Flexible by Design: Modernizing Compliance for What’s Next

Last month, I sat down with Brian Stormo of Jenius Bank for a wide-ranging conversation about compliance strategy in a moment of regulatory flux. The session unfolded against a backdrop of policy reversals, stalled rulemaking, and growing state-level activism. It quickly became clear that in today’s environment, the real compliance advantage lies not in having all the answers, but in building systems that are designed to flex.

You can catch the full conversation here:

CBA Webinar 2025

A Shifting Landscape

We began by outlining just how much has changed in recent months:

  • The Consumer Financial Protection Bureau (CFPB) asked a federal court to vacate its Section 1033 rule.
  • Chase and PNC have indicated a willingness to charge for data access.
  • Community Reinvestment Act (CRA) modernization is under threat, with a proposal to roll back to 1995 standards.
  • The Fed suggested buy-now-pay-later (BNPL) resembles payday lending.
  • CFPB’s Section 1071 implementation remains mired in legal uncertainty.

This level of volatility raises a fundamental question: What does it take to stay compliant when the rules themselves are in flux?

Designing for Adaptability

Brian shared his experience leading compliance at Jenius Bank. One of his clearest takeaways was that you can’t assume permanence. “We have to build something that bends,” he said, highlighting the importance of frameworks that can be re-evaluated as the environment changes.

Rather than chase every proposed rule, forward-thinking teams are:

  • Designing modular compliance systems
  • Ensuring data accessibility across teams
  • Building composable architecture that can evolve

This represents a cultural shift where compliance must be integrated from the start in vendor onboarding, product development, and risk modelling.

The Rise of State-Level Scrutiny

With federal enforcement scaling back in some areas, states are stepping up. We talked about the operational tension this creates: Do you comply with the most restrictive rule nationwide, or localize by state and product?

Brian noted that in practice, it’s rarely black and white. Some requirements (like California’s data subject rights) make sense to apply universally. Others (like Nevada’s spousal credit rules) may need to remain localized. What matters is building systems that let you make those decisions rationally and re-evaluate them over time.

AI and Vendor Governance: Two Expanding Frontiers

We explored two areas where compliance is being stretched: AI and third-party oversight. Regulators now expect institutions to own compliance across their vendor and fintech ecosystems, right down to the fourth and fifth party.

On AI, we agreed that the gap between adoption and regulation is growing. For Brian, the priority is compliance literacy among risk and compliance teams.

Voluntary Standards and Self-Regulation

The conversation turned to the growing patchwork of voluntary frameworks, especially in areas like open banking and consumer data rights. We agreed that public-private partnerships—like those that emerged around Nacha or FDX—can strike a productive balance between industry innovation and regulatory guardrails.

But that balance depends on collaboration across stakeholders: regulators, large banks, mid-sized lenders, fintechs, and data aggregators. A consortium model could help ensure timelines and expectations don’t disproportionately burden smaller players.

Planning for 2026: Invest in Agility

As budget season approaches, we talked about where compliance leaders should focus. Rather than optimizing for specific rules that may or may not materialize, Brian emphasized broader readiness:

  • Data agility
  • Vendor flexibility
  • Compliance upskilling

He added a final point on AI: while it’s tempting to chase every efficiency use case, the real investment is in making sure compliance teams are prepared to oversee AI with the same rigor they bring to traditional controls.

Flexibility is the Strategy

Brian summed up his case for a nimble compliance management system (CMS) with, “We can’t build something that is going to assume that the next regulation is going to stand the test of time.”

I think that reinforced what many in the industry already suspect: the era of linear regulation is over. Compliance is now about building adaptive systems that can evolve as the rules do.

Whether it’s AI, privacy, third-party risk, or emerging state laws, the institutions that lead will be those that build for change.

Build nimble. Think modular. Embed early. That’s how compliance becomes a competitive advantage.

Karla Booe

Chief Compliance Officer, Zeta

About Author

Karla Booe is Zeta's Chief Compliance Officer and an expert in regulatory compliance. She occasionally contributes articles to our company's blog page, offering readers a glimpse into her wealth of knowledge. Be sure to check out Karla's latest articles and stay ahead of the ever-changing regulatory landscape.