Thursday, December 11, 2025

Stepping up to the new compliance reality: what 765 CCOs are telling us

Regulation is expanding, scrutiny is rising, and compliance leaders are being asked to do more with the same or fewer resources. The latest KPMG Global Chief Ethics and Compliance Officer survey, based on 765 CCOs, confirms what many mid-market teams already feel on the ground. This article distills the findings that matter most for intermediate-sized enterprises, with a special focus on technology’s growing role in compliance risk mitigation, from analytics and automation to AI.

The big picture at a glance

  • Rising scrutiny, fast. About 84 percent of CCOs expect increasing regulatory expectations and scrutiny over the next two years.
  • New rules and data complexity. New regulatory requirements top the list of challenges, closely followed by data analytics and predictive modeling.
  • Tech budgets are going up. Roughly seven in ten CCOs expect compliance technology budgets to increase.
  • Automation gap remains. A third use bots for repetitive tasks, only 23 percent use predictive analytics for monitoring, and very few leverage AI for complex decisions.
  • ESG is still maturing. Only a small share say ESG compliance programs are fully operational.
  • Teams are growing. Around 72 percent plan to add compliance headcount.

Source: KPMG Global Chief Ethics and Compliance Officer survey, January 2024.

Technology’s growing influence, with a maturity gap

Investment is shifting to data-first capabilities that reduce manual work, make monitoring continuous, and sharpen reporting to boards and regulators.

Tech focus area and what CCOs say:

  • Budget trend: about 70 percent expect an increase in the next year; most anticipate 5 to 10 percent growth.
  • Top investment drivers: data analytics 63 percent, cybersecurity and data privacy 54 percent, process automation 51 percent, AI and models 27 percent.
  • Current automation maturity: 33 percent use bots for repetitive processes; 23 percent use data analytics and predictive modeling for monitoring; very few use AI for complex decisions.

What this tells mid-market leaders: the mandate is to build data pipelines you can trust, instrument priority controls, and automate the repeatable 20 percent that creates 80 percent of the grind. AI can be phased in as explainable, well-governed add-ons once data quality, lineage, and privacy-by-design are in place.

Where automation will pay off first

CCOs highlight seven areas that are either being automated or are top priorities for the next two years. These align closely with the daily workload of compliance teams in intermediate-sized enterprises.

Share of CCOs currently automating each area, and share naming it a priority for the next two years:

  • Risk assessments: 48 percent automating now; 40 percent priority.
  • Monitoring and testing: 41 percent now; 39 percent priority.
  • Issues management and investigations: 28 percent now; 51 percent priority.
  • Regulatory change management: 34 percent now; 49 percent priority.
  • Mapping regulatory inventories to controls: 24 percent now; 56 percent priority.
  • Third-party management: 37 percent now; 50 percent priority.
  • Manual supervisory tasks: 47 percent now; 38 percent priority.

Practical implication: mapping regulatory inventories to controls is the least automated of the seven areas today (24 percent) and the top priority (56 percent), so start there. Digitize the regulatory inventory, map it to your business controls, then tie monitoring and testing to that map. This sequence creates traceability from law to control to evidence, which is exactly what regulators increasingly expect to see.

What this means for mid-market compliance leaders

Intermediate-sized enterprises face the same regulatory perimeter as large groups, with fewer dedicated resources. That makes prioritization, standardization, and automation critical. Based on the survey’s signals, five actions stand out:

  1. Make cyber and privacy your baseline improvements. Regulators are homing in on how personal data is collected, used, retained, and disposed of, and on operational resilience. Invest in access management, encryption at rest and in transit, and automated retention and deletion. Map each of these controls to the obligations it satisfies (GDPR, your sector rules) and to the control framework you certify against (ISO 27001), so that your dashboards report them without extra effort.
  2. Build a single view of regulatory obligations. Unify AML, anti-bribery and corruption, antitrust, criminal compliance, sanctions, ESG, and sector rules in one repository. Map each obligation to a control, a control owner, and a test. Do not leave this in static spreadsheets. Use a system that can track versions, jurisdictions, and effective dates.
  3. Automate evidence collection. Start with third-party due diligence, gifts and hospitality, conflict of interest disclosures, and high-risk payments. Automate ingestion of proofs, attestations, and screening logs so control owners and auditors can retrieve evidence without email archaeology.
  4. Pilot predictive analytics where the data is strongest. Payment anomalies for AML, third-party screening exceptions for ABC, and pricing or discount outliers for antitrust red flags are three sensible early pilots. Keep models explainable, document the features and thresholds, and put human review in the loop.
  5. Build privacy by design and model governance in parallel. The EU’s AI Act sets expectations around risk classification, data governance, transparency, and human oversight. Bake these principles into any new automated or AI-assisted control before it goes live.

For reference on the AI Act’s trajectory, see the European Council overview of the law and its phased application timing. For an overview of the KPMG survey, see the KPMG Global Chief Ethics and Compliance Officer survey 2024.

