regulation, others on risk governance, technological innovation, or ethics, thus reflecting the evolving identity of the CF as not merely a control mechanism, but a strategic pillar within financial institutions.
In this context, the dispersion of articles does not suggest a lack of cohesion; on the contrary, it underscores the complexity, relevance and increasing strategic importance of the CF in the post-Basel III regulatory environment. Rather than being confined to a narrow technical view, the literature captures CF as a dynamic and multidimensional area of research, which benefits from this plurality of disciplinary approaches and editorial perspectives. This variety ultimately enables a more comprehensive and nuanced understanding of how the CF is transforming within the broader architecture of internal governance in financial institutions.
In the next phase of the study, an analysis of the most cited articles was carried out using VOSviewer software to identify the key themes. As represented in Table 2, the most cited articles mainly analyse the technology applications, such as RegTech, SupTech, Artificial Intelligence (AI) and Cybersecurity. These studies highlight how technology is refining and automating applications in banking compliance, improving efficiency in regulatory monitoring and risk management processes.
Most cited articles in the study
| Document title | Authors | Year | Citations |
|---|---|---|---|
| FinTech and RegTech: Impact on regulators and banks | Anagnostopoulos I. | 2018 | 321 |
| Prevention is better than cure! Designing information security awareness programs to overcome users’ non-compliance with information security policies in banks | Bauer S.; Bernroider E.W.N.; Chudzikowski K. | 2017 | 92 |
| What is an algorithm? Financial regulation in the era of high-frequency trading | Coombs N. | 2016 | 58 |
| Access to finance for artificial intelligence regulation in the financial services industry | Lee J. | 2020 | 54 |
| Does Basel compliance matter for bank performance? | Ayadi R.; Naceur S.B.; Casu B.; Quinn B. | 2016 | 52 |
As illustrated in Figure 4, the co-authorship analysis reveals limited interactions among research clusters, with a total of 73 distinct clusters identified across 183 authors. The majority of these clusters are small, typically comprising groups of five authors and no dominant hub or bridging author emerges to connect multiple groups. This structural fragmentation likely reflects thematic specialisation, institutional or geographical boundaries and the relatively recent and diverse nature of the research domain. Overall, these findings suggest that the scholarly community remains dispersed, with significant potential to strengthen cross-group collaboration and knowledge exchange in future research initiatives.
The image is a network visualization illustrating relationships among various individuals, likely authors or researchers, based on their connections. Each name is represented by a node, with varying sizes indicating the strength or significance of their connections. The layout suggests distinct clusters, with nodes in similar colors likely representing related groups or themes. Names are scattered across the space, with varying distances between them indicating different degrees of interconnectedness. The overall structure conveys a complex network of relationships without specific hierarchical arrangements or visual emphasis on any particular group. The tool used for the visualization is VOSviewer, as indicated in the bottom left corner.
Co-authorship analysis
Source: Image based on VOSviewer elaboration
The keyword co-occurrence analysis, as illustrated in Figure 5, was conducted using VOSviewer on the complete data set of 78 articles, applying a minimum occurrence threshold of two, which resulted in a network of 47 keywords grouped into thematic clusters. The analysis shows that keywords such as compliance, regulation, risk management, AML, RegTech, Corporate Governance (“CG”) and internal controls frequently co-occur, highlighting the strong focus on regulatory frameworks, governance issues, organisational aspects of the CF, internal control functions and technological innovation within the literature.
The visualisation presents clusters of terms linked by co-occurrence relationships within compliance research. The central node, compliance, connects strongly with regulation, banks, regtech, and financial services. Surrounding terms form related clusters: artificial intelligence and machine learning link to finance, privacy, and data protection; regulatory compliance connects with risk assessment and efficiency; corporate governance relates to financial institutions and transparency. The network highlights the multidisciplinary nature of compliance, integrating technology, governance, and financial regulation.
Co-occurrence keywords analysis
Source: Image based on VOSviewer elaboration
When compared to the six thematic clusters defined a priori, these results broadly confirm the alignment between the conceptual structure and the actual focus of published research: the effects of regulatory frameworks (Cluster 1) are reflected by terms like regulatory compliance and Basel Committee on Banking Supervision (BCBS) 239; crisis management and governance (Cluster 2) appear through CG, banks and risk management; organisational aspects of the CF (Cluster 3) emerge through compliance, compliance management and efficiency; internal control and AML/CFT functions (Cluster 4) are confirmed by keywords such as AML and privacy; and FinTech/RegTech applications (Cluster 6) are represented by RegTech, FinTech, AI and blockchain. However, the relative scarcity of keywords related to operational CA, particularly ex ante and ex post processes (Cluster 5), reveals a gap in the empirical exploration of the day-to-day functioning of the CF. This indicates a valuable opportunity for future research to bridge the divide between conceptual frameworks and operational practice.
3.2 Clusters analysis: organisation, interpretation and discussion
This section presents the results of the cluster analysis, discussing the main thematic groups that emerged from the study. The clusters are presented in Figure 6 which provides a functional overview to understand the underlying thread that connects the clusterisation. A detailed description of the clusters and their papers can be found in Appendix II (available in the supplementary files).
The chart identifies six clusters: Cluster 1 covers regulatory frameworks, focusing on compliance practices, capital requirements, and disclosure. Cluster 2 addresses crisis management and governance, examining compliance outsourcing and corporate social responsibility. Cluster 3 explores the strategic and cultural aspects of compliance within organisations. Cluster 4 focuses on internal control functions and anti-money laundering or counter-financing of terrorism processes. Cluster 5 categorises compliance activities into ex ante and ex post actions. Cluster 6 highlights innovation and challenges in financial technology and regulatory technology within banking regulation.
