Governance, Risk, and Compliance: 2024 Regulatory Review

Alessandro Micagni's profile image
Alessandro Micagni
On January 13th, 2025

The 2024 Regulatory Review highlights key changes in Governance, Risk, and Compliance (GRC). These updates redefine accountability, risk management, and compliance, fostering resilience and innovation in the financial sector's evolving regulatory landscape.

Governance, Risk, and Compliance: 2024 Regulatory Review


Governance, Risk, and Compliance (GRC): A Pillar for Financial Sector Resilience


The financial sector operates in an era of unparalleled complexity, where technological disruption, geopolitical shifts, and escalating regulatory demands converge. In response, the European Union has redefined Governance, Risk, and Compliance (GRC) in 2024, introducing transformative regulations that establish a more robust, accountable, and sustainable financial ecosystem.


GRC is no longer a reactive set of practices; it is a strategic framework that weaves governance, risk management, and compliance into the fabric of an organization’s operations. These components act as interdependent pillars to safeguard institutions, enhance transparency, and ensure adherence to evolving regulatory standards. The following breakdown of GRC components illustrates their critical role in the financial field:



Governance: The Foundation of Accountability


Governance in the financial sector provides the framework for decision-making and oversight, ensuring organizations align with their strategic goals while meeting regulatory obligations. It establishes the policies, structures, and accountability mechanisms necessary for ethical and effective operations.


In 2024, governance in the financial sector expands to address:


  • ICT Resilience and Oversight: Regulations like DORA mandate board-level responsibility for information and communication technology risks, embedding digital resilience into governance frameworks.
  • Sustainability Leadership: Directives such as CSRD and CSDDD require corporations to integrate ESG considerations into strategic decisions, linking governance with sustainability.
  • Transparency and Accountability: Enhanced disclosures under MiFID II, MiCA, and AMLR ensure governance processes are clear and aligned with public and stakeholder expectations.

Governance is the backbone of trust, ensuring that organizations act responsibly, both internally and in their external relationships.



Risk Management: Proactive Safeguarding of Stability


The financial sector is inherently exposed to multifaceted risks, including technological vulnerabilities, market volatility, regulatory changes, and environmental threats. In 2024, risk management evolves to not just mitigate but anticipate and adapt to these risks.


Key enhancements to risk management include:


  • Dynamic ICT Risk Mitigation: Under DORA, financial institutions must implement advanced ICT risk frameworks, encompassing automated vulnerability detection, incident reporting, and third-party risk management.
  • Crypto-Asset Market Risks: MiCA addresses the volatility and systemic risks posed by crypto-assets through mandatory licensing, market surveillance, and transparency.
  • AML and Fraud Prevention: AMLR and AMLD6 elevate anti-money laundering frameworks, requiring dynamic risk assessments, real-time transaction monitoring, and cross-border cooperation.
  • Climate and ESG Risks: The integration of ESG factors into risk frameworks under CSRD and AIFMD acknowledges the financial implications of climate change, biodiversity loss, and social inequities.



Compliance: Aligning Operations with Regulatory Mandates


Compliance is the cornerstone of adherence to laws, regulations, and ethical standards. In the financial sector, regulatory compliance safeguards against financial misconduct, enhances market integrity, and protects consumer trust.


The 2024 regulatory landscape necessitates:


  • Unified Frameworks: PSD3, PSR, and FIDA harmonize data sharing, payment services, and digital innovation across Member States, reducing regulatory fragmentation.
  • Heightened Consumer Protections: Updated compliance measures under MiFID II and AMLR prioritize transparency, investor rights, and the prevention of financial crime.
  • Sustainability Reporting: CSRD’s comprehensive ESG disclosure requirements ensure compliance extends to sustainability metrics, reinforcing accountability.

Compliance is no longer confined to checking boxes—it is an ongoing process of aligning operations with regulatory expectations while fostering ethical practices and corporate integrity.


