Transformation Risk insights series

How transformation leaders can manage regulatory and compliance risks: 3 essential questions

  • July 07, 2025

Is the US market deregulating? While there are targeted efforts to loosen federal regulation in certain areas — often to promote innovation and reduce compliance burdens — the broader trend is heightened scrutiny, evolving disclosure requirements and more active regulatory posture across key sectors. And with no centralized oversight, different states may set their own — often conflicting — rules. Doing business globally adds another layer of complexity.

Regulatory and compliance risks show up in two ways. The first is non-compliance — failing to meet established regulations — which can result in fines, legal consequences or lost business. The second is broader: navigating evolving or ambiguous rules, managing inconsistent requirements across jurisdictions and addressing stakeholder scrutiny even when technically compliant. As businesses pursue transformation, these risks often emerge in areas including AI, tax, data governance, and operations, requiring proactive oversight, not just reactive fixes.

If you are a business leader in charge of transformations, ignoring potential regulatory and compliance risks can open your organization to delays, budget overruns, fines and penalties, and even potential impact to your reputation. PwC’s June 2025 Pulse Survey found that 34% of tech leaders consider managing transformation risk one of their top three barriers to effectively delivering on strategy — ranked ahead of technical debt and resource constraints.

“Deprioritizing or delaying regulatory and compliance risk assessment or requirements-gathering activities as part of a transformation roadmap can have lasting consequences. It often leads to higher compliance costs in the long run — from potential remediation efforts, missed momentum and the need to retrofit solutions.”

Jill Pavlus, Principal, Digital Assurance & Transparency, PwC US

Even without changes in regulation, every transformation is a chance to strengthen how you meet regulatory obligations — building smarter, more resilient compliance into systems and processes from the start. In a fast-changing landscape, managing regulatory and compliance risks takes focus. Here’s what to consider right now.

What are the most pressing regulatory and compliance risks today?

You need to work across functions to manage risks effectively and holistically across the organization. Consider these key areas to pay attention to.

  • Risk and compliance leaders may be involved too late. This isn’t a new issue. Still, transformation teams facing tight timelines and business pressures may neglect to include the right financial, operational and compliance risk team members in the early stages of major transformations. The consequences may include impacts to internal controls over financial reporting, including material control deficiencies, inaccurate or incomplete cybersecurity disclosures, and missed regulatory obligations to shareholders, customers or regulatory agencies. It can also result in inadequate vendor oversight due to increased reliance on third parties, regulatory blind spots stemming from missed or misunderstood requirements, and increased risk of failing regulatory examinations.
  • Geopolitical shifts can derail transformation momentum. Major transformations often depend on global supply chains, cross-border investments and long-term cost models. But volatility in trade policy and tariffs introduces sudden friction — impacting material costs, vendor stability and timelines. In our May 2025 Pulse Survey, 58% of executives say they’re diversifying suppliers in response to these pressures. Without early visibility into such risks, transformation efforts can stall midstream or require costly realignment. Are your strategies flexible enough to withstand potential trade-related shocks?
  • Regulation often lags behind innovation. Today, leading-edge technologies like AI and blockchain operate in largely unregulated or rapidly evolving environments. While laws and regulations may be pending, organizations that fail to apply responsible frameworks proactively could face operational or reputational impacts once regulation begins. Without strong governance, major AI initiatives may fall short — missing expected ROI and putting critical innovation investments at risk.
  • Complexity and fragmentation can make transformations harder. With federal uncertainty in some areas like sustainability, and overlapping or even conflicting requirements between different regulators, state-level and international regulations become more influential and complex. Multinationals should navigate a patchwork of requirements, such as the Corporate Sustainability Reporting Directive (CSRD) in the EU and varying state-level climate or data privacy laws in the US. It’s difficult to design one set of processes or controls that satisfy each jurisdiction — especially when regulations can change and evolve mid-transformation. Inconsistent standards raise the risk of noncompliance, and inopportune timing can lead to delays, increased costs, or programs falling out of alignment before they’re even fully implemented. Fragmented rules also mean vendor oversight models need to be layered and highly adaptable — making your job even harder.
  • New doesn’t mean compliant. New platforms or processes, especially connected systems, may unintentionally violate existing rules or obligations. Without centralized oversight, regulatory blind spots can get baked into transformation initiatives. When outsourcing to third parties, like cloud service or fintech providers, it’s hard to make sure regulatory responsibilities are clearly assigned, monitored, and auditable.