Identified clusters and relevant topics
Source: Authors’ own work
It is noteworthy that the clusters identified through qualitative analysis correspond to those that emerged from the keyword co-occurrence analysis conducted using VOSviewer. All of this supports the notion that, to some extent, the results of the software effectively reflect the emerging themes highlighted.
3.2.1 First cluster: effect of regulatory frameworks on compliance.
3.2.1.1 Sub-cluster 1.1: regulatory compliance practices.
International banking regulation has been the subject of much debate, mainly due to the difficulties in enforcing non-binding regulations. Although financial jurisdictions have actively participated in the development of standards such as Basel II and III, they have often failed to fully comply, due to several factors such as conflicts of interest between domestic and international actors. Quaglia (2019) emphasises that despite the crucial role of certain jurisdictions in defining these standards, the distributional implications for smaller local banks and the mobilisation of interest groups have hindered their full implementation.
Bischof et al. (2022), Nienaber et al. (2014) and Ayadi et al. (2016) provide complementary perspectives on the effects of regulation, its effectiveness and its role in restoring confidence in the banking system. In particular, Bischof et al. (2022) demonstrated that the introduction of risk disclosure standards and their rigorous application yield significant benefits for banks while reducing information asymmetry among investors. However, effective regulation requires not only adequate standards but also effective supervisory authorities, which must be adequately resourced and have incentives consistent with the regulatory objectives. The literature highlights a trade-off between the benefits and risks associated with varying degrees of regulation. Chronopoulos et al. (2023), using a Difference-in-Differences approach, analysed the US banking sector, demonstrating that reduced supervision [1] led to lower compliance costs and increased profitability and operational efficiency but also led to growing risk, as evidenced by a shift in portfolios towards riskier assets. Nevertheless, as Nienaber et al. (2014) argue, regulation alone is insufficient to ensure legitimacy and trust in the banking sector. They emphasise that additional mechanisms beyond regulatory compliance are necessary to rebuild and sustain customer trust, as consumers assess banks’ reputations based on compliance, personal experiences and third-party opinions.
As concerns transparency issues, MiFID II product governance rules are a key regulatory development aimed at improving transparency and investor protection. By introducing stricter requirements to identify the target market of financial products and ensure their suitability, MiFID II aims to prevent mis-selling. While these rules represent a step forward for investor protection, they introduce restrictions on access to financial products and high redress costs (Colaert, 2020).
Regulation and compliance should be dynamic to ensure stability and trust without affecting efficiency. Financial education, promoted by institutions like the Organisation for Economic Co-operation and Development (OECD) and the Bank of Italy, is key to enhancing household security and market stability. Banks, thanks to their privileged position and direct contact with consumers, can lower information costs by making fundamental knowledge more accessible for households’ economic decisions (Fort et al., 2016).
A global standard for banking regulation and supervision is represented by the Basel Core Principles (BCP). Ayadi et al. (2016) highlight how compliance with the BCP does not significantly impact banking efficiency, while its strict enforcement in emerging markets may hinder resource allocation due to high compliance costs. This underscores the need for regulations tailored to the specific context of each country. In this regard, Garcia and De Mendonça (2023) examined factors influencing compliance with BCPs. Their findings reveal that while the overall supervisory framework per se does not have a significant impact on BCP compliance, two key factors – efficiency levels within banks and their independence from government influence – have a positive and significant effect. In particular, the study emphasises the importance of less regulation, showing that banking markets with greater autonomy and competition are better equipped to achieve higher levels of compliance.
This sub-cluster analyses the challenges in applying international banking regulations, highlighting the crucial but often limited role of effective supervision and adaptation to the local context. The literature emphasises the need for a balance between regulation, efficiency and trust, with a particular focus on transparency and financial education.
3.2.1.2 Sub-cluster 1.2: capital requirements and regulatory impact.
Banking regulations aim to ensure global financial stability by placing capital at the core of regulatory frameworks. This focus is intended to positively influence risk management practices and enhance the financial solvency of banks. The bank’s capital base constitutes the main aggregate to which traditional instruments of prudential control refer (Deutsche Bundesbank, 2002; Barrios and Blanco, 2003).
Bouheni (2014) highlighted how banking stability is based on a balance between risk and regulation. Although risk-taking may be encouraged by the strong power of supervisors and stricter capital requirements, which generate a loss of utility and push banks to adopt compensatory behaviour through riskier activities, the study recognises the importance of restrictions in containing overall risk, fostering banking system stability and preventing excessively risky behaviour.
Stringent regulation and unconventional (expansionary) monetary policy measures introduced in the post-crisis period have influenced banks’ capital and liquidity management. In response, banks adopted deleveraging and de-risking strategies, in some cases exploiting regulatory arbitrage opportunities. There has also been a partial reduction in corporate lending, with large banks preferring to invest in securities, while smaller banks have increased their retail lending (Baros et al., 2023).
This effect was also highlighted in the study by Deli and Hasan (2017), who examined the impact of bank capital regulations on loan growth. The findings indicated that such requirements exerted a negative influence on loan growth, though this effect was observed only among banks with very low capital levels. Conversely, banks with moderate capitalisation were able to mitigate the adverse effects of these regulations. Consequently, the study suggests that stricter regulation may lead to a reduction in the volume of typical bank activities, particularly those related to the lending function.
The following case studies are concerned with the implementation of the Basel III regulations in the Ukrainian financial system. The study by Ramskyi et al. (2017) analyses the transition of the Ukrainian banking sector towards compliance with Basel III regulations. The research shows how the implementation of Basel III improved financial stability and fostered future integration with the European banking system by reducing the number of unprofitable banks (the “cleansing process”), but required restrictive measures. Khudoliy and Bronin (2019) provided further perspective by examining the specific response of the Ukrainian banking system to profound economic crises. The adaptation to the Basel III requirements resulted in the implementation of the Liquidity Coverage Ratio, the adoption of International Financial Reporting Standard 9 and the introduction of the Supervisory Review and Evaluation Process. Together, these measures reinforced the financial stability of the banking system, aligning it with international standards.
