The compliance test most firms are failing to run


As regulatory expectations evolve, compliance assessment is moving beyond documentation alone. Increasingly, organisations are expected to demonstrate not just that controls exist, but that they are effective, defensible and delivering the intended outcomes. The Global State of RegTech 2026 report, authored by RegTech Analyst and Parker & Lawrence Research, discusses the importance of moving beyond documented compliance.

As part of the research for the report, Parker & Lawrence Research interviewed market leaders in the space to discuss the importance of rethinking compliance assessments.

On this occasion, the firm spoke with Mike Falvey, co-founder and partner of Argus Pro, which provides a compliance assessment platform focused on maturity, effectiveness and evidence across regulatory frameworks.

This interview was part of the wider Global State of RegTech report conducted by RegTech Analyst and Parker & Lawrence Research.

Accountability regimes have fundamentally changed what it means to sign off a compliance framework. Under the UK’s Senior Managers and Certification Regime (SM&CR) and its equivalents in other markets, personal liability for compliance failures is now explicit.

It is no longer sufficient to confirm that policies are documented and controls have been designed. Senior managers must now be able to demonstrate that those controls are actually working, and that distinction is proving far more difficult to establish than many firms anticipated.

Traditional maturity assessments have long been the industry’s default tool for benchmarking compliance postures. They can confirm that a control exists, that a process has been defined, that a policy sits somewhere in a document repository. What they are structurally ill-equipped to show is whether any of that translates into operational reality. For senior managers with prescribed responsibilities under accountability regimes, that gap carries genuine personal risk. If a control fails and a regulator comes looking, the scrutiny will not centre on whether the framework was documented. It will focus on whether reasonable steps were taken to verify that the framework was working.

This challenge arrives at a moment of considerable pressure for compliance functions. The pace of regulatory change is accelerating, supervisory models are shifting from periodic review towards continuous oversight, and the teams responsible for managing these obligations are largely being asked to absorb the additional workload with flat or declining resources.

Argus Pro co-founder Victor Chauhan said, “With traditional assessments, you can get a maturity score and understand control coverage. But that misses whether they’re actually working.”

The problem with the current model

A high maturity score does not equate to a functioning control framework. For firms operating under close supervisory attention across obligations such as the Digital Operational Resilience Act (DORA), anti-financial crime requirements, data governance, cyber resilience and AI governance, the gap between what is documented and what is operational is becoming increasingly difficult to ignore.

The workshop model compounds this problem. Facilitated sessions are efficient, but they tend to surface what participants believe senior managers want to hear. Operational-level issues such as inconsistent application of controls, informal workarounds and data completeness gaps rarely emerge cleanly from a structured room. The result is an assessment that captures how the framework is understood by those in attendance, not how it functions day-to-day across the organisation. Internal audit and external advisory engagements can help close that gap, but the traditional model is resource-intensive, periodic in nature, and often too broad and slow-moving for firms managing complex, multi-jurisdictional regulatory perimeters.

Culture and data quality sit at the root of much of this. Compliance failures frequently occur not because controls were absent, but because incentives, normalised workarounds and behavioural patterns gradually undermined them. Data failures create a parallel problem: if a firm cannot trace where data originates, how it is transformed, where it travels, and whether it arrived complete, it cannot credibly demonstrate that its controls are operating as intended.

Introducing Aegis Compass

Aegis Compass is Argus Pro’s structured compliance assessment platform, built to address precisely this set of problems. The platform converts regulatory requirements into multi-respondent assessments with weighted scoring, visual dashboards and targeted remediation outputs. It is designed not merely to confirm whether controls exist, but to surface whether they are working.

The platform’s assessment frameworks are built directly from legislative, regulatory and guidance instruments rather than from generic control checklists. Current coverage spans cyber security and digital operational resilience drawing on DORA and requirements across 30 jurisdictions; anti-financial crime anchored to the FATF 40 Recommendations with national legislation and guidance layered on top; and AI governance built around the EU AI Act and ISO 42001 with jurisdiction-specific requirements incorporated where relevant.

Each question maps back to its source requirement, enabling firms to trace assessment activity to the underlying regulation. For firms operating across multiple jurisdictions, the platform identifies the delta between global standards and local requirements. Argus Pro describes this as a FATF-plus approach, allowing organisations to manage a scalable core framework while capturing local regulatory nuance where it matters.

Critically, Aegis Compass scores both maturity and effectiveness. Maturity indicates whether policies, procedures and controls exist and have been formalised. Effectiveness assesses whether those planned activities are actually producing the intended results, a distinction rooted in ISO 9000:2026 and calibrated to the higher evidential bar that regulated firms now face. Where effectiveness scores fall short, the platform flags that the organisation needs to investigate why the framework is not delivering as designed.

Triangulation and targeted remediation

Rather than relying on a single respondent or a facilitated workshop, Aegis Compass collects responses from multiple stakeholders across functions, locations and seniority levels, then compares them to surface discrepancies. If internal audit, business continuity and frontline compliance teams answer the same question differently, that variance becomes visible and actionable. Anonymity protections are built in: where respondent categories are small, individual answers are suppressed, helping surface honest responses without exposing individuals unnecessarily.

On remediation, the platform distinguishes between types of control weakness. A gap may require training, a policy change, a process redesign, stronger data lineage, clearer ownership or a technology fix. Rather than simply identifying where remediation is needed, the reporting pinpoints what kind of intervention is most likely to address the root cause. That precision matters when remediation costs are high and regulatory scrutiny is intense.

The platform also incorporates hybrid AI capability with human oversight at its centre. Argus Pro maintains a structured registry of regulatory instruments mapped to clause level. When a rule changes, the platform identifies which specific obligations have shifted, links them to the clauses already assessed, and pinpoints which elements of a firm’s prior assessment are now affected. Reassessment therefore becomes targeted rather than wholesale. Natural language processing supports ingestion of regulatory changes, generative AI compares updates to internal policies and identifies gaps, and machine learning is being applied to detect patterns across structured and unstructured data to support identification of emerging risk typologies.

Argus Pro co-founder Michael Falvey said, “It’s using the AI for the productivity, not for the decision maker.”

Why this matters

The maturity and effectiveness distinction is the product’s most significant contribution. Maturity scoring has been the dominant model in compliance assessment for years and it retains real value, but it answers a different question from the one regulators and senior managers are increasingly required to answer. Argus Pro’s positioning in the space between regulatory intelligence and operational testing is well-judged and credible. Many adjacent tools map and track obligations; fewer help firms demonstrate that those obligations are being met in practice. That is where Aegis Compass sits, and it is a clear and defensible market niche.

The multi-jurisdiction capability adds further practical relevance. The FATF-plus approach, anchoring to global standards and identifying the delta against local requirements, is directly useful for firms expanding into new markets or managing controls across complex regulatory perimeters.

The compliance market is moving from documented to evidenced, and under modern accountability regimes, that shift is personal. The question is no longer whether a framework exists. It is whether it works and whether you can show it. Documented is no longer defensible, and that is the gap Argus Pro has built Aegis Compass to close.

Read the original post from Parker & Lawrence Research here. 


Copyright © 2026 FinTech Global
