Beyond KYC – the expansion of the onboarding universe

A collaborative paper by Chartis Research and Dun & Bradstreet

This collaborative paper from Chartis and Dun & Bradstreet considers the impact of expanding regulations on companies’ onboarding/KYC processes, and how firms can respond effectively to the new pressures they face.

Onboarding critical as the regulatory landscape changes

In recent years, global regulations have expanded significantly in both scope and coverage, encompassing a broader range of economic activities and drawing in a wider array of firms. While these regulatory requirements were once primarily the domain of financial institutions, increasingly, financialized large corporations are taking on similar regulatory responsibilities. This shift has brought new challenges, especially in the area of onboarding, where companies must not only verify client identities and ensure compliance with anti-money laundering (AML) and Know Your Customer (KYC) standards, but also establish processes for meeting the specific regulatory demands relevant to their industry.

As regulatory frameworks continue to evolve, onboarding has become a critical process that goes beyond initial client assessments. Firms are now required to conduct ongoing due diligence and establish robust frameworks for compliance monitoring and risk assessment, often in real time. For non-financial corporations, adapting to these requirements has meant implementing new governance structures and acquiring specialized expertise. Consequently, onboarding is no longer a one-time event but rather an ongoing practice that supports broader regulatory compliance and risk management efforts across diverse sectors.

Firms such as payment service providers, gaming companies and telecoms firms are already managing complex KYC, customer due diligence (CDD) and enhanced due diligence (EDD) processes. But a larger collection of regulations is beginning to draw more firms into the mix.

The regulatory impact: the US and Europe

The US remains the key player in the compliance and regulatory landscape. Its ability to harness the power of the dollar as the global reserve currency has enabled it to dictate terms of trade and finance. Compliance with US regulations is often seen as an unbreakable requirement for firms, regardless of geography.

In the past few years, the US has seen a surge in regulatory activity across various sectors, including environmental, social and governance (ESG) standards, cybersecurity and financial regulations.

If the US is the leader in terms of finance and trade sanctions, Europe has often led the way on ‘softer’ regulations around sustainable finance, personal data and privacy, and ESG.

As such, the US often leans on aggressive financial and sanctions compliance, with the EU following suit, while Europe is often first to build out strategies for these other areas, which the US subsequently adopts. This can be seen in personal data regulations such as the California Consumer Privacy Act (CCPA) in the US, which more or less mimicked the EU’s General Data Protection Regulation (GDPR).

Indeed, these two have created a broad, interlocked web of regulations with which international firms must comply. Some of the key changes in US/EU regulations are summarized by Chartis in Table 1 below.

What are the pressures and how are corporates responding?

Keeping up with constantly changing regulations across different jurisdictions can be overwhelming. However, firms have also come to understand that regulatory risk is an inherent consideration in every part of a business. Every type of risk impacts a business to some extent (see Figure 1).

Following the financial crisis, financial institutions built large compliance teams to manage their sanctions obligations, creating dedicated resources to meet increasingly complex regulatory demands. Modern corporates, however, often lack the capacity to do the same, due to constraints in budget and staffing and operational priorities. Expanding compliance teams at the scale of traditional financial institutions could compromise corporate efficiency, adding layers of oversight that slow down decision-making and impact core business functions. Instead, many corporates are turning to technology-driven solutions to streamline compliance with sanctions and other regulatory obligations. By leveraging advanced compliance tools, these companies aim to balance robust regulatory adherence with operational efficiency, avoiding the overhead created by extensive in-house compliance staffing.

In managing this kind of complexity, advanced tools and automation are key, as they can be used to identify, analyze, monitor, mitigate and report. And by using advanced data analytics, businesses can predict common compliance issues.

Firms have expanded their ingestion and processing of more varied data sources. Integrated compliance platforms that consolidate data from various sources into a single system can allow more effective data sharing, while application programming interfaces (APIs) can be used to enable real-time data exchange.

One of the top priorities in compliance is ensuring relevance – identifying data sources that align closely with the firm’s unique requirements. This means selecting data that fits an institution’s specific markets, verticals and customer profiles, creating a tailored ‘fingerprint’ of data needs. However, data is inherently dynamic – internal company information and external regulatory requirements are continually evolving. Companies must stay agile to accommodate these shifts, selecting data sources that can adapt to regulatory updates and reflect ongoing changes in customer and market information. This approach allows firms to maintain compliance while continuously aligning with current regulatory and business landscapes, reducing the risk that outdated or irrelevant data will compromise their compliance efforts.

Looking ahead

Moving forward, a primary concern for firms is uncertainty. Institutions have never been immune to the effects of politics, and geopolitics in a multipolar world are even more intense. The Russia-Ukraine war has intensified scrutiny of supply chains and energy security, while also increasing the complexity of sanctions and introducing new areas of compliance (such as ESG).

The future of these regulations, and the direction of regulation in general, are uncertain. US elections can to some extent be viewed as a conflict between deregulatory and more regulatory-focused priorities, but aside from the change associated with elections impacting various levels of government, the direction of change is in some ways deeper than that. Recent Supreme Court rulings, such as the striking down of the Chevron doctrine, suggest a potential shift away from more regulatory authority (or at least regulatory power without the full and/or implicit backing of the US federal government). A weaker or less aggressive SEC or OFAC may also reduce the threat of regulatory compliance in the EU, which has always been less willing to implement significant fines.

Instead, we may see a more nuanced approach in which the direction of regulation is qualified and balanced against broader judicial trends and geopolitical pressures. The landscape of compliance and regulation will remain complex and evolving, with institutions needing to navigate an increasingly unpredictable environment. This is most relevant in new areas of compliance such as ESG and climate risk, as nascent regulations may be more at risk of change or variation in how strictly they are enforced. This makes the future environment one of extreme uncertainty.

As regulatory landscapes grow more complex and public expectations around responsible business practices increase, firms must adopt a proactive approach to risk management, collaborating across departments to address key challenges in data governance, onboarding and supplier oversight. Business units, compliance teams and data officers should work together to create a view of risk that informs onboarding and monitoring practices across the enterprise.

Next steps and recommendations

  • Strengthen onboarding for regulatory preparedness. Onboarding processes should go beyond initial compliance checks, integrating regulatory requirements for areas such as data privacy, ESG and human rights into the onboarding pipeline. This will allow firms to identify and address potential risk factors early, particularly in areas where formal requirements may not yet apply but responsible business practices demand they be addressed.
  • Ensure that ESG and human rights oversight are included. Even if regulatory mandates are not in place, companies should assess these risks as a best practice, extending this assessment beyond primary suppliers and into their supply chains. This can build resilience, and aligns with both potential regulatory changes and consumer expectations.
  • Use data-driven risk impact assessments. Leveraging data for predictive risk assessments could be cost-effective and strategically beneficial. For example, assessing the risk exposure of key facilities in disaster-prone areas can allow companies to take pre-emptive action to prevent substantial losses. This approach extends to evaluating operational risks across the supply chain, ensuring that resilience is built on data rather than reactive measures.

By treating responsible business practices as core to their risk strategy, firms can position themselves as leaders in both compliance and corporate responsibility.

The information provided is for suggestion purposes only, based on best practices, and provided as-is. Dun & Bradstreet is not liable for the outcome or results of specific programs or tactics undertaken based on our white paper. Please contact a legal adviser if you are in need of legal advice regarding regulatory compliance.