In addition, Novokmet and Pavić (2021) analysed the impact of regulation on the Croatian banking system, showing that regulations improve the overall stability and profitability of banks but entail some costs for shareholders who see reduced Return on Equity and for customers, who may experience higher interest rates on loans and lower interest rates on deposits. However, the paper points out that more efficient management could mitigate these negative effects.
The analysis highlights how stringent requirements can strengthen the resilience of the system but also reduce lending activity. Compliance with standards such as Basel III improves banking soundness, albeit at a cost to shareholders and customers.
3.2.1.3 Sub-cluster 1.3: principles of BCBS 239 and compliance challenges.
The BCBS is responsible for developing key guidelines, such as the Basel Accords, which aim to promote prudent capital and risk management by banks. In particular, the BCBS 239 principles, introduced in 2013, aim to ensure that financial institutions can monitor risks more effectively through improved data aggregation, promoting a more reliable and efficient risk management process.
Orgeldinger’s (2018) study focuses on the data governance, risk reporting practices and compliance efforts of financial institutions. The results indicate that many significant banks are struggling to meet compliance deadlines regarding the principles of data architecture, accuracy and adaptability. In light of the difficulties encountered by financial institutions in implementing BCBS 239, Martins et al. (2022) focused on the management of master data and proposed a six-step action plan to help banks comply with BCBS 239 by improving risk-critical data management and compliance. The analysis calls for the CF to adopt an integrated governance and data management approach to create strategic alignment between IT and the various business functions.
BCBS 239 principles aim to improve the management and aggregation of data. Integrated data governance is considered essential to ensure effective compliance and strengthen decision-making and risk management processes.
3.2.1.4 Sub-cluster 1.4: disclosure requirements and regulatory alignment.
Financial and non-financial disclosure is one of the most significant challenges facing the banking sector today as it combines increasing transparency requirements with stringent regulatory obligations. Regulators require the inclusion of sustainability in governance and risk management models; in response, European banks are adopting ESG disclosure practices in their financial reports (Dinh et al., 2023). However, Tőzsér et al. (2024) highlighted a gap between European and Hungarian banks, with the latter still lagging behind in transparency and adoption of sustainability standards. This objective finds fundamental support in the European Union’s taxonomy, which aims to direct capital towards sustainable economic activities and promote a green transition (La Torre et al., 2024).
However, as Garcia-Torea et al. (2024) pointed out, taxonomy introduces significant implementation difficulties for the banking sector. Banks are required to use sustainability information to guide their investments and have to produce detailed indicators, such as the Green Asset Ratio, to demonstrate compliance with regulatory requirements. This dual burden generates considerable operational complexity, which is amplified by regulatory uncertainty.
The regulatory uncertainty manifests in the lack of clarity on operational rules and in the often-imprecise timing of regulatory enforcement. These ambiguities hinder technical compliance and cause significant changes in banks’ organisational structures and internal processes, forcing them to revise established models to meet new requirements. Moreover, it may impact banks’ reputations and fuel market competition. These effects are more significant considering that supervisors do not always provide the necessary support to facilitate the transition to effective compliance.
This complex picture is part of a broader reflection on the importance of market discipline, to which Pillar 3 of the Basel Framework contributes. While Mandzila and Zéghal (2016) emphasised that the main objective of Pillar 3 is to improve transparency, Pilkovà et al. (2021) point out that it is necessary to work on elements such as standardised disclosures, reducing their frequency and including relevant content for stakeholders. With these improvements, banks will be able to use Pillar 3 as a means to fulfil their regulatory obligations, but also as a lever to strengthen their confidence and competitive position.
The analysis of the Task Force on Climate-related Financial Disclosures (TCFD) recommendations by Moreno and Caminero (2022), who use text mining techniques to examine the climate-related disclosures of major Spanish financial institutions, shows an annual increase in the number of climate-related disclosures. In particular, the oil and energy sectors emerge as the most engaged in disclosures. Assessing the goodness of non-financial statements is crucial to ensure the quality and compliance of ESG information. Makarenko et al. (2020) developed the Q&C BMR index to assess the quality and compliance of ESG information in Ukrainian banks. An analysis of 75 banks in 2018 revealed an average index score of 61.2%, indicating a good level of compliance.
The implications of the Statutory Audit and Corporate Reporting Directive, analysed by Poshakwale et al. (2020), also deserve special attention. The requirement for greater disclosure has undoubtedly improved the quality of reporting, but has paradoxically incentivised an increase in risk, especially among large banks, as it has required the disclosure of complex, off-balance sheet transactions. This phenomenon reflects the urgent need to harmonise regulation and operations, preventing the increase in disclosure requirements from becoming a counterproductive factor.
In conclusion, financial and non-financial disclosure is not only a compliance obligation, but a strategic opportunity to rethink the role of the banking sector as a central player in the sustainable transition. Banks must find ways to effectively manage regulatory uncertainty by complementing their disclosure activities with tools that promote not only compliance but also innovation, transparency and sustainability.
3.2.2 Second cluster: crisis management, governance and compliance dynamics.
3.2.2.1 Sub-cluster 2.1: the role of banks.
Banks play a key role in the global financial system, serving as major intermediaries and pillars of economic stability. As pointed out by Scholtens and Van Wensveen (2003), they perform the key function of reducing information asymmetries between different market players, ensuring liquidity and promoting efficient capital allocation. However, in an increasingly complex and regulated financial landscape characterised by rapid technological change and new emerging risks, banks are called upon to continuously adapt.
