Compliance shaped around the business starts from the premise that effective control of Financial Crime risks does not arise by imposing regulation on the organisation from a distance, but by carefully connecting normative requirements with the way in which the business actually operates. Within Integrated Financial Crime Risk Management, that connection is essential. The distance between legal obligations and operational reality is often substantial in the Financial Crime domain. Rules on customer due diligence, sanctions screening, transaction monitoring, reporting obligations, tax integrity risks, governance, outsourcing, data quality, auditability and management responsibility only acquire practical meaning when they are translated into customer processes, commercial decision-making, system design, process logic, exception management and day-to-day choices in the first line. A compliance function that focuses exclusively on interpretation of norms, policy requirements or formal controls may operate in a legally defensible manner, but still be insufficiently effective when the measures do not align with products, customer segments, transaction flows, operational capacity and commercial reality. Compliance shaped around the business therefore does not begin with abstract restrictions, but with the question of where Financial Crime risks arise in practice, how they move through processes, which decision points are decisive and which control measures can actually have an effect there.

Within Integrated Financial Crime Risk Management, compliance thereby assumes a role that is at once connecting, directional and limiting. It must understand the business sufficiently well to interpret risks in their commercial, operational, legal, tax and technological context, while also remaining sufficiently independent to preserve normative sharpness when integrity risks are not adequately controlled. That position requires more than knowledge of rules. It requires insight into customer needs, product structures, process dependencies, data quality, system limitations, supervisory expectations, auditability and managerial accountability. When compliance stands too far from practice, the risk arises of abstract policy, generic blockages, delayed decision-making and declining support. When compliance moves too far with commercial or operational preferences, the risk arises of normative dilution, inconsistent application and insufficient challenge. Compliance shaped around the business therefore seeks the professional middle position: close enough to the business to design executable and proportionate control, yet firm enough in its normative mandate to set boundaries where required. Precisely for that reason, Integrated Financial Crime Risk Management becomes stronger, because measures are better aligned with actual sources of risk, the first line better understands why interventions are necessary, and decision-making can be better justified to management, audit, supervisors and other stakeholders.

Positioning Compliance as a Partner in Workable Risk Management

Compliance as a partner in workable risk management does not mean that the compliance function relinquishes its normative position or subordinates itself to commercial objectives. It means that compliance derives its authority from its ability to translate legal obligations, supervisory expectations and internal standards into control arrangements that actually function in day-to-day practice. In the Financial Crime domain, that translation is of great importance, because risks rarely present themselves in the form in which rules are written. A customer file is not merely a collection of mandatory data, but a combination of source of funds, ownership structures, transaction behaviour, geographic exposure, tax context, reputational indicators and changing circumstances. An alert is not merely a technical signal, but a possible indication of anomalous behaviour, system noise, incomplete customer knowledge or insufficiently appropriate scenario design. An escalation is not merely a procedural step, but a moment at which responsibilities, risk appetite, evidentiary support and decision-making quality converge. Compliance that operates as a partner in workable risk management understands this layered reality and prevents the application of norms from being reduced to administrative compliance.

That partner role requires an active position in the design, configuration and continuous improvement of control measures. When compliance is involved only at the end of a process, a corrective dynamic often arises. Product launches, customer journeys, system changes or operational practices are then assessed at a point when choices have already been made, budgets have already been fixed and implementation is already under time pressure. In such a situation, compliance is likely to be perceived as a delaying or blocking function, while the real problem lies rather in its late involvement in the design phase. A workable positioning therefore requires compliance to be connected early to relevant business decisions, so that integrity requirements can be incorporated from the outset into process design, data fields, decision criteria, governance, reporting and exception management. Compliance thereby shifts from correcting after the fact to strengthening in advance, without losing its critical role.

At the same time, the partner role must not be confused with non-committal advice. Within Integrated Financial Crime Risk Management, compliance has a responsibility to help the business make risk-aware decisions, but also to set clear boundaries when proposed choices are not compatible with legal obligations, sanctions risks, reporting obligations, governance requirements or defensible risk tolerance. The added value of compliance then lies in combining usability and limitation. Advice that is exclusively legally correct but fails to take feasibility into account may be ineffective in practice. Advice that is exclusively practical but lacks sufficient normative firmness undermines the reliability of the control framework. A strong compliance function unites both dimensions. It does not formulate an abstract prohibition where a controllable route is available, but it also does not accept operational desirability as a substitute for conformity with standards. This creates a position in which compliance does not stand opposite the business, but alongside it, with an independent responsibility for integrity quality, evidentiary support and managerial defensibility.