  • European Council overview: The AI Act
  • KPMG survey summary: KPMG Global Chief Ethics and Compliance Officer survey

Connecting the dots to key frameworks

  • Anti-bribery and corruption, Loi Sapin II and ISO 37001. Automate risk assessments by country, sector, and transaction type. Digitize third-party due diligence, beneficial ownership checks, and gifts and hospitality registers. Use risk scoring to calibrate enhanced due diligence, then route remediation actions and approvals through workflows.
  • Antitrust, Spanish UNE 19603. Automate conflict and competitor mapping, track information-sharing barriers, and monitor discounting and partnering exceptions. Build an auditable trail of competition law approvals for joint ventures, trade association participation, and market data purchases.
  • Criminal compliance in Spain, UNE 19601. Map legal obligations to internal controls and evidence sources. Automate incident intake, triage by offense category, and case management for investigations, with separation of duties and immutable logs.
  • Anti-money laundering. Automate screening of customers and counterparties, monitoring of high-risk transactions, and risk-based KYC refresh cycles. Feed alerts to an investigations queue with documented decisioning and audit-ready narratives.
  • AI governance, AI Act. Classify use cases, identify high-risk systems, register them where the Act requires it, and document data, testing, monitoring, and human oversight. Maintain a change log and impact assessments for each automated decision system.

A pragmatic 90 day roadmap

Day 0 to 30, visibility and scoping

  • Establish a master regulatory inventory across AML, ABC, antitrust, criminal compliance, privacy, cyber, and ESG. Assign each obligation to a control and an owner.
  • Baseline cyber and privacy controls: identity and access, data retention, vendor security clauses.
  • Pick two automation pilots where the data is ready: regulatory mapping to controls, and third-party onboarding and screening.

Day 31 to 60, pilot and governance

  • Automate evidence capture and testing for the two pilots. Stand up a lightweight model governance process covering purpose, data, features, testing, monitoring, and human override.
  • Launch a compliance dashboard for leadership: critical risks, control effectiveness, exceptions, investigation cycle times.
  • Train process owners and incorporate compliance metrics in performance objectives.

Day 61 to 90, scaling and assurance

  • Extend automation to issues and investigations, and to regulatory change management.
  • Run a privacy-by-design review of the new automations. Document data flows and retention, and complete DPIAs where applicable.
  • Present results and the business case for the next budget cycle: reduced cycle times, fewer manual hours, improved coverage, faster investigations.

Show business value with the right metrics

Regulators and boards want evidence, not slogans. Consider a simple, decision-useful KPI set that links controls to outcomes.

  • Regulatory change time to control update: median days from law update to mapped control change
  • Third-party onboarding cycle time: median and 90th percentile
  • Percentage of high-risk third parties with enhanced due diligence completed on time
  • Exceptions cleared within SLA: percentage and median days
  • Monitoring coverage: percentage of high-risk transactions tested automatically
  • False positive rate and precision for alerts, with trend
  • Investigation time to closure: median days and variance
  • Training completion and assessment pass rates for high-risk roles
  • Privacy: data deletion success rate and time to honor access requests
  • ESG: percentage of reported indicators with automated data lineage to source systems

ESG is still a work in progress

Only a small share of CCOs report fully operational ESG compliance programs. Most are building policy management, regulatory scanning, data and controls, and monitoring of ESG metrics. For mid-market teams, the winning move is to treat ESG like any other risk domain. Bring it into your unified inventory, map disclosures to data sources, and automate metric collection with validation and version control to reduce greenwashing risk.

How Naltilia supports this journey

Naltilia provides an AI-powered platform that helps compliance teams streamline and automate regulatory compliance, accelerate processes, and boost team capacity.

  • Regulatory risk assessment. Centralize obligations, map them to controls, and prioritize by inherent and residual risk.
  • Remediation actions. Track findings to closure with owners, deadlines, and automated reminders.
  • Tailor-made policies. Generate and maintain policies aligned to your risk profile and frameworks.
  • Automated data collection. Pull evidence from systems and workflows so audits are faster and less intrusive.
  • Compliance workflow automation. Orchestrate third-party due diligence, monitoring and testing, investigations routing, and approvals.

If you are beginning to automate risk assessments, monitoring and testing, regulatory mapping, or third-party management, these capabilities align directly with the priorities CCOs highlighted in the KPMG survey. Explore how this could work in your environment at Naltilia.

Figure: compliance automation pipeline in five stages, connected in sequence: Regulatory inventory, Control mapping, Data ingestion, Monitoring and testing, Reporting and remediation.

Frequently asked questions

What are the top two compliance challenges for the next two years? New regulatory requirements and the data analytics required to monitor and report compliance.

Where are compliance tech budgets going? Data analytics first, followed by cybersecurity and data privacy, and process automation. AI is in scope for many teams but usually as a second wave after data and controls are in place.

Which automations deliver the fastest ROI for mid-market teams? Regulatory mapping to controls, third-party onboarding and screening, and automated monitoring and testing for high-risk transactions. These areas shrink cycle times, increase coverage, and produce audit-ready evidence.

How do I align automation with Loi Sapin II or ISO 37001? Start by digitizing your corruption risk map and third-party due diligence process, generate traceable approvals for gifts, hospitality, and sponsorships, and link every control to a policy and a test. Maintain immutable logs and ownership records to demonstrate adequate procedures.

What does the EU AI Act mean for compliance tools? Expect stronger requirements for risk classification, data governance, transparency, and human oversight. Treat any AI assisted control like a high impact change, document the model and data, test for bias, explain decisions, and give humans the final say on consequential actions.

How can we show the business value of compliance technology? Communicate early outcomes, reduced exception backlogs, faster investigations, improved control coverage, and crisper reporting to leadership. A dashboard that ties metrics to risk reduction and cycle time savings resonates with boards and audit committees.

Take the next step

If your team is under pressure to enhance cyber and privacy controls, automate monitoring, and bring regulatory mapping under control, a focused platform can help you move fast without adding headcount.

See how Naltilia can accelerate your compliance program with AI-powered risk assessment, automated data collection, and workflow automation. Visit Naltilia to start the conversation.