In addition to implementing regulations established by institutions such as the European Central Bank (ECB), as well as by international bodies like the Bank for International Settlements and supervisory frameworks such as the SSM, banks must rigorously balance regulatory compliance with innovation to remain competitive in a rapidly evolving financial environment.
Operational resilience, now more than ever, is distinctive: it implies adopting proactive strategies to respond to an increasingly demanding regulatory environment, while safeguarding investor and customer confidence. The ability of banks to act as a bridge between monetary policy and economic activity, integrated with advances in financial technologies such as RegTech and SupTech, makes them not only essential players but also innovators in building a more transparent and fairer financial system.
3.2.2.2 Sub-cluster 2.2: the dynamics of compliance outsourcing.
In an increasingly competitive and dynamic world, organisations often turn to external suppliers to handle activities and processes that they would not be able to tackle on their own. However, over-reliance on outsourcing raises significant issues regarding control, costs and the preservation of in-house expertise.
Burdon and Harvey (2016) argued for the necessity of understanding the changing regulatory environment to comprehend how compliance culture is framed and how it can be measured. Some organisations rely excessively on external consulting, due to the complex environment in which financial services compliance teams find themselves. Due to regulatory demands, compliance managers should balance resources more effectively in the long term, which may include short-term use of consulting services.
Indeed, an increase in financial regulation has resulted in heightened competition among financial services firms. Michael et al. (2021) observed that financial institutions tend to outsource compliance services rather than develop them in-house, given the higher productivity of external consultants.
Studies indicate that outsourcing practices can create a vicious cycle: the constantly evolving regulatory landscape results in an increased reliance on external consultants, which can in turn lead to further regulations and costs.
3.2.2.3 Sub-cluster 2.3: compliance function from a corporate governance perspective.
CG serves as a cornerstone for aligning the diverse interests of stakeholders and fostering sustainable corporate value through mechanisms of transparency, accountability and honesty (Aida, 2022). It balances the need for stringent regulatory oversight with the protection of entrepreneurial freedoms, navigating challenges inherent in regulating the eligibility and actions of key management figures (Arrigoni and Rivolti, 2022). A landmark response to these challenges is the Sarbanes-Oxley Act of 2002, which enforces measures such as auditor independence to enhance financial reporting quality. Its success, highlighted by Nazarova et al. (2020), is rooted in its methodology for identifying control weaknesses and promoting transparency and sustainability. Similarly, Enterprise Risk Management, although questioned by Marc et al. (2018) in its practical value, reveals that prolonged use enhances corporate value by refining capital allocation and risk response strategies, albeit with limited immediate impact on growth.
However, as evidenced by the case of the Romanian listed banks, a high level of compliance with the CG Code is not sufficient to reduce risks. Deliu (2020) emphasised that compliance must be accompanied by an improvement in risk management and communication with stakeholders, to increase transparency and mitigate compliance risks.
Risk governance further intertwines with CG, particularly through key figures like Chief Risk Officers (CROs), whose influence is pivotal in high-pressure environments. Li et al. (2022) underscored that CROs not only reduce corporate risk but also enhance operational efficiency, particularly in dynamic or litigation-prone industries. Effective governance also integrates compliance seamlessly, as noted by Malik (2024), who ties risk governance to regulatory adjustments (RAs), i.e. changes to capital requirements imposed by regulators, in public banks. The research reveals that while RAs ensure alignment with standards, they may impose operational burdens. Proactive integration of CF into governance can mitigate the need for such adjustments, reducing inefficiencies and reputational risks while maintaining stability.
Effective CG requires substantial integration of risk management and compliance functions, going beyond mere formal adherence to codes. Tools such as the Sarbanes–Oxley Act and key roles such as CROs demonstrate that transparency, communication and active supervision are crucial to reducing risks and ensuring operational efficiency.
3.2.2.4 Sub-cluster 2.4: CG, corporate social responsibility and crisis management: interconnected dimensions of organisational strategy?
The global banking crisis and recent cases of financial collapse, such as Silicon Valley Bank (SVB), underscore the critical role of CF, governance and corporate social responsibility (CSR) in preserving financial stability.
Ahmad et al. (2023) highlighted how non-compliance with the UK CG Code has a negative impact on shareholder value, particularly during times of crisis, weakening financial resilience. Indeed, internal control mechanisms prove to be a crucial factor in protecting shareholders’ interests, strengthening banks’ ability to cope with economic turbulence.
Arrigoni and Restelli (2024) highlighted another critical dimension of the crisis: the role of depositor confidence. Even solid banks can be in trouble if customers lose confidence and suddenly withdraw their deposits. This highlights the importance of the completion of the European Banking Union (EBU) and the establishment of a European Deposit Insurance Scheme, which can ensure stability and reduce systemic risks. Singh (2015) reinforces this perspective by arguing that the centralisation of supervisory and regulatory policies is essential to effectively manage crises of medium-sized financial institutions that are not large enough for resolution intervention but can still destabilise the system. On a broader scale, Culpepper and Tesche (2020) highlighted the impact of the EBU in reducing the scope for action by national policymakers, while fostering consolidation in the sector through the acquisition of high-quality assets by leading banks, such as Banco Santander and Intesa Sanpaolo. However, the asymmetry in power between large and small banks raises questions about market competition.
A practical case of structural intervention is the reform implemented in Ukraine between 2014 and 2016, known as the “cleansing process”. Numerous banks were liquidated mainly due to liquidity losses, fraud, mismanagement and lack of recovery strategies. Although the reform resulted in significant financial and social losses, it reduced the number of unsustainable banks, strengthened long-term stability, and improved transparency and governance, while contributing to the achievement of Target 8.3 of the Sustainable Development Goals in supporting job creation and economic growth (Yankovska et al., 2022).
