Monday, November 17, 2025

Cost/Benefit analysis of compliance

Jean-Christian Le Meur

Compliance is expensive. In many companies it is one of the fastest growing budget lines: more staff, more external advisers, more tools, more audits. It is tempting for boards or CFOs to conclude that "we are spending too much on compliance."

But that conclusion is incomplete. The real comparison is not compliance vs no compliance; it is structured, proactive compliance vs the cost of getting it wrong. In case after case, non compliance is vastly more expensive: financially, operationally and strategically.

1 What does compliance cost a company?

There is no single global figure, but several data points give a clear sense of magnitude:

  • Compliance teams spend around 4,000 hours per year achieving or maintaining compliance.
  • That is roughly €340,000 a year in fully loaded cost before you count legal, internal audit, risk, and business line work.

Share of costs or revenue:

  • In financial services, benchmark studies show that compliance can represent 13 to 19 percent of annual operating costs or revenues, depending on firm size.
  • Deloitte notes that, compared with pre financial crisis levels, banks’ operating costs spent on compliance have risen by over 60 percent.

Hidden internal costs:

  • Surveys consistently show that most compliance professionals spend a majority of their time on a small number of tasks such as collecting evidence, monitoring controls and tracking regulatory changes, rather than advising the business or improving processes.

Order of magnitude by company size:

  • For a mid size company, it is reasonable to see hundreds of thousands to several million euros per year in direct compliance costs (people, tools, external advisers), plus indirect costs like delayed launches, blocked deals, or gold plated processes that slow the business down.
  • For large banks, the cost can exceed 100 million euros per year.
  • At the scale of SMEs, the cost of managing compliance due diligence of clients can be enormous relative to revenue and headcount.

2 The global bill, over 200 billion dollars a year, just for financial crime

LexisNexis Risk Solutions estimates that financial institutions now spend more than 206 billion US dollars per year on financial crime compliance alone (KYC, AML, sanctions, transaction monitoring, investigations). That number is only for financial crime and only for financial institutions.

On top of this you have:

  • GDPR and privacy compliance across sectors
  • Anti corruption, competition law, criminal compliance, export controls
  • ESG, CSRD and sector regulations in pharma, energy, telecom and more

Add these layers and a conservative picture is that overall regulatory compliance globally sits comfortably in the high hundreds of billions per year.


3 Why is compliance so costly?

It is tempting to blame too many rules, but the real driver is often how companies manage them.

Fragmented, manual processes

  • Evidence is scattered across emails, shared drives, ticketing tools and local folders.
  • Teams re-collect the same documents for every audit or certification.
  • Key controls are tracked in spreadsheets, with a high risk of errors.

Explosion of data and regulations

  • Financial institutions report that employee hours spent on compliance have risen by over 60 percent in recent years as regulatory change accelerates.
  • The same pattern appears in ESG, data protection and sector rules: more new texts, more updates, more overlapping frameworks.

Specialised skills and scarce talent

  • Salaries for senior compliance officers are rising, and most firms expect further increases.
  • When you combine legal, regulatory, data protection, internal control and industry knowledge in one role, it is simply expensive.

Inefficient tooling and duplication

  • Many companies pay for multiple tools (policy management, whistleblowing, GRC, vendor due diligence) that do not talk to each other, which leads to duplicated effort and inconsistent data.

4 Compliance is a cost centre, but non compliance is a value destroyer

When firms do not comply, the bill explodes:

Each of these single cases wipes out what a proactive compliance program would have cost over many years. So yes, compliance is a recurring cost. Non compliance is a bet-the-company risk: a single decision or a series of shortcuts can generate liabilities that dwarf years of compliance budgets.

Non compliance also hits the top line:

  • Public scandals and enforcement actions damage brand and trust, especially in B2C sectors or when victims are consumers, patients or investors.
  • Large corporates and public bodies may refuse to deal with companies perceived as toxic counterparties or high risk third parties, which removes access to tenders and partnerships.
  • Regulators can impose business restrictions: limits on growth, product bans, temporary suspensions of licences or approvals.

Those opportunity costs are rarely quantified, but they can easily exceed the direct financial penalty over time.


Frequently asked questions

Is there a rule of thumb for mid size companies’ compliance budgets? A reasonable range is hundreds of thousands to several million euros per year depending on sector risk, jurisdictions, certifications, and the extent of automation.

What makes compliance disproportionately expensive for SMEs? Many obligations are fixed, for example due diligence, policy frameworks, training, and they do not scale down with revenue or headcount, so the cost takes a larger share of operating expenses.

How can we reduce cost without increasing risk? Centralize evidence, standardize controls, rationalize tools to a connected platform, and automate repetitive tasks like monitoring and attestations. This reduces duplicate work and audit scramble time.

Does spending more guarantee fewer fines? No. What matters is structured, risk based compliance that is documented, monitored and continuously improved. Spending is necessary, but design and execution quality drive outcomes.

How often should we reassess the program? Annually as a baseline, and whenever major regulations change or your business enters new jurisdictions or product lines.

Ready to shift from manual, fragmented processes to structured, proactive compliance that lowers total cost of ownership while reducing risk? Naltilia’s AI platform centralizes controls, automates evidence collection and orchestrates workflows so your team focuses on high value analysis. Schedule a demo and see how quickly the economics of compliance can improve: https://calendly.com/iratxe-naltilia/30min