In theory, compliance and innovation should work side by side: one keeps the business protected, the other drives it forward. Compliance by design offers a way to achieve that balance. But in practice, the two often end up pulling in opposite directions.
For many IT teams, the moment a project gains momentum, the brakes come on: review cycles, documentation, approvals, and good practice (GxP) processes built for risk mitigation, not speed. These safeguards are essential, and yet the pace of digital transformation isn’t slowing down; quite the opposite.
New technologies are generating massive volumes of data. Regulatory frameworks are becoming more complex. Compliance teams are under pressure to keep up, often using outdated, manual processes that were never built for this scale or speed. Friction grows between those trying to build the future and those trying to protect it.
But it doesn’t have to be this way. Compliance by design shows that instead of treating regulatory alignment as a hurdle to clear at the end, we can bring it into the process from the beginning – and design technology with compliance in mind, not just in response.
Compliance professionals have been navigating one of the steepest learning curves in financial services.
Over the past decade, the regulatory landscape has expanded at a staggering rate. GDPR, MiFID II, Solvency II, PSD2, SCA, Brexit: each one has introduced new demands, new documentation, and new risks to manage. Since 2008, regulatory obligations have increased by over 500%, hitting financial services where it hurts most: cost and complexity.
Banks allocate billions of dollars to compliance activities. Despite this investment, many compliance processes remain manual, repetitive, and time-consuming. Review cycles, approvals, feedback loops, and documentation trails may be necessary, but they are also inefficient. The reality is that many compliance teams are overwhelmed by volume and still reliant on workflows that haven’t changed fast enough to meet demand.
Technology has the potential to change this, but there is a catch. Many compliance teams are aware of the opportunity, yet lack the time or support to build the technical capabilities required to act on it. Digital transformation sounds promising, but it also requires skills that go beyond basic digital literacy. We’re not talking about how to navigate a video call or use shared drives. We’re talking about understanding how to assess cloud architectures, data flows, and automated controls through a regulatory lens.
And that’s where the disconnect often starts. Compliance knows change is needed. IT knows there’s a better way forward. But aligning both sides requires more than good intentions; it calls for a new approach altogether.
This is where compliance by design can make all the difference. Rather than treating compliance as a checkpoint at the end of the development process, this model integrates regulatory thinking into technical design from the outset. As a result, systems are not only built to meet compliance requirements, but also use those requirements as a framework for building better, more resilient technology.
One of the biggest reasons new tech projects stumble internally is that someone feels left out of the decision-making process. And when that someone is your compliance team, the stakes are even higher.
Too often, IT teams involve compliance only as a final hurdle: the group you hand a finished product to, hoping it gets the stamp of approval. But that approach tends to backfire. Christopher Migliaccio, lawyer and founder of Warren and Migliaccio LLP, put it plainly: “Don’t treat compliance like a ‘final boss.’ Make them a design partner from day one.” He speaks from experience: involving his legal team early during a cloud-based document system rollout helped catch HIPAA-adjacent issues before launch. “IT appreciated it, because it saved them a rebuild later,” he adds.
That kind of foresight saves more than just time. It turns compliance into a strategic asset. Deepak Shukla, CEO of Pearl Lemon Group, shared a similar approach: “When launching new features or tech, we’d bring compliance into early discussions, explaining how data security measures met regulations. It transforms compliance from an obstacle to a collaborator in product innovation.”
His advice? Frame conversations around shared goals: functionality, privacy, and security. These are priorities both teams care deeply about; they just approach them from different angles.
But involving compliance isn’t just about box-ticking or damage control. It’s about understanding how the tools you want to implement will actually work across the organisation and whether they’ll solve the right problems. That means asking the people who’ll use the tools daily. Before you commit to a new system, take the time to speak with department leads. Will it ease their current pain points? Is it intuitive enough to fit into already-overloaded schedules?
Direct conversations are powerful, but you can also use lightweight methods like employee surveys. Tools like SurveyMonkey or Qualtrics can help gather broad feedback fast. Even setting up a small cross-functional committee can create clarity. The goal isn’t to reach consensus on every detail; it’s to create alignment early, so that both IT and compliance understand what “good” looks like for each function.
Miscommunication, or simply not fully understanding a technical or regulatory concept, can get in the way fast. It works both ways. Even if an IT team is familiar with the regulations in their domain, they may still not grasp every legal and formal nuance, just as compliance teams might struggle with tech terms that seem straightforward to developers.