The impact of bank management on stakeholders is also analysed by Portna et al. (2024). The authors examine the level of social responsibility of Systemically Important Banks (SIBs) in Ukraine highlighting how social responsibility improves the image, transparency and competitiveness of banks in the context of the information economy (network society), while contributing to economic and social stability.
In this context, it is important to emphasise the relevance of a single supervisory system for the stability of the financial system and for social welfare. While conflicts may arise between local and central supervisors, a centralised supervisory system (e.g., the SSM) introduces strict standards, harmonises practices across member countries, reduces regulatory disparities and banking risk. In addition, it offers significant benefits in terms of enhanced risk control and improved stakeholder protection (Carletti et al., 2021).
In supporting the adequacy of CG and CSR principles, the CF and CAs are not merely costs for banks but play a crucial role in preserving financial stability. Effectively addressing banking crises requires a more coordinated and innovative regulatory framework that balances rigorous controls with protective mechanisms aimed at preventing loss of confidence and enhancing the resilience of financial institutions.
3.2.3 Third cluster: aspects and nuances of a compliance function.
3.2.3.1 Sub-cluster 3.1: strategic integration of compliance in organisations.
Today, CF is a central element of corporate organisation, particularly in the banking and financial sector, which is a leader in the application of compliance management as new banking products, increased government oversight and greater attention to compliance requirements are leading to higher risks and more comprehensive and complex rules and regulations (Pelei and Benedek, 2024).
Regulatory implementation, rather than being a one-way and linear process of organisational translation of regulatory objectives, is a complex and reflexively interactive process influenced by both external and intra-organisational dynamics (Kashyap and Iveroth, 2021).
In this context, the role of CF goes far beyond mere compliance, profoundly influencing the structure and functioning of organisations.
According to Velez et al. (2020), the introduction of stringent regulatory measures, such as the post-2008 crisis reforms, redefined organisational dynamics. The obligation to meet capital requirements and to implement control tools, such as stress tests, prompted banks to review their strategies and internal processes. Compliance is not only a means to ensure capital stability but becomes a benchmark to guide organisational decisions, aligning risk control with business objectives. Cernisevs et al. (2023) reinforce this view, highlighting how the adoption of KPIs based on risk indicators transforms the organisational structure of financial institutions into a more resilient and proactive system.
Compliance, therefore, is no longer seen as an externally imposed obligation, but as an opportunity to integrate transparency and innovation, involving all business functions and contributing to more effective and sustainable governance.
3.2.3.2 Sub-cluster 3.2: compliance culture.
In the scientific literature, the topic of compliance culture has gained relevance, reflecting the growing role of this function within organisations.
Kenny (2014) provided an analysis of compliance culture within banking organisations, highlighting its main critical issues. The author focuses on the phenomenon of “dependency corruption”, where individuals fail to fulfil their obligations due to conflicts of interest, as seen in rating agencies. In addition, compliance officers are often perceived as “obstacles” within the organisation, as their role tends to limit profit opportunities and risky behaviour. The analysis emphasises the need to introduce practices that clearly protect whistleblowers, to counter the spread of a culture of silence. In this perspective, CF emerges as an organisational function deeply influenced by the internal environment and requires the development of a systemic vision that enhances its role and potential.
The study by Burdon and Sorour (2020) analyses the culture of the CF. The authors conceive compliance as a dynamic process shaped by the interaction between regulators and companies. Specifically, compliance culture is described as a cyclical evolution, fuelled by three types of institutional pressures: coercive, regulatory and mimetic (DiMaggio and Powell, 1983). This holistic approach encourages organisations to work together with regulators, considering the social and economic implications of their compliance practices.
Hopt (2021) drew attention to the need for a cultural change in banking governance. The author proved to be truly far-sighted, considering that just three years later, the ECB published its “Draft guide on governance and risk culture” (ECB, 2024), in which it emphasised that governance and risk culture are essential elements for the good functioning of any organisation, influencing its structure, culture and people. The corporate organisation can no longer be solely oriented towards the interests of shareholders but must embrace a broader vision that includes all stakeholders.
The importance of compliance culture has made the CF a key element in promoting transparency and independence, reforming boards of directors and integrating supervision and control processes into corporate strategies.
3.2.3.3 Sub-cluster 3.3: drivers of compliance.
The CF in banking sectors is influenced by a combination of regulatory requirements and societal pressures, which act as major levers for ensuring compliance of financial institutions. De Souza and De Souza (2024) examine the drivers of the CF in banking institutions in the UK and Brazil, identifying key drivers such as regulatory requirements, regulatory transposition, social demands (and pressures) and potential reputational risks. Analysing banks’ annual reports (2016–2017) and compliance policies, the study shows that while UK banks demonstrate greater maturity and proactivity in managing reputational risks, Brazilian banks display a more reactive approach, focused on compliance with minimum legal requirements. Indeed, Brazilian banks’ references to CF’s enhancement illustrate growing awareness and efforts to address social demands. Furthermore, jurisdictional differences, operating contexts, regulatory requirements (highly regulated countries vs those with newer regulations) and legal enforcement demonstrate how reputational risks can affect compliance transparency and disclosure practices, going beyond mere regulatory adherence.