Aligning with Commercial Reality Without Losing Normative Sharpness

Alignment with commercial reality begins with recognising that the first line operates in an environment in which customer needs, competitive pressure, turnaround times, revenue targets, service expectations and operational capacity continually influence choices. Financial Crime control does not function in a vacuum. It affects onboarding, customer acceptance, periodic reviews, transaction processing, product development, relationship management, lending, international services, tax structures and exit decisions. Measures that appear logical from a normative perspective can create significant friction in commercial processes when they are not carefully designed. Additional information requests can burden customer relationships. Strict blocks can have disproportionate effects on low-risk customers. Insufficiently differentiated review frequencies can divert capacity away from material risks. A compliance function that understands commercial reality does not ignore these effects, but analyses how they relate to the protective purpose of the norm.

That approach does not mean that commercial arguments are decisive. On the contrary, normative sharpness remains necessary because Financial Crime risks often arise or increase when commercial pressure is insufficiently limited. The need for rapid onboarding can lead to incomplete customer knowledge. The desire to serve complex customer structures can obscure the view of ultimate beneficial owners. International growth can increase exposure to sanctions, corruption risks or tax-related integrity risks. Relationship preservation can lead to reluctance in escalation or exit. Compliance must make such tensions explicit and prevent commercial feasibility from being confused with acceptable risk. A business-oriented compliance function therefore aligns with commercial reality in order to steer more effectively, not to relativise normative requirements. The core lies in developing risk-based choices that are commercially executable while also withstanding regulation, supervision and internal governance.

In practice, this requires a refined manner of advising. Compliance must be able to indicate which friction is necessary, proportionate and explainable, and which friction primarily arises from unfocused policy, poor data, inefficient processes or insufficient differentiation. Not every delay is a sign of strong control. Not every customer question is an integrity risk. Not every deviation requires the same escalation. At the same time, not every commercial opportunity is defensible, even when it appears profitable or strategically attractive. The value of compliance lies in the ability to make these distinctions convincingly. This requires knowledge of regulation as well as a feel for business models, customer segments, distribution channels, products and operational dependencies. Within Integrated Financial Crime Risk Management, this gives rise to a form of normative decision-making that does not stand apart from commercial reality, but uses that reality to assess risks more sharply, target measures more effectively and better substantiate managerial choices.

Developing an Understanding of Product Structures, Customer Needs and Operational Pressure

A compliance function that seeks to contribute effectively to Integrated Financial Crime Risk Management must develop in-depth insight into the product structures within which Financial Crime risks may arise. Products are not neutral. They determine which transaction flows are possible, which parties become involved, which data are available, which customer interactions take place, which deviations become visible and which control points can logically be built in. A payment product has a different risk dynamic from an investment service, credit facility, trade finance solution, trust structure, insurance product, platform service or cross-border tax advisory relationship. Product knowledge enables compliance to understand where risks may actually manifest themselves, which typologies are relevant, which indicators are meaningful and which controls materially contribute to risk reduction. Without that understanding, compliance risks steering on generic requirements that do not sufficiently align with the specific risk drivers of the product.

Business-oriented compliance also requires an understanding of customer needs. In Financial Crime control, the customer is sometimes viewed solely as a source of risk, while customer behaviour is also shaped by legitimate needs, business logic, sectoral practices, international activities, tax structures and operational habits. A complex ownership structure may indicate concealment, but may also arise from regular investment, family, financing or tax considerations. An unusual transaction pattern may point to money laundering risk, but may also be connected with seasonal revenue, supply chain dynamics, project finance or market volatility. A customer who is reluctant to provide information may present an increased risk, but that reluctance may also be related to confidentiality, legal restrictions or poor explanation by the organisation. Compliance must therefore have sufficient understanding of customer context to distinguish between relevant signals and noise. That distinction is essential for proportionate control.

