The New Rules of KYB in 2026: What Compliance Leaders Actually Need to Know

February 13, 2026

Insights from a conversation with Baptiste Forestier, Head of Compliance at Flowdesk.

KYB used to be a subset of AML: a chapter in the policy document, something your team handled as part of onboarding and then moved on from. That era is over. In a recent conversation with Baptiste Forestier, Head of Compliance at Flowdesk (the French crypto liquidity provider with offices in Paris, Singapore, New York, London, and Dubai), we unpacked what is actually changing on the ground for compliance teams in 2026. Not the conference-talk version, but the operational reality. Here's what stood out.

Regulators aren't reading your policies anymore. They're auditing your product.

The single most striking shift Baptiste described is how regulators now evaluate compliance frameworks. It's no longer about submitting a 70-page KYC policy and hoping the narrative holds up.

During recent licensing processes, regulators asked Flowdesk for something unprecedented: detailed flowcharts with actual screenshots of every step in their onboarding sequence. What information is collected, in what order, at which stage. Not a summary — the real thing.

"It's the first time I'm being asked that," Baptiste said. "But consistently, across every application I've worked on, the level of scrutiny keeps increasing. They fully understand how we operate now, and they can tell us exactly what they want to see."

This is a fundamental shift. Regulators are no longer auditing what you say you do. They're auditing what your system actually does in production. Your onboarding UX is now a compliance artifact, whether you designed it that way or not.

The implication is clear: compliance has to be involved at the product and UX design stage. If you're retrofitting compliance controls after the onboarding flow is already coded, you're already behind.

DORA changed the game — and most teams weren't ready

If you're at a regulated financial institution in Europe, DORA has probably consumed a significant portion of your last twelve months. But what surprised us in this conversation is just how deeply it's reshaping the compliance function itself.

Baptiste was direct about it: DORA is one of the most complex compliance challenges he's encountered. The documentation burden alone — policies, procedures, incident response plans, third-party risk assessments, dedicated risk registers — mirrors what teams already produce for AML. Except now it's for cybersecurity, and it requires an entirely different skillset.

"Two or three years ago, a CTO with a good grasp of cybersecurity could probably reassure regulators," he explained. "Now you really need someone with a proper cybersecurity background. The level of scrutiny is very, very deep."

What makes DORA particularly important for compliance leaders is the intersection it creates between AML and cybersecurity. A cyber incident isn't just an IT problem anymore — it can instantly become an AML event, a market integrity issue, or a customer protection failure. Compliance and security teams that aren't working hand-in-hand are carrying risk they can't see.

Regulators are treating security audits almost like financial audits now: recurring, evidence-based, with clear remediation timelines. If your compliance team doesn't have a direct communication channel with cybersecurity, build one.

AMLA will end regulatory arbitrage — eventually

The Anti-Money Laundering Authority is rolling out in two phases. Phase one targets approximately 40 of the largest entities — think major crypto exchanges and tier-one banks with the highest risk profiles. Most fintechs and smaller regulated entities won't be in this first batch.

Phase two is where it gets interesting. AMLA aims to harmonize AML requirements across all EU member states, and the direction of travel is clear: upward convergence.

Baptiste put it in practical terms. Of the roughly 90 PSANs in France (digital asset service providers registered with the AMF), only about 30% are currently applying for a MiCA license with the French regulator. The rest are likely shopping for licenses in jurisdictions they perceive as faster or more accommodating.

AMLA is designed to end exactly that dynamic. France and Germany currently operate under some of the strictest AML regimes in Europe. The expectation is that other jurisdictions will need to level up to meet those standards, not the other way around.

For compliance teams operating cross-border — which, in fintech, is essentially everyone — the smart move is to build for the highest standard from day one. Designing lighter onboarding flows based on jurisdiction is a strategy with a shrinking shelf life.

That said, both of us are realistic: this is political at the EU level, and full harmonization will take time. But the trajectory is unmistakable.

AI will help. It won't save you.

This is where the conversation got most interesting, because it's where the gap between expectation and reality is widest.

AI is already adding value in compliance workflows. At Flowdesk, AI-powered suggestions help analysts process screening alerts faster — flagging likely false positives based on mismatched nationalities or other clear indicators. It saves time, and the suggestions are increasingly accurate.

But Baptiste was careful to frame where the industry actually stands: "The level of expectations we can have from AI right now is the level of an intern. A good intern, with good instincts, but you need to double-check everything before the file gets validated or refused."

That's an honest assessment, and it matches what we're seeing across the market. We're firmly in semi-automated territory. AI suggests, humans decide. Every decision still goes through manual review.

There's a useful analogy to autonomous driving here. We're at level two — your hands need to be near the steering wheel, and you need to be ready to take back control at any moment. The question everyone is asking is when we transition to level three or four. The answer: not yet, and not without building a serious track record first.

The path to more automation is sequential, not a leap:

  1. Start with AI as a suggestion engine
  2. Build track record and performance metrics over time
  3. Gain confidence through data, not assumptions
  4. Gradually expand the scope of automated decisions

What's critical — and what the AI Act reinforces — is explainability. If you can't explain why an AI suggested a particular KYB decision, you're exposed, even if the decision was correct. Every AI-assisted decision needs to be traceable and defensible. Black-box outputs, no matter how accurate, won't satisfy a regulator.

Baptiste's warning here was pointed: "It's virtually certain that in the coming months, entities that automated too aggressively will face regulatory enforcement." The temptation to move fast is real, especially when the tools are getting so capable. But moving fast without the right controls is a different kind of risk entirely.

Where AI actually earns its keep right now

If the final compliance decision isn't ready for full automation, where does AI create the most value today? Two areas stood out.

OSINT (open-source intelligence). For institutional onboarding, where counterparties have complex shareholding structures across multiple jurisdictions, AI-powered OSINT is a step change. Instead of an analyst spending two hours manually searching Twitter, public registries, and specialized databases, AI can aggregate and format that research into a structured report before the analyst even opens the case. The time savings are substantial, and because the output includes source links, the report doubles as an audit trail.

For high-volume onboarding teams, the calculus is different — screening alert automation saves seconds per case but adds up across thousands of reviews. For institutional teams, OSINT automation saves hours per case and fundamentally changes how analysts allocate their time.

Regulatory monitoring. Staying current across multiple regulatory frameworks is a constant challenge. AI tools that scan for new guidelines, contextualize them against your specific entity's situation, and identify which internal procedures need updating are moving from nice-to-have to essential. The vision — and some tools are approaching this — is a pipeline from new regulation to updated workflow, with full documentation of what changed and why.

The data architecture problem underneath all of this

One theme that ran through the entire conversation: fragmented data is still the root cause of most operational compliance pain.

Three years ago, having multiple tools in separate silos with incompatible databases was simply the norm. Making them communicate was, as Baptiste described it, "a nightmare." Progress on API quality and field standardization has made unified data architectures achievable, but it remains a significant engineering effort.

Why does this matter so much? Because regulators now expect dynamic risk scoring — the ability to adjust a client's risk profile in real time based on transaction monitoring alerts, screening hits, on-chain activity, or changes in corporate structure. You can't do that if your KYB data, transaction monitoring, and screening tools are all operating in isolation.

The shift from periodic reviews (checking files every 12 months) to event-driven continuous monitoring is real, and it's only possible with a unified data layer. A change in UBO structure, a new sanctions listing, unusual transaction volume — these should trigger re-assessment automatically, not wait for the next calendar review.
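To make the event-driven model concrete, here is an added illustration (not Flowdesk's or Dotfile's code) of a small re-assessment router over a unified client record. The event types, the upward-only risk ratchet, the anomaly thresholds and the client shape are all assumptions for the example; the point it shows is that a UBO change, a sanctions listing or a volume spike each land on the same record and queue work for an analyst, rather than waiting for a calendar review. Risk is only ever raised automatically; lowering it stays a human decision, in line with the "AI suggests, humans decide" stance above.

```python
"""Event-driven KYB re-assessment over a unified client record.

Added illustration, not the code of any vendor or firm named on this page.
Event schema, thresholds and risk levels are assumptions for the example.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumed risk ladder; automation may only move a client up it.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class ClientRecord:
    """One client as the unified data layer would hold it (assumed shape)."""
    client_id: str
    ubos: set                                   # current beneficial owners
    monthly_volumes: list = field(default_factory=list)  # trailing monthly volumes
    risk: str = "low"
    review_queue: list = field(default_factory=list)     # (task, subject) for analysts
    audit_log: list = field(default_factory=list)        # why each change happened


def raise_risk(client, level, reason):
    """Ratchet risk upward only; a downgrade needs a human review, so it is not automated."""
    if RISK_ORDER[level] > RISK_ORDER[client.risk]:
        client.audit_log.append(f"risk {client.risk}->{level}: {reason}")
        client.risk = level


def volume_is_anomalous(history, value, z=3.0, floor_ratio=3.0):
    """Flag a month more than z std-devs above the trailing mean, or more than
    floor_ratio times the mean when history is flat (std-dev of zero).
    Fewer than three months of history is not enough to judge, so never flag."""
    if len(history) < 3:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return value > floor_ratio * mu
    return value > mu + z * sigma or value > floor_ratio * mu


def handle_event(client, event):
    """Route one event from the registry feed, screening or transaction monitoring
    to a re-assessment of the same client record. Returns the resulting risk level."""
    kind = event["type"]
    if kind == "ubo_change":
        new_ubos = set(event["ubos"])
        added, removed = new_ubos - client.ubos, client.ubos - new_ubos
        client.ubos = new_ubos
        client.audit_log.append(f"ubo change: +{sorted(added)} -{sorted(removed)}")
        for ubo in sorted(added):
            client.review_queue.append(("screen_ubo", ubo))  # new owner must be screened
        if added:
            raise_risk(client, "medium", "new UBO pending screening")
    elif kind == "sanctions_listing":
        # Only relevant if the listed entity is this client or one of its owners.
        if event["entity"] == client.client_id or event["entity"] in client.ubos:
            client.review_queue.append(("sanctions_hit", event["entity"]))
            raise_risk(client, "high", f"sanctions listing: {event['entity']}")
    elif kind == "transaction_volume":
        if volume_is_anomalous(client.monthly_volumes, event["value"]):
            client.review_queue.append(("tm_alert", event["value"]))
            raise_risk(client, "medium", f"volume anomaly: {event['value']}")
        client.monthly_volumes.append(event["value"])
    else:
        raise ValueError(f"unknown event type: {kind}")
    return client.risk


if __name__ == "__main__":
    # Constructed sample client and event stream, not real data.
    acme = ClientRecord("acme", {"alice", "bob"}, [100_000, 120_000, 110_000])
    stream = [
        {"type": "ubo_change", "ubos": ["alice", "carol"]},
        {"type": "sanctions_listing", "entity": "carol"},
        {"type": "transaction_volume", "value": 900_000},
    ]
    for ev in stream:
        print(ev["type"], "->", handle_event(acme, ev))
    print("queue:", acme.review_queue)
    print("audit:", *acme.audit_log, sep="\n  ")
```

Each branch appends to both the review queue and the audit log, so the record of why a client's risk moved is produced by the same code path that moved it; that is the traceability regulators ask for when they audit what the system does rather than what the policy says.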

What a best-in-class KYB program looks like now

If you're building or rebuilding your KYB framework in 2026, here are the non-negotiables:

  1. Pre-screening that catches risk early, before your team commits resources to full onboarding.
  2. Onboarding flows designed with compliance embedded from the start: documented, auditable, and aligned with your risk-based approach.
  3. Automated UBO discovery with human oversight on complex structures.
  4. Continuous, event-driven monitoring fed by a unified data layer across your tool stack.
  5. AI as an accelerator at every stage, with human judgment as the constant guardrail.
  6. Clean offboarding procedures. Regulators are starting to look closely at how and why business relationships are terminated, and weak exit documentation is a growing area of scrutiny.

The bottom line

Six things are true simultaneously right now:

  1. Regulators understand your tech stack better than they did two years ago, and they're auditing accordingly.
  2. DORA means your compliance team needs a direct line to cybersecurity, or you're carrying risk you can't see.
  3. AMLA will compress the gap between Europe's strictest and most lenient jurisdictions, so building for the lowest bar is a losing strategy.
  4. AI is useful today for screening suggestions, OSINT, low-risk case reviews, and regulatory monitoring, but anyone removing humans from final decisions without a documented track record is taking a bet they'll likely lose.
  5. Your onboarding flow is now a compliance artifact, and if compliance isn't involved at the design stage, the remediation cost later is steep.
  6. Fragmented data across siloed tools is still the thing that makes dynamic risk scoring, continuous monitoring, and defensible audit trails functionally impossible.

None of this is abstract. These are the operational realities that determine whether your next licensing application succeeds, whether your next audit is clean, and whether your team can actually scale without the headcount scaling with it.

Baptiste's framing stuck with us: regulators are asking more of compliance teams, but technology has made it possible to meet that standard. A decade ago, analysts were checking font consistency on PDF identity documents by hand. The bar has moved — but so have the tools.

The teams that recognize that aren't just surviving increased scrutiny. They're the ones giving the business confidence to move.

This post is based on a live conversation between Vasco Alexandre, CEO of Dotfile, and Baptiste Forestier, Head of Compliance at Flowdesk.