3.2.3.4 Sub-cluster 3.4: compliance management and risk qualification.
To support the management of compliance-related practices and processes, banking institutions and corporations adopt compliance management systems (CMS). The paper by Quick and Sayar (2021) highlights that the adoption of CMSs supported by an “assurance” provided by a third party, such as auditing firms, increases the confidence of banking managers, improves compliance risk management and facilitates more informed business decisions. Holter Antonsen and Madsen (2021) developed and applied a maturity model to an investment company to assess the development of CF. The model describes an evolutionary path of the CF from being reactive and inconsistent to becoming a proactive and integrated part of corporate practices. This evolution is driven by best practices, including monitoring compliance risk, establishing and regularly updating policies, employee training, interaction with other business functions, periodic process audits and the utilisation of technology to enhance efficiency and outcomes. The risk of non-compliance with regulations is the risk of incurring judicial or administrative sanctions, significant financial losses or reputational damage as a result of violations of laws, regulations, or self-regulatory rules or codes of conduct (Bank of Italy, 2006). Effective management of this risk is essential to ensure business continuity and maintain stakeholder confidence. Against this background, Bognár et al.’s (2023) study proposed two distinct approaches to assessing compliance risk, each with specific advantages and limitations. In particular, Bognár and Benedek (2021) proposed the Failure Mode and Effects Analysis (FMEA) method to classify compliance risks in a structured manner. This approach assesses risks using three main factors: severity of consequences, frequency of occurrence and probability of detectability.
The combination of these three factors determines the Risk Priority Number (RPN), where a higher RPN value indicates a higher priority for intervention. An interesting result of the study concerns the differences in assessments between internal and external experts. While internal experts tend to assess compliance risks uniformly, influenced by in-depth knowledge of business processes, the external expert offers a critical and independent perspective. In 2023, Bognár et al. proposed an extension of the FMEA method, called Partial Risk Map (PRISM), which focuses on assessing partial risks that can remain hidden and lead to severe detections. While both methods consider the three main factors of severity, frequency and detectability, PRISM is based on Pairwise Comparison for a more accurate and flexible assessment, which leads to the identification of the PRISM Number to classify compliance incidents and plan mitigation actions. Unlike the FMEA, which focuses on known risks and uses predefined scales for evaluation, the PRISM also incorporates lesser-known risks.
CF is a strategic lever that strengthens corporate structure, enhances stakeholder trust and balances innovation, sustainability and regulation. In this sense, it is the glue that unites governance, strategy and corporate responsibility.
3.2.3.5 Sub-cluster 3.5: remuneration policies.
Another crucial aspect for this function is highlighted by Giovanelli and Rotondo (2016) who show how CF plays a decisive role in the definition of remuneration policies. To meet international standards and ensure adequate risk management, banks need to reorganise their decision-making structures, prioritising transparency and aligning remuneration and business objectives. However, challenges remain, such as improving the governance of control functions and eliminating practices that are inconsistent with sustainability principles.
3.2.4 Fourth cluster: internal control functions: a focus on the AML/CFT.
The concept of internal control has been subject to various definitions and interpretations globally, often influenced by the regulatory and institutional context. Henk (2020) analysed the evolution of internal control through a literature review highlighting the different definitions according to regulatory and institutional context. In the USA, internal control is mainly related to financial reporting reliability due to strong regulatory pressures such as the Sarbanes-Oxley Act (U.S. Congress, 2002), while elsewhere it is considered a broader system that integrates risk management and CG. The author raises the need for a clearer and unified definition to reduce ambiguities and potential misinterpretations.
The CRD mandates that banks establish solid governance frameworks that encompass efficient processes for identifying, monitoring and reporting risks, as well as sufficient internal control systems (ECB, 2024).
The EBA Guidelines on internal governance (EBA/GL/2021/05) emphasise the need for developing a risk culture encouraging risk control and compliance within the bank and a comprehensive internal control framework.
The Institute of Internal Auditors recommends the adoption of the Lines of Defence Model, which is considered fundamental for effective risk management and which is also approved and supported by the ECB (2024) in the supervised institutions. The three lines of defence model assigns specific roles within the internal control governance framework; however, it operates as an integrated system in which the various functions collaborate closely to ensure effective risk management and regulatory compliance throughout the organisation.
The first line of defence involves business lines assuming risks and maintaining direct, ongoing responsibility for their operational management. The second line consists of the Risk Management function, which independently identifies, measures, monitors and reports risks at individual and group level. In addition, the CF ensures adherence to laws, regulations and standards while providing guidance to manage corrective actions to address non-compliance. The third line of defence is represented by the internal audit function, which conducts independent reviews of the first and second lines, evaluates the effectiveness and efficiency of the bank’s governance, risk management and internal control systems and reports to the management.
AML/CFT regulations require banks to identify, prevent and report suspicious financial flows. However, as Merz (2024) highlighted, the criminalisation of money laundering activity has often resulted in mere compliance with regulators’ demands, aimed at avoiding sanctions and reputational damage. This has resulted in the costs and burden of compliance falling mainly on the shoulders of the private sector (Turner and Bainbridge, 2018).
According to Verhage (2017) and Ferwerda et al. (2018), the lack of information sharing between regulators and financial institutions, coupled with insufficient feedback on reported but atypical transactions, hampers the overall effectiveness of the system. In response, compliance officers proposed the introduction of a blacklist of customers, which would help prevent “bank shopping”, where suspicious customers try to exploit banks with fewer restrictions. A shared list would help to quickly identify these individuals, thereby strengthening the overall protection of the financial system.
Moreover, financial regulation faces new challenges with the emergence of decentralised technologies such as Decentralised Finance (DeFi). Benson et al. (2024) propose that regulators adopt a balanced approach, based on minimum licensing requirements, open transaction registers and Anti-Money Laundering and Know Your Customer standards, to promote transparency and compliance without stifling innovation.
