Compliance Chiefs’ Reality Check: 2025 WSJ CCO Council Summit Takeaways

This year’s Wall Street Journal Chief Compliance Officer Summit in London was a rare moment to take stock of the regulatory whirlwind sweeping across industries. Between catching up with fellow compliance leaders and enjoying some classic networking, the real question lingered—what’s keeping compliance chiefs awake at night? Spoiler: Quite a lot.
One Year On—What’s Changed?
First, a confession. Before stepping into the News Building for this year’s summit, I couldn’t help but wonder—has anything truly changed over the past 12 months? Sure, policy shifts, AI revolutionising workflows, geopolitical surprises, and international trade upheaval should have shaken up the compliance agendas. And indeed, they have. But while new headlines fuel the conversation, the core challenge remains: How do compliance professionals make sense of it all and plan ahead?
The Transatlantic Regulatory Tango
If John Smith, former US OFAC Chief, is in the room, you know the conversation is bound to circle back to sanctions and, by extension, geopolitics. The CCO Council was no exception, with lively debate on the current US Administration’s “America First” policy, growing divergence between regulators across the Atlantic, and the ever-present question of what businesses must do to stay compliant in this multi-dimensional world.
One golden takeaway: Focus on actions, not just rhetoric. The noise may be deafening, but enforcement isn’t going anywhere. Export and technology controls are proving just as central to this administration as they were to the last.
And that’s the case beyond OFAC and BIS, too. The much-anticipated DOJ White Collar Enforcement policy update (May 12, 2025) has confirmed what many suspected: white collar enforcement remains a priority; sanctions violations and fraud on investors (bribery and corruption included) are still in the crosshairs; and businesses had better keep their risk assessments sharp. For corporate compliance folks like me, the three tenets of the new Enforcement Plan (focus, fairness and efficiency), together with its emphasis on the importance of compliance programs as a “first line of defence”, are a welcome approach.
Europe, for its part, appears to be embarking on a regulatory makeover in the wake of the Draghi Report, with competitiveness and streamlining regulations at its core. Meanwhile, the UK’s Serious Fraud Office is upping its game in international cooperation (UK-France-Swiss Prosecutorial Pact) and clarifying compliance expectations—though whether the clarity actually materialises is up for debate. What’s clear, however, is that ECCTA 2023 has armed UK enforcers with new tools, and they intend to use them. Multi-jurisdictional resolutions and heftier settlements are a near certainty.
AI and the Data Maze
With AI evolving at breakneck speed, data security has taken centre stage in compliance conversations. But beyond security concerns, compliance leaders are also grappling with the rising challenge of data localisation. The age of seamless global data transfers appears to be giving way to a fragmented reality where nations push for sovereign data centres and stricter oversight.
For some industries, this may be feasible. But for global enterprises—think airlines handling flights between China and the US—it’s a logistical headache. Add to that the continued regulatory scrutiny over WhatsApp, WeChat, and corporate communication monitoring, and it’s clear compliance leaders are juggling a lot.
Yet, AI also promises opportunity. My peers from Microsoft and BT shared fascinating insights on how AI is reshaping their compliance functions—from automating meeting notes to deploying Compliance Helpdesk AI bots and using AI Agents to analyse the investigation and conduct data. Done right, AI could help compliance teams achieve the elusive “do more with less” reality (yes, CFOs, we hear you). We will definitely talk more about this subject in future editions of this newsletter.
A compelling argument from McDonald’s CCO: Companies sit on vast pools of business data, much of it untouched by compliance analytics. If leveraged correctly, it can give compliance a competitive edge, making it a true business partner and value driver.
That said, AI guardrails are essential. Robust privacy impact assessments, rigorous AI training policies, and secure data fencing within organisations are just a few of those. Your risk management should include answer validation, data access, and legal privilege concerns.
And the question I hear a lot nowadays – Will AI eventually take over compliance roles, replacing human professionals? As one of my colleagues succinctly put it—While AI will not replace compliance expertise, employees skilled in AI will replace those who aren’t. And I think that’s right.
Sanctions and Export Controls
If one topic dominates every compliance discussion nowadays, it’s sanctions. And rightly so - you can rarely find a regulatory field more complex than that.
The evolving divergence among the US, UK and EU approaches adds another layer of complexity for my sanctions and export controls colleagues, turning their work into a delicate balancing act across ever-shifting regulatory landscapes and multiple jurisdictions.
US policies continue to be rooted in national security priorities, with China squarely in focus. The EU, meanwhile, is still grappling with the need for unanimous decision-making on every new sanctions package, while individual member states pursue their own enforcement paths. The UK is forging ahead with enforcement, though self-reported cases remain its primary focus. The one area where the UK needs to improve is transparency in enforcement outcomes. The recent “Ovsyannikov” case highlights why businesses struggle with interpreting the regulatory landscape and learning lessons from the OFSI’s actions.
What’s clear: Divergence among regulators is here to stay, enforcement isn’t slowing down, and deciphering regulatory intent remains an art form.
The best course of action? Start with a good-faith effort to comply with your own policies. A sound suggestion from a fellow compliance leader: conduct “lessons learned” analyses for every significant compliance incident, bringing everyone together to dissect why things unfolded as they did. And I will add to it: a “no blame” culture and psychological safety are essential for the exercise to be effective.
Navigating Uncertainty—A Compliance Imperative
Despite having short-, medium-, and long-term strategies, many companies struggle with planning for uncertainty. Contingency planning and crisis modelling offer valuable tools to anticipate risk blind spots.
From Plan A to Plan B, “What if” scenarios, worst-case projections, and dynamic risk mapping—these are essential exercises for compliance professionals, too. Data analysis certainly plays a role, but true foresight comes from understanding root causes and building proactive strategies. Compliance leaders who successfully blend regulatory insights with forward-looking risk assessments will undoubtedly earn the trust of executives and boards alike.
Final Thoughts
The 2025 WSJ CCO Council Summit was, once again, an invaluable opportunity to swap notes, hear from thought leaders, and reflect on the challenges ahead. A big thank you to WSJ Leadership Institute and the Dow Jones Risk Journal for an excellent event.
In the weeks ahead, I’ll be sharing more insights in this bi-weekly newsletter and on LinkedIn. As always, I welcome your comments and thoughts—let’s keep the conversation going!
Breaking the Mould (alimbay.me) is my newsletter dedicated to helping compliance professionals navigate the integrity and compliance landscape by highlighting key emerging risks and opportunities.
I aim to publish once every two weeks. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.