That’s why building a shared vocabulary is worth the effort, particularly in the early stages of cooperation. It doesn’t need to be sophisticated; a simple glossary that both IT and legal teams can refer to when their work overlaps is enough. What matters is that both sides understand what’s meant when someone says, for example, “we’re moving from a monolith to a microservices approach.”
In that case, the glossary might describe microservices as independently deployable services with clearly defined boundaries, each owning its own data, and note that for a compliance reader this is close in form to data compartmentalisation. The point isn’t to remove detail; it’s to make sure everyone has a common frame of reference, so conversations don’t get lost in translation.
Over time, that shared language makes it easier to flag potential compliance issues early on, before plans are finalised. It also builds mutual trust in the compliance by design process.
Building on the scenario above, let’s say the IT team is planning to roll out a microservice architecture for a payments module. To support compliance from the start, they should provide clear, high-level context on three key areas:
That bit of framing in an initial conversation goes a long way. It gives compliance teams the foundation they need to map the functionality to the relevant regulatory standards (PCI DSS in this case) and evaluate the potential implications for data protection and risk exposure.
It also helps to understand the format in which compliance teams are likely to respond after running their initial analysis. Microsoft shares three pointers that regulatory affairs teams might use to keep the conversation focused and practical:
This shared structure makes it easier for both sides to work with the same mental model, align on goals early, and catch any red flags before they become costly to fix.
One of the clearest ways to build trust with compliance is to show – not just tell – how the right technology can make their work easier, not harder. For teams under pressure to meet rising regulatory demands with limited resources, reducing admin isn’t a nice-to-have; it’s necessary.
When implemented well, digital tools do more than automate low-level tasks. They give compliance professionals the space to focus on work that actually requires their expertise like interpreting new regulations, advising on product risks, and ensuring that innovation doesn’t come at the cost of control.
This shift isn’t about replacing jobs. It’s about shifting the role of compliance from box-ticking to business partnering. And IT is in a unique position to help lead that change.
The benefits aren’t hypothetical. AI-powered compliance tools have already begun proving their worth. HSBC, for example, introduced machine learning to enhance transaction monitoring. As a result, their teams identified two to four times more suspicious incidents, while cutting false positives by 60%. That didn’t just reduce the manual review workload, it improved fraud detection and made the customer experience smoother.
That kind of outcome resonates with compliance. It shows how the right technology can help them meet their obligations more efficiently and raise the standard of oversight.
The key is to connect the dots clearly. If you’re proposing a new tool, demonstrate how it maps to their existing workload, and how it could eliminate repetitive tasks that currently take up hours each week. Whether it’s automating audit trails, streamlining reporting, or introducing real-time data access, the focus should be on freeing people up for higher-value work.
Lastly, make sure your training isn’t one-sided, i.e., that it doesn’t turn into a two-hour lecture for compliance teams. Instead, run workshops that combine learning with doing. Break topics down into bite-sized chunks. We recommend starting with a short explanation of each area and, where possible, giving people a chance to try it out themselves. Hands-on practice is better for knowledge retention, because people remember what they’ve done, not just what they’ve been told.
Also, bear in mind that not everyone will be equally comfortable with technology, so pitch the training to the audience’s level of expertise. For instance, if you’re introducing a cloud communications platform, some employees will already know the ins and outs, while others will be unfamiliar with how it operates.
Pair the most tech-savvy regulatory affairs team members with colleagues who are less confident in the area, so they can offer support in real time.
There’s plenty of advice out there on how compliance teams should communicate regulatory requirements to IT, but far less on how tech teams should explain their own plans, architectural decisions, or innovations to legal and compliance stakeholders.
And yet, that piece is just as critical. When IT teams don’t clearly articulate the ‘why’ behind a new solution, or how it maps to regulatory frameworks, it becomes much harder to secure buy-in. Compliance teams may not understand the risks or benefits, and they may miss valuable opportunities to use technology to streamline their own work.
The goal is to make sure your compliance department has access to tech experts who understand the broader business and legal context. And, perhaps more importantly, know how to translate the technical perspective into something tangible for non-engineers.
At Holisticon, we’ve seen firsthand how productive it can be when IT and regulatory teams speak the same language. As a technological partner, we help organisations design systems that meet technical and compliance goals, and secure alignment from the start.