GRC: The Interconnected Ecosystem Driving Resilience and Trust
GRC: The Interconnected Ecosystem Driving Resilience and Trust

GRC: The Interconnected Ecosystem Driving Resilience and Trust


In the financial field, GRC components are not siloed disciplines but interconnected processes that work in unison to drive resilience. Governance establishes the structure and vision; risk management ensures preparedness and adaptability; compliance enforces accountability and regulatory alignment. Together, they form a dynamic ecosystem capable of navigating the complexities of modern finance.


The EU’s 2024 regulatory overhaul demands that financial institutions embrace GRC as a strategic imperative, integrating these components into every facet of their operations. By doing so, organizations not only mitigate risks and ensure compliance but also position themselves as leaders in transparency, innovation, and sustainability, fostering long-term trust and stability in the financial ecosystem.


Below, we explore the 12 major regulatory changes shaping this evolution and their profound implications for GRC frameworks.



1. Digital Operational Resilience Act (DORA): Prioritizing Financial Stability Through ICT Resilience


The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) transitions ICT governance in the financial sector from a reactive stance to a proactive framework. By addressing systemic vulnerabilities and harmonizing standards across Member States, DORA fortifies the sector against cyberattacks, operational disruptions, and third-party risks.


Key Provisions and Applications


  1. Proactive ICT Risk Management:
    • Financial institutions must regularly audit ICT systems, identifying vulnerabilities not only in their infrastructure but also across third-party dependencies like cloud providers.
    • Real-World Impact: A bank reliant on SaaS solutions for core banking operations must ensure these providers adhere to strict redundancy and resilience protocols.
  2. Incident Reporting and Accountability:
    • Major incidents, such as service outages, require reporting to National Competent Authorities (NCAs) within 72 hours.
    • Critical Analysis: While this framework ensures transparency, many institutions face operational bottlenecks in preparing detailed reports within tight timelines.
  3. Third-Party Governance:
  • Institutions must create comprehensive registries of critical ICT providers and perform regular audits.
  • Potential Pitfalls: Smaller firms may struggle with the costs of implementing due diligence processes, leading to over-reliance on unchecked vendors.

Strategic Recommendations


  • Prioritize automation in ICT audits and anomaly detection to enhance real-time monitoring capabilities.
  • Renegotiate contracts with third-party vendors to include explicit resilience standards, ensuring shared accountability.


2. Markets in Crypto-Assets Regulation (MiCA): Building Trust in Digital Finance


The Markets in Crypto-Assets Regulation (MiCA) (Regulation (EU) 2023/1114) establishes a comprehensive governance framework for crypto-assets, addressing fragmented regulations and ensuring investor protection.


Key Provisions and Applications


  1. Issuer Transparency and Governance:
    • Issuers must submit white papers detailing project risks, governance structures, and reserve asset disclosures for asset-referenced tokens (ARTs).
    • Example: A stablecoin provider must publish details on collateralized assets to ensure stability, particularly during high-redemption periods.
  2. Market Integrity Controls:
    • Strict bans on insider trading and manipulative practices foster fairness.
    • Insight: While these controls are commendable, the lack of clear enforcement mechanisms for decentralized finance (DeFi) projects remains a significant gap.
  3. Environmental Accountability:
  • Energy use disclosures for crypto projects promote sustainability.
  • Critical Insight: This measure may deter high-energy blockchain projects but lacks incentives for transitioning to energy-efficient models.

Strategic Recommendations


  • Invest in blockchain analytics to enhance transaction traceability and align with MiCA’s reporting requirements.
  • Advocate for regulatory frameworks addressing DeFi, ensuring consistent oversight of decentralized platforms.


3. Anti-Money Laundering Regulation (AMLR): Strengthening Financial Integrity


The Anti-Money Laundering Regulation (AMLR) (Regulation (EU) 2024/1624) introduces centralized oversight through the Anti-Money Laundering Authority (AMLA) and harmonizes practices across Member States.


