Chief financial officers are under pressure to meet rising compliance standards on a growing range of issues – many of which fall outside their usual jurisdiction. Now, signs of strain are beginning to show.
On top of the more traditional compliance that occupy their time, such as market and economic risks, fraud prevention and tax compliance, finance leaders are having to deal with a fresh wave of non-financial regulations, including those around cybersecurity and ESG reporting.
For Imran Ahmadzada, CFO of investment firm NEQSOL Holdings, geopolitical instability and the accelerated pace of innovation is causing the regulatory landscape to shift quickly, making staying compliant more expensive and resource-intensive. “The key challenge is resource and talent allocation, to keep up with new and evolving demands of the global regulatory environment,” he says.
Cost pressure is also one of the main barriers to implementing effective compliance measures. “Complying with privacy laws has made it necessary to increase investment in data security and privacy protection initiatives, which can often cause strains on budgets,” Ahmadzada explains.
This is taking time and attention away from long-term financial strategies, leading to potential delays in investment decisions or growth opportunities.
The pace with which regulation is moving means just 5% of mid-market CFOs believe their firms are fully prepared for future regulatory changes, according to the latest Intelligence 2024 Certainty Report by data platform PYMNTS. Nearly a quarter of them report that regulatory pressures are intensifying uncertainty for their businesses, with smaller firms feeling the greatest impact.
This uncertainty highlights the need for improvements to CFOs’ current compliance strategies, argues Simon Moore, who heads the CFO practice at recruitment firm BIE Executive. “As regulations become more global and multifaceted, many CFOs are struggling to keep up with the demands of proactive compliance management. And, if finance leaders are behind then the company certainly will be.”
Data security and privacy is a growing concern
Data privacy and security is causing finance teams particular anxiety. General Data Protection Regulation (GDPR), while not new, imposes strict requirements on how companies handle and protect personal data, requiring meticulous documentation and monitoring. It is “a constant headache,” says Moore. “Cross-border data transfer regulations, such as the EU to U.S. Data Privacy Framework, complicates global operations by imposing different standards for data protection across regions, making compliance especially challenging for multinational organisations.”
The cost of non-compliance is getting steeper. In 2023, Meta was slapped with a €1.2bn (£1bn) fine by Ireland’s regulator for GDPR shortcomings and, earlier this year, Uber was fined €290m (£242m) by the Dutch Data Protection Authority for non-compliance with data privacy laws. For CFOs, such headline-grabbing fines emphasise the potentially major repercussions, both financial and reputational, of any slip in oversight.
New cybersecurity disclosures, alongside the growing threat of cyber warfare, is giving finance chiefs further cause to prioritise data security. One example is the Network and Information Security Directive 2 (NIS2), which imposes a maximum fine level of at least £10m. Another is the EU AI Act, which has now taken force and can lead to hefty fines of up to £29m for breaches.
Once the sole remit of CISOs and CIOs, data privacy and security now demands more of the CFO’s attention. It is top of the list of concerns for finance executives in consultancy firm Protiviti’s annual Global Finance Trends Survey, having risen from fifth place in last year’s survey. It now ranks above financial planning and profitability reporting and analysis.
As Protiviti noted in the report: “The growing demand for financial, non-financial, structured and unstructured data, combined with the need to safeguard organisational data with accuracy and compliance savvy have elevated the CFO’s data governance responsibilities.”
As regulators clamp down on data security and privacy capabilities, Moore says CFOs are having to having to rush to create new compliance and accountability processes and adopt cybersecurity best practices. “While many finance leaders are aware of the growing compliance burden and the sheer complexity of modern data regulations, plenty are still behind the curve and not keeping pace with the growing risks and changing data regulations,” he says.
Staying one step ahead
In the face of new and existing compliance demands, finance leaders must know what is coming so they have time to prepare. “Horizon-scanning is a critical part of reacting to new regulation and planning for compliance,” says Nick Frost, CFO of global technology group Prytek. “Today’s blog or newspaper discussion is tomorrow’s compliance requirement.”
The key, he says, is to get involved proactively. Most regulatory bodies have a mechanism for sharing strategies or tactical ideas and they run lengthy consultation processes for updates. In Frost’s view, having email alerts or a method of collecting information on new areas of consultation is important, particularly in local markets where businesses might operate. This means staying up to date and compliant with not only national, but also varied international regulations.
Engagement in potential change can be a good opportunity for CFOs to influence subsequent compliance requirements. “I have previously engaged with a regulator for a question they have asked; I didn’t need to, but it felt strategically prudent to be part of the conversation,” Frost says. “A collection of smaller voices can often have a big impact.”
Creating a compliance culture
Compliance is as much a cultural issue as it is a processes and systems issue. Modern desktop tools make it easy to communicate internally but they bring the risk of sharing sensitive private data in an uncontrolled way.
“The real challenge is ensuring the culture is compliant at all stages,” Moore argues. “All companies can do this better, but it takes time, money and a push from senior leadership.”
For Vineta Bajaj, CFO at online grocery retailer Rohlik Group, fostering a compliance culture is key. “It’s more than fulfilling obligations; it cultivates a commitment to privacy integrity,” she says. “CFOs should promote regular employee training that really engages staff. Interactive methods, such as quizzes and online scenarios, help integrate privacy more easily into the organisational fabric.”
Implementing a proactive data governance framework and communicating this to staff, investors, suppliers and other stakeholders, can also help finance leaders address emerging risks and ensure ongoing compliance.
Clear messaging and communication around compliance is especially important for businesses operating in multiple jurisdictions, where the legal expectations of staff may differ. CFOs need to ensure they are having these conversations with their local management teams to retain clear oversight.
“Finance leaders should lead by example, prioritising confidentiality and transparency,” says Bajaj. “Active involvement in committees and partnering with chief privacy officers are ways to bolster compliance initiatives. Treating data as both an asset and a liability demands vigilance, with policies evolving alongside emerging threats.”
Compliance challenges are not going away any time soon. This is a period of increasing levels of scrutiny and sanctions for countries, organisations and individuals. And, as Moore points out: “as regulatory requirements grow, we need to grow with them.”