Pressure-Testing Compliance Readiness Against Real Regulator Enforcement

The problem with "we're ready"

When a compliance team says they are aligned with a new regulation, they usually mean they have read the rules, mapped them to controls, updated policies, and trained the relevant staff. That is necessary. It is rarely sufficient.

Regulators do not enforce text. They enforce interpretation, shaped by supervisory priorities, recent enforcement patterns, the views of specific senior officials, and what they have seen go wrong at peer firms. The distance between the words in the rulebook and the questions a supervisor will actually ask you can be substantial. Closing that distance is the real readiness test.

Where the gap usually sits

Three places, almost every time.

Interpretation of ambiguous provisions. Most new regulations contain phrases like "proportionate," "appropriate," "sufficient," or "timely." Your compliance team has made a judgement call on what each means. The regulator has too, and they may not match. The risk is highest where your interpretation is convenient.

Evidence standards. You may have the right controls. The question is whether you can prove they were operating effectively on a specific Tuesday eighteen months ago. Compliance teams often underestimate what supervisors want to see: not policy documents, but artefacts of the control running, decisions being made, and exceptions being escalated.

Tone and culture signals. Supervisors increasingly assess whether the firm treats the regulation as a constraint to manage or a standard to meet. Board minutes, internal challenge, the seniority of people in the room when issues are discussed, all read as evidence. A technically compliant programme run grudgingly will draw more scrutiny than a slightly imperfect one run seriously.

How to test alignment before the regulator does

Map enforcement signals, not just rules

Pull the last 18 to 24 months of speeches, Dear CEO letters, enforcement notices, and thematic review findings from the relevant authority. Look for the verbs and the examples. What did they criticise? What did they praise? What did they say firms were getting wrong? This tells you where the supervisory edge sits, which is rarely identical to where the rule's edge sits.

Talk to people who have been examined

Peer firms that have already been through a supervisory visit on adjacent rules are the most valuable source you have. Not their compliance officers reading from a script, but their general counsel or chief risk officer talking candidly about what questions actually got asked, what evidence was requested, and where supervisors pushed hard. A handful of these conversations will reset your readiness assessment more than any internal review.

Commission an external challenge

Not another gap assessment from the same firm that helped you build the programme. Bring in someone with recent supervisory experience, ideally a former regulator or a lawyer who has defended firms in enforcement actions on similar rules. Give them your control evidence and ask them to argue the supervisor's side. Where would they push? What would they not accept? What looks thin?

Run a realistic dry-run examination

Not a tabletop exercise with friendly questions. A two or three day exercise where the examiners ask for specific evidence on specific dates, interview real staff without preparation, and stress-test the weakest controls. The point is not to pass. The point is to find what breaks under pressure.

Check the human layer

Supervisors interview people. Pick five staff at random across the relevant functions and ask them, cold, what the new regulation requires them to do differently. If the answers are vague, generic, or contradictory, you have a problem that no policy document will fix.

What good looks like

A firm that is genuinely ready can produce evidence on demand, has a documented interpretation of every ambiguous provision with a rationale, has tested that interpretation against external views, and has staff who can explain the change in their own words. The tone from senior leadership treats the regulation as a standard the firm chose to meet, not a hurdle imposed on it.

Your next move

Before your next board update, ask your compliance lead one question: which three provisions of the new rule are we most likely to be challenged on, and what is our evidence that our interpretation will hold? If the answer is fluent and specific, you are probably in good shape. If it is reassuring but general, you have work to do, and you have time to do it.