Key Provisions and Applications


  1. Centralized Oversight by AMLA:
    • AMLA directly supervises high-risk entities, coordinating with national regulators to reduce discrepancies.
    • Example: A multinational fintech operating in multiple EU Member States can streamline compliance reporting through a unified supervisory framework.
  2. Beneficial Ownership Transparency:
    • Centralized registries ensure clear visibility into corporate ownership structures.
    • Critical Insight: While beneficial for transparency, challenges persist in verifying data accuracy, especially for cross-border entities.
  3. Crypto-Asset Compliance:
  • Mandatory Know-Your-Customer (KYC) protocols and transaction monitoring enhance crypto-asset traceability.
  • Potential Gap: The prohibition of anonymous wallets may push illicit activities to less-regulated jurisdictions outside the EU.

  • Strategic Recommendations

  • Develop advanced analytics tools to detect suspicious transaction patterns in real-time.
  • Partner with blockchain verification platforms to simplify beneficial ownership disclosures.


4. Corporate Sustainability Reporting Directive (CSRD): Setting New Benchmarks in ESG Accountability


Overview


The Corporate Sustainability Reporting Directive (CSRD) (Directive (EU) 2024/1640) introduces comprehensive requirements for ESG (Environmental, Social, Governance) disclosures, expanding the scope of entities affected and demanding independent verification of sustainability data. This directive fundamentally shifts ESG reporting from a compliance-driven task to a strategic pillar of corporate governance.


What CSRD Brings


  1. Double Materiality: Companies must evaluate and disclose both the financial risks posed by sustainability issues and their societal and environmental impacts.
    • Example: A food company discloses how climate-induced supply chain disruptions affect costs and how its operations impact biodiversity.
    • Insight: While double materiality ensures comprehensive accountability, smaller firms may struggle to implement such robust reporting without sufficient guidance or resources.
  2. Third-Party Assurance: Independent verification enhances credibility but increases operational costs for entities unfamiliar with auditing sustainability metrics.
    • Example: A tech firm must validate its carbon neutrality claims through accredited bodies.
  3. Broader Applicability: Covering 50,000+ entities, including non-EU companies with significant EU operations, the scope reflects the EU's intent to set a global ESG benchmark.
  • Critical Perspective: While this ambitious inclusion strengthens global ESG alignment, enforcement consistency across Member States remains a challenge.

Implications and Recommendations


  • Governance: Boards must integrate ESG goals into broader corporate strategies and ensure their credibility under third-party scrutiny.
  • Actionable Steps: Develop frameworks for real-time ESG data collection to streamline reporting. Invest in digital tagging tools for the European Single Electronic Format (ESEF).


5. Payment Services Directive III (PSD3) and Payment Services Regulation (PSR): Modernizing Payments with Innovation and Security


Overview


PSD3 and PSR address evolving payment models, emphasizing security, transparency, and consumer-centric innovations while setting the stage for the integration of cryptocurrencies and Central Bank Digital Currencies (CBDCs).


Highlights and Challenges


  1. Enhanced Security via Strong Customer Authentication (SCA): Strengthened multi-factor authentication requirements mitigate fraud but may create friction for low-risk transactions.
    • Example: Subscription services using automated payment exemptions must ensure compliance without disrupting user experience.
  2. Real-Time Fee Transparency: PSPs and ATMs must display all charges upfront.
    • Critical Analysis: This builds trust but requires significant technological updates across service providers.
  3. Digital Payments Integration: Provisions for crypto and CBDCs highlight a forward-looking regulatory stance but lack detailed implementation pathways, leaving room for ambiguity.
  • Example: Retailers accepting digital currencies must align payment gateways with stringent security measures.

Implications and Recommendations


  • Risk Management: Deploy AI-driven anomaly detection systems to ensure compliance with real-time fraud monitoring mandates.
  • Strategic Focus: Collaborate with consortia to standardize APIs, ensuring seamless data exchange across providers.


6. Financial Data Access Regulation (FIDA): Empowering Consumers in Open Finance


The Financial Data Access Regulation (FIDA) expands open banking principles into insurance, pensions, and investments, giving consumers unprecedented control over their financial data while addressing cybersecurity.