In parallel, advanced technologies, such as Artificial Intelligence and Machine Learning (AI/ML), are assuming a key role in AML prevention and financial risk management. Gupta et al. (2022) emphasised the importance of data quality in developing effective machine learning models to detect suspicious transactions. In particular, they highlight how the accurate definition of a key event, such as the Suspicious Activity Report (SAR) date, is crucial to improve the efficiency of the model. This approach can reduce the prediction time and increase the effectiveness of the detection process, enhancing the models’ ability to predict illicit activities in a timely manner.
According to Turksen et al. (2024), AI/ML solutions offer significant benefits, such as the ability to identify fraud or suspicious activity in real time. However, concerns related to accountability, transparency and explainability of models are slowing their adoption. Fraud prevention legislation is placing more emphasis on real-time fraud detection, while technical solutions for fraud prevention are becoming increasingly complex, using machine learning and collecting vast amounts of data (Găbudeanu et al., 2021). The main problem lies in the conflict between GDPR privacy requirements, which call for anonymisation measures, and AML/CFT tools, which aim to track and monitor transactions to prevent money laundering and terrorist financing. The challenge is to balance both requirements without compromising either privacy or effectiveness in countering financial crime, particularly in emerging technologies such as blockchain (Karasek-Wojciechowicz, 2021).
Among the most complex forms of money laundering, those linked to international trade transactions represent a growing challenge for control systems. This includes Trade-Based Money Laundering (TBML), defined as “the process of disguising the proceeds of crime and shifting value using trade transactions in an attempt to legitimise their illicit origins” (FATF, 2006), which represents one of the most serious challenges for the global financial system because illicit practices concealed within legitimate transactions hinder money tracing. Marzouk (2022) highlights how the UK’s post-Brexit strategies, geared towards intensifying trade relations with developing countries, amplified TBML risks for UK banks. Lack of expertise, resources and regulatory incentives exacerbates the complexity of suspicious transaction discovery, requiring a review of AML measures to mitigate the risks associated with high-risk jurisdictions.
Countering terrorism financing (CFT) is another significant issue, as terrorist financiers are highly sophisticated and well versed in compliance systems, making it extremely complex for financial institutions to identify them (Teichmann and Falker, 2024). Nevertheless, as Beekarry (2011) pointed out, banks are motivated to engage in AML efforts to preserve public trust and maintain a solid reputation.
Despite progress, the fight against money laundering and terrorism financing is not without controversy. The tension between technological innovation, privacy protection and regulatory constraints requires careful balancing. Only through coordinated action between regulators, financial institutions and technology developers will it be possible to successfully address these threats, improve the effectiveness of AML systems and create a safer environment for the global financial system.
3.2.5 Fifth cluster: compliance activities: ex ante and ex post actions.
The analysis conducted revealed a gap in the academic literature. In contrast to the other areas explored, this topic is scarcely investigated, with an almost total absence of scholarly contributions that delve into how CA are implemented before and after the regulatory event.
3.2.6 Sixth cluster: FinTech and RegTech: innovation and challenges in banking regulation.
The 2008 global financial crisis had a significant impact on the financial sector, leading to a drastic drop in customer trust in banks and an intensive regulatory output on banking and financial activities. In response, in recent years, innovative technologies have been widely used to improve supervision of prudential and conduct risks and reduce compliance costs.
FinTech was recognised as an autonomous sector in 2017, when the Financial Stability Board (FSB) defined it as ‘technology-enabled innovation in financial services’. In parallel, the Institute for International Finance (2015) introduced RegTech as a subcategory of FinTech that adopts technologies enabling regulatory requirements to be met more efficiently and effectively than traditional methods.
FinTech has improved customer banking experience through technology ecosystems that can analyse large volumes of consumer behaviour data and offer personalised solutions (Anagnostopoulos, 2018).
According to Singh (2024), RegTech solutions save time and costs and mitigate operational risks by facilitating real-time fraud detection through the processing of huge amounts of data. However, McNulty et al. (2023) raised doubts as to whether these technologies, while reducing compliance costs, might weaken financial regulation and supervision. The main challenge, therefore, lies not in automating regulatory processes, but in using technology to make legal and regulatory frameworks more effective.
Moreover, Lee (2020) pointed out that the adoption of these technologies could conflict with privacy, data protection and ethical issues. On the other hand, Serrado et al. (2020) demonstrated that the Information Security Framework is an excellent tool to help banks comply with the GDPR, while recognising that AI contributes to increasing the competitiveness of financial markets by providing benefits to consumers. In line with these observations, Loiacono and Rulli (2022) pointed out that RegTech can support resolution authorities in developing plans and managing financial crises. In addition, stakeholders benefit from increased efficiency, transparency, accuracy and reduced compliance costs. However, risks include cyber threats, algorithmic bias and process dehumanisation (Grassi and Lanfranchi, 2022).
A further important application of blockchain lies in strengthening the principle of strict compliance in letters of credit. Due to its transparency and immutability, blockchain can reduce the uncertainty associated with the standard of substantive compliance by ensuring more precise and uniform documentary checks (Bui and Pribula, 2023).
Regulators use AI to detect fraud, prevent money laundering and counter terrorist financing (AML/CFT), in line with Recommendation 15 of the Financial Action Task Force (1990), which encourages the adoption of new technologies for improving risk management activities. A significant example comes from the Monetary Authority of Singapore, which has implemented machine learning algorithms to detect suspicious transactions and assign risk scores.
According to Prisznyák (2022), however, the validation of machine learning models in combating money laundering and illicit financing cannot be done without the support of human resources. Furthermore, Becker et al. (2020) indicate that the literature on RegTech applications in finance is fairly distributed across different use cases. However, in practice, market solutions are primarily focused on compliance management (40%). This gap between theory and practice may stem from the high costs and time expenditure associated with compliance management for financial institutions.