Operational pressure forms the third dimension. The first line works with systems that have limitations, data fields that are not always complete, handovers between teams, capacity constraints, service commitments, customer expectations, manual exceptions and shifting priorities. When compliance does not sufficiently understand that reality, there is a risk that policy or advice appears convincing on paper but fails in execution. A control that depends on data that are not reliably available creates false assurance. An escalation process with too many handover moments delays decision-making and reduces ownership. A review process that insufficiently distinguishes between risk categories consumes capacity without clear risk benefit. Understanding operational pressure does not make compliance less critical, but more precise. It helps determine which measures are executable, which preconditions are required, where automation adds value, where human judgement remains necessary, and where the process must be adjusted so that control does not depend on exceptional effort or individual alertness.

Translating Legal Obligations into Proportionate Business Choices

The core of effective compliance within Integrated Financial Crime Risk Management lies in the ability to translate legal obligations into proportionate business choices. Laws and regulations formulate obligations at a necessarily general level: customer due diligence must be adequate, risks must be assessed, transactions must be monitored, unusual activities must be reported, sanctions rules must be complied with, governance must be adequate and controls must demonstrably operate effectively. For the business, the question then arises what this means in concrete terms for customer acceptance, product design, review frequencies, documentation requirements, risk classification, monitoring logic, escalation criteria, exit policy and management information. Compliance has a translation function here that goes beyond repeating the norm. It must provide direction for choices that are risk-based, executable and defensible.

Proportionality is not a relaxation of obligations, but a method for directing control toward material risks. In a Financial Crime context, lack of proportionality can fail in two directions. Under-control arises when high risks are not examined in sufficient depth, escalations take place too late or commercial interests are given too much room. Over-control arises when low-risk customers are burdened with disproportionate information requests, capacity is spent on marginal signals or controls are added without a clear risk contribution. Both outcomes weaken Integrated Financial Crime Risk Management. Under-control increases integrity risk; over-control leads to inefficiency, customer friction, process congestion and reduced attention to genuinely relevant signals. Compliance must therefore help operationalise proportionality: which risks require intensification, which risks can be managed with standard measures, which exceptions are defensible, and which decision-making must be explicitly recorded.

That translation requires compliance not only to bring legal knowledge to the table, but also to understand the consequences of policy choices. Enhanced customer due diligence can have implications for onboarding capacity, customer acceptance, data quality, system design, commercial planning and audit files. A change in transaction monitoring can lead to more alerts, increased workload, adjusted scenarios, new quality controls and different reporting needs. A stricter sanctions approach can affect correspondent relationships, international customers, contractual obligations and exit processes. Compliance must not merely identify these consequences, but integrate them into advice that enables the business to make a conscious choice. The question is not only what is legally required, but also how that requirement should be designed so that the organisation demonstrably controls risk, acts proportionately and can explain at management level why a particular route was chosen.

Advising at the Intersection of Business, Tax, Legal, Compliance and Audit

Financial Crime risks increasingly move across functional boundaries. A customer structure can simultaneously have commercial relevance, raise legal issues, trigger tax integrity questions, require compliance assessment and later become subject to audit testing. A sanctions risk may arise from geographic exposure, contractual provisions, payment routes, ownership relationships and operational execution. A transaction monitoring finding may activate legal reporting obligations, tax signals, customer relationship decisions, reputational risks and governance questions. In such situations, compliance that advises exclusively from within its own functional silo is insufficient. The strength of business-oriented compliance lies in the ability to bring different perspectives together without losing its own responsibility. Compliance thereby becomes a central link in integrated decision-making around Financial Crime risks.

Advising at this intersection requires compliance to understand which questions are asked by other functions and which limitations are attached to their perspectives. The business looks at customer value, feasibility, competitive position and process impact. Tax looks at tax structures, substance, transparency, reporting obligations and possible indicators of abuse. Legal looks at contractual position, liability, authority, legal enforceability and interpretation of statutory standards. Audit looks at design, existence, operating effectiveness, traceability and evidentiary support. Compliance looks at integrity risk, supervisory expectations, policy conformity, escalation, risk classification and control quality. None of these perspectives is sufficient on its own to support complex Financial Crime decisions. Value arises through connection. Compliance must be able to help organise these perspectives into a decision that is substantively robust, practically executable and testable.