Key Innovations


  1. Permission Dashboards: Consumers manage data-sharing permissions in real-time, enhancing transparency and autonomy.
    • Example: A consumer grants temporary access to their investment data for AI-driven financial planning tools.
    • Critical Note: While empowering, the lack of user education about these dashboards could limit adoption.
  2. Standardized APIs Across Sectors: Interoperability drives innovation but raises integration costs for smaller firms.
    • Example: Insurers accessing banking data to refine risk models must ensure compliance with both PSD3 and GDPR.
  3. Cybersecurity Mandates: End-to-end encryption and real-time anomaly detection are prerequisites, aligning FIDA with DORA’s resilience principles.

Implications and Recommendations


  • Governance: Boards must prioritize data stewardship, integrating robust oversight mechanisms into corporate strategies.
  • Next Steps: Train stakeholders on managing permission dashboards and deploy anomaly detection systems to mitigate potential breaches effectively.


7. ESG Rating Regulation (EU) 2024/3005: Ensuring Trust in ESG Assessments


The ESG Rating Regulation (EU) 2024/3005 establishes standardized, transparent, and accountable practices for ESG rating providers. By addressing inconsistencies, conflicts of interest, and greenwashing, it aims to restore trust and align ratings with the EU’s sustainability objectives.


Features and Applications


  1. Transparent Methodologies
    • Requirements: Providers must disclose data sources, scoring criteria, and weighting mechanisms.
    • Example: An ESG rating for a tech firm based on renewable energy usage must clearly show how this factor impacts the final score.
    • Critical Insight: While transparency enhances reliability, the absence of global harmonization could limit the utility of these ratings for multinational investors.
  2. Conflict-Free Governance
    • Requirements: Providers must separate consulting services from rating activities and allow rated entities to review factual inaccuracies without influencing outcomes.
    • Example: A rating agency advising a renewable energy firm cannot simultaneously rate its ESG performance.
    • Regulatory Impact: This reduces conflicts of interest but increases operational costs for smaller providers.
  3. Supervision by ESMA
  • Role: ESMA monitors compliance, audits methodologies, and penalizes violations such as biased ratings or undisclosed data sources.
  • Example: A provider using unverifiable climate data may face fines or operational suspension.
  • Analysis: ESMA’s centralized oversight ensures consistency but may slow approval processes for innovative methodologies.

Strategic Implications


  • Governance: Boards must align sustainability strategies with rating criteria and ensure accuracy in disclosures.
  • Risk Management: Companies must mitigate reputational risks linked to greenwashing by integrating ESG governance frameworks.
  • Compliance: Alignment with CSRD and SFDR requirements is critical to harmonize ESG data across reporting frameworks.


8. MiFID II and MiFIR Updates: Redefining Transparency and Innovation


The updates to MiFID II (Directive 2024/790) and MiFIR (Regulation 2024/791) enhance transparency, protect investors, and modernize market practices through the integration of digital technologies.


Core Reforms


  1. Consolidated Tape (CT)
    • Function: Aggregates real-time trading data across EU markets.
    • Example: A hedge fund can analyze liquidity trends using CT data to optimize trading strategies.
    • Regulatory Insight: The CT improves transparency but poses implementation challenges due to harmonization and data accuracy concerns.
  2. Ban on Payment for Order Flow (PFOF)
    • Objective: Eliminate broker conflicts of interest by prohibiting financial incentives for order routing.
    • Example: Retail brokers must prioritize execution quality over profitability.
    • Critical Analysis: While this aligns with investor protection, smaller brokers may struggle to compete without these revenue streams.
  3. Blockchain and Tokenization
  • Application: Enables real-time trade settlements and supports pilot programs for tokenized securities.
  • Example: A financial institution issuing tokenized bonds benefits from reduced settlement times.
  • Evaluation: While innovative, tokenization requires robust cybersecurity and regulatory clarity to scale effectively.

Strategic Recommendations


  • Governance: Boards must enforce compliance with CT requirements and the PFOF ban, ensuring client-centric execution policies.
  • Risk Management: Implement advanced cybersecurity tools to secure blockchain-enabled processes.
  • Compliance: Leverage regulatory sandboxes to test digital innovations while aligning with MiFID II and MiFIR standards.