In this scenario, it is important to design information security awareness programmes to overcome user non-compliance with information security policies in banks. Bauer et al. (2017) demonstrated that Information Security Policies are critical to minimising information security incidents.
The versatility of compliance can also be seen in high-frequency trading, where banks must manage algorithms’ impact on financial markets while ensuring transparency and regulatory compliance. The German High-Frequency Trading Act demonstrates how technology can support compliance by providing clear signals for monitoring and improving transparency. Coombs (2016) pointed out that such regulations produce positive effects, not only in regulatory monitoring but also in promoting a more responsible corporate culture.
In conclusion, FinTech, RegTech solutions and AI/ML/DL technologies offer numerous applications in the banking and financial sector, helping to simplify and optimise the operations of financial institutions.
4. Conclusion: from policy to operational implications of CF
This study follows the works of Edwards and Wolfe (2005) and Ibáñez Zapata (2017), presenting different findings that reflect the increased dynamism observed among financial sector institutions. The analysis highlighted key themes including the link between CF and governance, the impact of emerging technologies and the role of corporate culture in risk management. In addition, the co-occurrence analysis of keywords highlighted the main trends and challenges in the evolution of CF but underlined an obvious gap in the literature concerning the specific operational activities. In particular, an adequate treatment of the preparatory (ex ante) and monitoring and control (ex post) activities that characterise the day-to-day work of the CF in financial institutions, specifically banks, did not emerge. This gap reflects a partial view, often confined to theoretical and regulatory aspects, which neglects the operational dimension crucial to the effective management of non-compliance risk. The criticality that emerged reinforces the argument concerning the separation between academia and banking practice. Academic research and the day-to-day operations of banks are disconnected, preventing a useful dialogue that integrates theory and practice and depriving the CF of the support it needs to improve its operational effectiveness. Additionally, it is important to note that the majority of the literature analysed focuses on banks due to their pivotal role in financial systems.
The work undertaken clearly reveals a common thread among all the analysed papers: the CF should not be viewed solely as a means to ensure adherence to the regulations that all financial institutions must follow, but also as a risk management support element and a strategically crucial component for the success of banks. This is because the activities of the CF have a profound impact on how an organisation operates, assisting banks in revising their business models, management strategies and risk management policies, while maintaining the stability of the financial institutions. Recent banking crises, like the failure of SVB, have further underlined the importance of risk culture (BCBS, 2023). Therefore, the theme of risk culture (European Central Bank, 2024) should be complemented by that of “compliance culture”. Consequently, if banks adopt an Integrated Internal Control System, they not only comply with regulations but also enhance their reputation and become more resilient.
It is also noteworthy that the advent of emerging technologies is revolutionising compliance management for both financial institutions and the regulatory authorities responsible for their supervision. The analysed articles highlight how RegTech solutions enable the automation of complex processes, improve operational efficiency and reduce costs in an increasingly digitised environment, positioning themselves as key tools for building a more resilient financial system. These solutions, based on AI and big data analytics, enhance fraud detection and bolster risk management capabilities, as well as customer profiling and monitoring for both new and existing clients. However, these innovations pose significant challenges, such as ensuring operational continuity, algorithmic transparency, privacy protection and cybersecurity.
From these perspectives, regulation alone is not a universal solution. While it contributes to the stability of the system, rigid application can also have negative implications for operational efficiency, particularly when applied without considering the institutional context or the level of market development. To enhance the outcomes anticipated from regulation, regulators and banks should collaborate more effectively in the interest of various stakeholders who are increasingly exposed to emerging risks that they may not fully understand.
In support of the previous discussion, it is important to reflect on the role of the CF in minimising the likelihood of sanctions imposed by Supervisory Authorities (Guerello et al., 2018) and in safeguarding the reputation of financial institutions (Murè et al., 2021).
4.1 Limitations and future directions
The analysis relies on peer-reviewed documents written entirely in English, potentially excluding relevant insights from industry reports or case studies that are not publicly accessible. It is specifically focused on institutions within the EU regulatory framework and Basel principles. This approach limits the applicability of findings to regions influenced by the application of Basel, potentially failing to capture the compliance challenges faced by institutions, such as those in emerging markets or under less harmonised frameworks. Furthermore, the study examines literature published between 2010 and 2024, thus excluding earlier works that might provide historical context on the evolution of CF.
The analysis highlights a clear gap in academic literature, as the implementation of ex ante and ex post CA remains largely unexplored. This absence suggests the existence of a significant theoretical gap, which deserves more attention from the academic community. It appears necessary to develop studies that assess the effectiveness of preventive and corrective measures, as well as their impact on the efficiency of internal controls and organisational culture.
Despite these limitations, the paper provides a structured and detailed examination of CF in the European banking sector, offering valuable insights into its evolution, current challenges and future directions.
It is thus clear that the CF will continue to play a central role in the evolution of the banking sector. The ability to meet the challenges posed by digital innovation and new regulations will depend on collaboration between financial institutions, regulators and technology developers. This integrated approach will not only ensure regulatory compliance but also turn CF into a strategic lever to promote innovation, sustainability and trust. Ultimately, CF must be viewed not as a cost, but as an opportunity to build a fairer, more transparent and future-oriented financial system.
Declaration of competing interest
The authors have no conflicts of interest to disclose. All authors have seen the study and approved its submission to the journal.
Acknowledgement
The authors would like to thank their colleagues Dr V. Antonelli and Dr A. Crisafulli, PhD students at the Chair of Compliance and Internal Controls in Banks at their university (La Sapienza), who provided feedback for this work.
Note
Introduced by the Economic Growth, Regulatory Relief and Consumer Protection Act (EGRRCPA) of 2018 on banking risks.