Language is of great importance in this respect. Different functions often use the same concepts with different meanings. For the business, acceptance means that a customer can be served commercially. For compliance, acceptance means that the integrity risk is controllable within established boundaries. For legal, acceptance may mean that the legal conditions have been sufficiently addressed. For audit, acceptance means that the decision-making can be traced and tested afterwards. When those meanings are not made explicit, apparent agreement arises while the underlying assessment diverges. Compliance that understands the business can make these differences visible and translate them into concrete decision-making criteria. Within Integrated Financial Crime Risk Management, this strengthens the quality of governance: decisions become less dependent on implicit assumptions, functional dominance or informal alignment, and more grounded in explicit considerations that the organisation can explain, execute and defend.

Preventing Compliance from Being Perceived as a Purely Inhibiting Function

When compliance within Financial Crime control is perceived as a purely inhibiting function, this is rarely solely the result of normative strictness. More often, that perception arises because the connection between norm, risk, measure and business impact is not made sufficiently explicit. The first line then experiences additional information requests, blocks, escalations, customer delays or policy requirements without sufficient visibility of the underlying integrity objective. In such a situation, compliance appears not to contribute to better risk management, but primarily to delay, uncertainty and procedural burden. That perception can become particularly persistent when compliance interventions are formulated generically, make little distinction between risk profiles, or fail to align with the operational phase in which the business finds itself. In the Financial Crime domain, that risk is significant, because measures often intervene in core commercial processes such as onboarding, customer maintenance, transaction processing, relationship management and product development. When compliance appears in those processes solely as the final approval gate, the image almost inevitably emerges of a function that becomes visible only when something is not permitted, cannot proceed or must be done again.

Preventing that inhibiting perception requires compliance to make its interventions not only substantively correct, but also explainable, predictable and applicable. A business-oriented compliance function must make clear why a measure is necessary, which risk it controls, which legal or supervisory expectation underpins it, and what room may exist for proportionate alternatives. This changes the nature of the conversation. Instead of a tension between commercial progress and compliance obstruction, a substantive assessment emerges around risk management, customer friction, evidentiary support and managerial defensibility. This requires language that is understandable to the business without diluting its legal or compliance substance. It also requires consistency. When comparable cases are treated differently without a clear rationale, compliance is quickly perceived as unpredictable. When criteria are clear in advance, decision-making is traceable and exceptions are carefully substantiated, the likelihood increases that the business will view compliance as directional rather than inhibiting.

At the same time, compliance must accept that not every negative perception can or should be avoided. A function that contributes effectively to Integrated Financial Crime Risk Management will sometimes have to delay, limit, escalate or deem a commercial route incompatible with the organisation’s integrity risk profile. The objective is therefore not to make compliance comfortable or frictionless, but to distinguish necessary friction from avoidable friction. Necessary friction arises when additional safeguards, further customer information, higher-level decision-making or even termination of a relationship are required to keep Financial Crime risks controllable. Avoidable friction arises when processes are unnecessarily complex, policy is insufficiently differentiated, data are not properly available, responsibilities remain unclear or compliance is involved too late. The strength of business-oriented compliance lies in reducing that avoidable friction, so that normative sharpness is preserved where it is materially required. Compliance thereby becomes not less strict, but better targeted, more convincing and more effective within Integrated Financial Crime Risk Management.

Increasing Support for Integrity Measures Through Better Alignment with Practice

Support for integrity measures does not arise automatically from the formal validity of rules. Within Financial Crime control, regulation may be mandatory, policy carefully adopted and governance formally established, while practical acceptance in the first line remains limited. This occurs when measures are experienced as externally imposed, insufficiently aligned with customer processes or too remote from the reality in which commercial and operational decisions are made. Support therefore requires more than communication after the fact. It requires involvement in the way measures are designed, explained, implemented and maintained. A first line team that understands why certain customer information is necessary, why specific indicators carry greater weight, why escalation criteria have been tightened or why certain transactions require additional assessment will be more inclined to apply those measures seriously and consistently. When that understanding is absent, the risk of minimal compliance arises: activities are performed because they are mandatory, not because their meaning is understood.