9. Sixth Anti-Money Laundering Directive (AMLD6): Reinforcing Financial Integrity


The Sixth Anti-Money Laundering Directive (AMLD6) expands the EU’s anti-money laundering framework, targeting modern financial crimes such as cybercrime, environmental offenses, and tax evasion.


Key Enhancements


  1. Expanded Predicate Offenses
    • Scope: Includes cybercrime, environmental crimes, and aggressive tax evasion schemes.
    • Example: A carbon credit fraud scheme would fall under AMLD6’s environmental crime provisions.
    • Critical Insight: This broad scope reflects modern risks but requires extensive training and resources for compliance.
  2. Corporate Accountability
    • Mandates: Companies must conduct AML risk assessments, disclose beneficial ownership, and report suspicious activities.
    • Example: A corporation with opaque ownership structures must centralize and disclose beneficiary data to prevent anonymity in laundering.
    • Regulatory Impact: While this fosters transparency, it could impose administrative burdens on multinational corporations.
  3. Cross-Border Collaboration
  • Mechanisms: Real-time FIU data sharing and coordinated investigations streamline enforcement.
  • Example: A laundering network operating across Member States can be dismantled more effectively through shared intelligence.
  • Analysis: These measures reduce enforcement delays but require Member States to invest in interoperable systems.

Practical Guidance


  • Governance: Appoint AML officers to oversee compliance with expanded requirements and facilitate cross-border collaboration.
  • Risk Management: Deploy AI tools for real-time transaction monitoring, focusing on high-risk areas like cryptocurrencies.
  • Compliance: Align AML processes with GDPR and FATF standards to ensure global consistency and regulatory adherence.


10. Alternative Investment Fund Managers Directive (AIFMD) Review: Modernizing Alternative Investments


Key Updates


  1. Delegation Oversight
    • Requirements: AIFs delegating key functions to non-EU entities must maintain substantial EU operations and seek NCA approval.
    • Impact: Prevents "letterbox entities," ensuring compliance with EU standards.
    • Example: A Luxembourg-based fund delegating risk management to the U.S. must retain decision-making capabilities locally.
    • Critical Insight: While reinforcing oversight, the added administrative burden could deter non-EU partnerships.
  2. Liquidity Management Tools (LMTs)
    • Mandates: Funds must adopt LMTs like redemption gates and perform periodic stress tests to handle market volatility.
    • Example: A private equity fund activating gates during market stress ensures liquidity stability.
    • Evaluation: Enhances resilience but may limit investor flexibility in stressed markets.
  3. ESG Integration
  • Requirements: ESG funds must disclose sustainability impacts and align with SFDR and the EU Taxonomy.
  • Example: A green energy fund must report financial risks from climate change and its emissions reduction contributions.
  • Analysis: Tackles greenwashing but demands sophisticated ESG expertise and reliable data.

Strategic Advice


  • Strengthen governance to meet delegation, LMT, and ESG mandates.
  • Enhance liquidity tools and ESG data systems for compliance and investor confidence.
  • Avoid regulatory circumvention by ensuring substantial EU operations.


11. Corporate Sustainability Due Diligence Directive (CSDDD): Enforcing Value Chain Accountability


Key Features


  1. Comprehensive Due Diligence
    • Mandates: Companies must identify, prevent, and mitigate human rights and environmental risks across value chains.
    • Example: A clothing manufacturer addressing labor violations in supplier factories.
    • Critical Insight: Aligns with global principles but increases compliance costs for complex supply chains.
  2. Stakeholder Engagement
    • Requirements: Companies must consult affected parties and publish actions taken.
    • Example: Energy firms engaging indigenous communities for land-use projects.
    • Analysis: Fosters transparency but demands robust stakeholder management.
  3. Climate Accountability
  • Provisions: Companies must set emissions reduction targets and embed climate goals into governance.
  • Example: A logistics firm electrifying its fleet for net-zero compliance.
  • Evaluation: Enhances accountability but raises execution challenges for emissions-intensive sectors.

Strategic Advice


  • Map and monitor supply chains to identify risks.
  • Build stakeholder engagement frameworks to reduce reputational risks.
  • Invest in technology for emissions tracking and compliance monitoring.


