Validating Regulatory Expectations Before a Major Compliance Overhaul

Start with the cost of being wrong

A compliance overhaul that misreads supervisory intent is worse than a delayed one. You commit two to three years of build, lock in target operating models, and create internal momentum that becomes politically impossible to reverse. When the regulator later signals you have solved the wrong problem, or solved the right problem the wrong way, the remediation costs more than the original programme.

Validation is not a courtesy call to your supervisor. It is a structured intelligence exercise designed to surface what the regulator actually expects, what they will tolerate, and what they will quietly escalate. Done well, it happens before the business case is signed, not after.

Separate the rule from the expectation

Most senior teams confuse the written rule with the supervisory expectation. The rule is the floor. The expectation is what the supervisor believes good looks like, shaped by recent enforcement, peer reviews, Dear CEO letters, and the personal priorities of the relevant directorate.

Before committing, you need three distinct readings:

1. The technical reading. What does the rule require, literally, as drafted.
2. The supervisory reading. What does your specific supervisor expect, given recent thematic work and the firms they have already actioned.
3. The peer reading. What are comparable firms building, and where is the centre of gravity forming.

The gap between these three is where most overhauls go wrong. Firms over-engineer against the technical reading, under-read the supervisory direction, and discover too late that peers have set a different bar.

Triangulate before you commit

Test the supervisory reading directly

Use your scheduled supervisory contact, but prepare for it differently. Do not ask open questions about expectations: you will get the published policy back. Instead, present a specific design choice and ask whether the direction of travel concerns them. Supervisors will rarely endorse, but they will often warn. The warnings are the signal.

If you do not have a strong supervisory relationship, route the question through your trade association, your external counsel, or a former supervisor now in industry. Each gives you a different angle on the same question.

Read enforcement as a forecast

Recent enforcement actions are the clearest available statement of supervisory priorities. Read the last 18 months of relevant cases not for the fine, but for the findings: what control failures did the regulator emphasise, what governance weaknesses did they call out, and what remediation did they require. That is the template your overhaul will be measured against.

Map the peer position carefully

Peer benchmarking through consultancies is useful but lagging. The more valuable signal comes from people who have recently left programme leadership roles at comparable firms. They will tell you what the regulator actually said in closed-door sessions, what their firm chose to build, and what they would do differently. Two or three of these conversations are worth more than a benchmarking report.

Pressure-test the business case against three scenarios

Before approval, run the proposed overhaul against three regulatory futures:

• The rule tightens. Does your design have headroom, or are you building exactly to today's bar.
• The rule is interpreted more strictly in supervision. Where are your discretionary judgements, and would a supervisor accept them under challenge.
• The rule shifts emphasis. If the regulator pivots from prescriptive to outcomes-based testing, can you evidence outcomes, or only process.

If the programme only works under one scenario, it is fragile. Rebuild it.

What most firms get wrong

The common failure is treating validation as a single conversation with the supervisor at the start, then proceeding as if the answer is fixed. Supervisory expectations move during the build, especially on multi-year programmes. Validation needs to be staged: at concept, at design freeze, at go-live, and at first effectiveness review. Each stage should have a defined question and a defined channel.

The other failure is letting the second line own validation alone. Compliance and risk will give you the technical reading. They will rarely give you the political and supervisory reading you actually need. That has to come from the executive, with intelligence support.

Your next decision

Before the next steering committee, write down the three readings: technical, supervisory, peer. If you cannot fill in all three with specifics, you are not ready to approve the business case. Commission the work to close the gap. Two weeks of validation is cheaper than two years of rebuild.