Better alignment with practice begins by recognising the points at which integrity measures actually land. A policy change is not implemented in a policy document, but in customer conversations, systems, workflow tools, decision trees, review forms, monitoring queues, escalation meetings and management reports. A measure that is logical in the abstract may still fall short in execution when customer advisers have insufficient guidance for action, data fields do not align with the required assessment, systems do not support proper recording, or escalation routes are too slow for commercial decision-making. Compliance that understands the business incorporates this execution reality into the development of measures. This means asking not only which norm must be safeguarded, but also who performs the measure, at what point in the process, with what information, under what time pressure, with what authority and with what evidentiary requirements. This practical precision increases the likelihood that integrity measures will not be experienced as an abstract burden, but as part of professional risk management.

Support is further strengthened when compliance makes visible that integrity measures serve not only to protect against supervisory criticism, but also contribute to better customer selection, more reliable processes, sharper decision-making and protection of the organisation against misuse. In the Financial Crime domain, that broader meaning can easily recede into the background when discussions are dominated by obligations, deadlines, findings or remediation. A business-oriented compliance function brings the conversation back to the question of which risks are actually being reduced and what value that has for the organisation as a whole. Integrated Financial Crime Risk Management is thereby not presented as a collection of controls alongside the business, but as a condition for sustainable customer service, reliable growth and managerial legitimacy. In this context, support does not mean that every measure is popular. It means that the measure is understood, that its proportionality can be explained, that execution is feasible and that the functions involved recognise its importance within the broader system of Financial Crime control.

Supporting the First Line in Making Risk-Aware Decisions

The first line bears a central responsibility for identifying, assessing and controlling Financial Crime risks in day-to-day business practice. That responsibility can only be fulfilled effectively, however, when the first line has clear frameworks, usable guidance, sufficient knowledge, appropriate tooling and access to timely compliance expertise. In many organisations, tension arises because the first line is formally responsible for risk management, but in practice remains dependent on complex regulation, specialist interpretations and changing supervisory expectations that are not easily translated into concrete customer or transaction cases. When compliance does not adequately address that tension, first line responsibility quickly becomes a paper premise. The business must then make decisions on customer acceptance, additional information, transactions, exceptions or escalations without sufficient clarity on the normative and risk-based criteria that apply.

Supporting the first line does not mean that compliance takes over responsibility for business decisions. It means that compliance enables the first line to make decisions that are better, better substantiated and better recorded. This requires guidance that goes beyond general policy rules. The first line needs concrete interpretation: which signals require further assessment, which customer structures are risk-sensitive, which transaction rationales are plausible, when additional documentation is necessary, when escalation is required, which exceptions are possible, and which minimum rationale must be recorded in order to explain a decision later. Compliance can provide direction by making typologies, case examples, decision criteria, sample rationales and escalation indicators available. This does not make the first line more dependent on compliance, but better equipped to act in a risk-aware manner within its own mandate.

This support is especially valuable in decisions where commercial interests and integrity risks intersect. This includes customers with complex ownership structures, cross-border transactions, sectors with heightened vulnerability, tax structures with reputational sensitivity, sanctions-sensitive geographic elements, anomalous transaction patterns or relationships in which existing customer value places pressure on an objective risk assessment. In such cases, it is not sufficient to refer the first line to policy. A decision-making process is needed in which facts, risk indicators, commercial context, legal constraints, tax considerations, compliance criteria and auditability are assessed in conjunction. Compliance that understands the business supports this process by bringing sharpness without paralysing practice. It helps distinguish between acceptable risks that can be controlled with appropriate measures and risks that fall outside the defensible range. As a result, first line decision-making becomes stronger, more consistent and more defensible within Integrated Financial Crime Risk Management.