12. Payment Services Regulation (PSR) Updates: Innovating Financial Transactions


Core Innovations


  1. Transparent Fees
    • Mandates: Real-time fee disclosures for all payment services.
    • Example: ATM users seeing conversion fees upfront.
    • Critical Insight: Promotes trust but may challenge PSPs with inconsistent cross-border pricing models.
  2. Fraud Prevention
    • Requirements: AI-driven anomaly detection and two-tier fraud reporting to NCAs.
    • Example: Blocking dual-country card payments in real-time.
    • Analysis: Strengthens fraud defenses but requires significant tech investments.
  3. Digital Payments Integration
  • Provisions: Crypto and CBDC payments must meet traditional transparency and security standards.
  • Example: Retailers accepting Bitcoin displaying fees and equivalent euro values.
  • Evaluation: Drives innovation while aligning with MiCA for digital asset governance.

Strategic Advice


  • Upgrade transparency tools to meet real-time fee disclosure requirements.
  • Deploy advanced fraud detection systems for anomaly tracking.
  • Prepare for digital payment integration with robust compliance frameworks.

GRC Transformation for 2024 and Beyond
GRC Transformation for 2024 and Beyond

GRC Transformation for 2024 and Beyond


The EU’s 2024 regulatory updates mark a pivotal evolution in the Governance, Risk, and Compliance (GRC) landscape. These changes compel financial institutions to adopt a more integrated, forward-thinking approach to managing risks and ensuring accountability across their operations. By aligning with the new frameworks, organizations not only address compliance requirements but also position themselves as leaders in resilience, transparency, and innovation.



GRC: From Compliance to Strategic Advantage


1. Accountability as a Core Pillar


The 2024 updates embed accountability at every organizational level. Senior executives must now demonstrate active oversight, whether managing ESG disclosures under the Corporate Sustainability Reporting Directive (CSRD) or ensuring digital resilience through the Digital Operational Resilience Act (DORA).


  • Example: A multinational bank’s board of directors is required to oversee compliance with ESG standards, tying executive compensation to the achievement of measurable sustainability targets.

2. Building Resilience Amid Complexity


From liquidity stress testing in the AIFMD review to advanced fraud detection in the Payment Services Regulation (PSR), the updates emphasize resilience as a cornerstone of financial stability.


  • Example: A fintech company incorporating anomaly detection tools for real-time payment fraud monitoring not only meets PSR standards but also builds consumer trust by mitigating risks effectively.

3. Innovation as a Compliance Imperative


Regulations like the Markets in Crypto-Assets Regulation (MiCA) and the Payment Services Regulation (PSR) highlight the need for financial institutions to embrace emerging technologies such as blockchain and digital assets.


  • Example: A regional payment processor piloting cryptocurrency integration under MiCA’s guidelines attracts forward-thinking clients while ensuring regulatory compliance.


Key Insights from the 2024 Regulatory Updates


  1. Global Alignment: These frameworks align EU regulations with international standards, such as those from the Financial Action Task Force (FATF) and OECD, fostering global trust in EU financial markets.
  2. Consumer Empowerment: Mandates like FIDA’s data permission dashboards and PSR’s transparency in fees place consumer rights at the forefront of financial innovation.
  3. Cross-Border Collaboration: Enhanced data-sharing mechanisms under AMLD6 and MiFID II strengthen the EU’s collective ability to combat financial crime and market manipulation.


Opportunities Beyond Compliance


While compliance remains the baseline, organizations that proactively align with the 2024 updates can unlock competitive advantages. Improved transparency under CSRD enhances investor confidence, while adherence to MiFID II and MiFIR creates more robust market operations. Financial institutions that prioritize innovation—such as integrating digital assets under PSR—stand to differentiate themselves in an increasingly competitive landscape.



A Forward-Looking GRC Framework


The 2024 regulatory updates are more than a set of compliance requirements; they are a roadmap to transforming GRC into a driver of sustainable growth and trust. Financial institutions that embrace this proactive mindset can mitigate risks, build stakeholder confidence, and lead the way in innovation-driven governance.

Reduce your
compliance risks

Sign Up Free Request Demo