Encouraging Early Involvement of Compliance in Design and Change

Early involvement of compliance in design and change is an essential condition for avoiding the need to repair Financial Crime control after the fact. Many deficiencies in Integrated Financial Crime Risk Management do not arise because organisations lack policy, but because compliance requirements are introduced only after product choices, process design, system configurations or commercial assumptions have largely been determined. At that point, the opportunities to control integrity risks elegantly and effectively are often limited. Adjustments then become stopgap solutions: additional manual controls, extra approval layers, temporary workarounds, remediation actions or additional documentation requirements. Such measures may be necessary, but they often make control heavier, less efficient and more difficult to demonstrate than if Financial Crime requirements had been incorporated from the outset into design decisions.

Compliance must therefore have a fixed position in change programmes that are relevant to customer acceptance, product development, digitalisation, data use, transaction monitoring, sanctions screening, outsourcing, platform models, tax services, international expansion and operational redesign. That position must be substantive, not ceremonial. It is insufficient for compliance to be formally involved only through a late-stage review or standard sign-off. Added value arises when compliance can influence at an early stage which data are recorded, which risk criteria are built into processes, which decision points require escalation, how exceptions are registered, how monitoring is configured, which management information is needed and how evidence remains available later. At that stage, compliance can prevent risks from being embedded in processes that are difficult to correct afterwards. Compliance thereby shifts from reactive control to preventive quality enhancement.

Early involvement also requires discipline from governance. Projects and change initiatives often have their own pace, commercial pressure and technical dependencies. Without a clear obligation to involve Financial Crime aspects in good time, the risk arises that compliance is consulted only when delay or escalation threatens. That is not only inefficient, but also risky. A product designed without sufficient customer due diligence logic, a system that does not record relevant data, a customer journey that discourages escalation, or an outsourcing model in which responsibilities are insufficiently documented can later lead to structural deficiencies. Compliance that understands the business must therefore not only respond to individual projects, but help structure change processes so that integrity questions are part of the design criteria from the beginning. Within Integrated Financial Crime Risk Management, this means that compliance does not stand at the edge of change, but helps shape the conditions under which change can take place responsibly.

Business-oriented compliance as a prerequisite for effective Integrated Financial Crime Risk Management

Business-oriented compliance is not a matter of style, but a prerequisite for effective Integrated Financial Crime Risk Management. Financial Crime risks do not arise in compliance policy, but in the interaction between customers, products, transactions, systems, employees, third parties, geographic exposure and commercial decision-making. A compliance function that insufficiently understands this reality may be able to formulate standards, but will struggle to align control with the places where risks actually arise. This creates a gap between formal compliance and material effectiveness. Policy documents may be complete, control frameworks may be extensive and reports may appear convincing, while in practice the business experiences insufficient direction, fails to recognise risk signals in time or applies measures without genuine understanding of purpose and proportionality. Business-oriented compliance reduces that gap by connecting normative requirements with operational execution.

Within Integrated Financial Crime Risk Management, compliance thereby receives a dual mandate. On the one hand, it must ensure that regulation, supervisory expectations, internal standards and managerial risk tolerance are not eroded by commercial pressure, process convenience or operational habituation. On the other hand, it must prevent control from becoming an accumulation of measures that may be formally defensible, but are insufficiently risk-oriented, insufficiently executable or insufficiently meaningful for daily practice. That dual mandate requires a high degree of professional maturity in the ordinary sense of the word: substantive firmness, contextual insight, independent judgement, communicative skill and managerial sensitivity. The business-oriented compliance function must be able to advise, challenge, explain, prioritise, connect and limit. It must speak the language of regulation, but also the language of customer processes, commercial choices, operational capacity, data quality, auditability and governance.

The effectiveness of Integrated Financial Crime Risk Management ultimately depends on whether the organisation is capable not only of identifying integrity risks, but also of controlling them in a workable manner at the points where decisions are made. Business-oriented compliance makes that possible because it does not merely confront the first line with obligations, but supports it in making better risk decisions. It helps the board and management understand where friction is necessary, where complexity can be reduced, where controls must be tightened and where commercial choices are no longer defensible. It strengthens the connection between business, tax, legal, risk, audit and governance by making decision-making more explicit, more consistent and more testable. Compliance thereby becomes not less independent, but more relevant. Not because distance from the business is abandoned, but because proximity is combined with normative sharpness. Precisely that combination makes business-oriented compliance a foundational condition for Integrated Financial Crime Risk Management that not only appears convincing on paper, but also withstands practice.