What can I do to help reduce regulatory and compliance risks right now?

It’s your job to cut through complexities and avoid pitfalls. Here are three things you can do to help your transformations avoid roadblocks.

  • Start at the beginning. We’ll say it again for emphasis: Head off issues before they happen to avoid costly penalties and delays for remediation. Include the appropriate risk team members (financial, operational and compliance) in your transformation steering committee and program team build-out to guide transformations from the outset. When you’re moving fast — say, migrating to the cloud with a systems integrator — it’s easy to focus on delivery and overlook the controls that keep your business secure and compliant. Too often, providers aren’t equipped to design or test the right controls for your environment. Control design shouldn’t be an afterthought. Build it in early. Align with internal and external audit teams. Develop automated controls and continuous monitoring from the get-go. Because what you catch up front won’t catch you off guard later.

    Or, say your deals team is managing an acquisition. Make sure the right controls are in place before closing the deal. It’s better to prevent problems than untangle someone else’s, which could require standing up a whole regulatory affairs team — at a time when you may already be under the microscope of shareholders and other stakeholders.
  • Keep regulatory change on your radar. Build out a dedicated workstream on how current and forthcoming regulations could affect your business. Be proactive about areas like local data privacy laws and cross-border sourcing or trade, and work these into your transformation roadmap. You’ll need to consider the future state now, rather than playing catch up later. Use modular designs that can adapt to different regulations and jurisdictions and include flexible controls and reporting layers for audit readiness. A traceability matrix can help you monitor how changes affect specific functions.

    For example, to get the most out of your AI investments, start by setting up a cross-functional governance team. Make sure you’re tracking AI tools and use cases across your business, as part of your transformation roadmap and beyond — and applying responsible AI from the start. Use a risk-based approach to evaluate AI across functions, drawing on frameworks like the EU AI Act or the NIST AI Risk Management Framework. Assess vendor contracts and update internal controls to close compliance gaps before they become issues.
  • Work with regulators and standards bodies. Regulators aren’t your enemy. They’re collaborators in transformation. Maintain real-time engagement with regulatory change teams.

    Take the recently revived interest in stablecoins, less-volatile cryptocurrencies pegged to the US dollar: If your business has been thinking about issuing stablecoins, you should already be following the activity around reporting standards and regulations — and hopefully have provided your perspectives during the public comment periods. That way, you’d be well positioned for the new American Institute of CPAs (AICPA) framework and pending federal regulations. (PwC's assurance specialists worked with the AICPA to help craft guidance for institutions planning to issue stablecoins.) The new reporting standards are designed to comply with even the most stringent state and local regulations and forthcoming federal guidelines.

    Engaging with regulatory bodies and standards organizations can help you adhere to new and existing guidelines, even if they vary between the locations where you operate. Over time, these relationships may even give you a say in shaping future rules.

Where can I get help?

We help organizations navigate complex transformations across multiple risk areas — including regulatory and compliance. Using PwC’s integrated suite of services, we help you address both immediate compliance needs and long-term strategic alignment. Here's what we can do, so you can focus on moving your business forward.

  • Regulatory change pre-implementation assessments can help you understand and interpret applicable regulatory obligations; assess the impact on processes, controls and systems; identify gaps or risks that could emerge during or after a transformation event; and make sure regulatory compliance is built in — not bolted on. That way, you can preserve control integrity and sustain a sound regulatory posture through change.
  • Regulatory impact assessments help you proactively understand which regulations, processes and controls could be impacted as a result of strategic, operational or technological change. We assess business impact, control readiness and system implications — helping you move forward with greater confidence, better align with regulators, and build a control environment that’s ready to support long-term compliance and growth.
  • Regulatory and compliance framework health checks evaluate the effectiveness of existing compliance programs and transformation initiatives to identify gaps, inefficiencies, or control weaknesses, so you can run more smoothly.
  • Regulatory risks and issue remediation is where we work alongside you to respond to regulatory findings or audit issues and head off client or shareholder concerns. We assist with implementation of sustainable solutions so you can strengthen your processes and controls and reduce your risk exposure.

These offerings, supported by our unmatched expertise and tech-forward innovative approach, help you stay compliant and build trust with regulators and stakeholders while achieving impactful business outcomes.

Contact us

Jill Pavlus

Principal, PwC US

Brandon Laws

Partner, PwC US

Chris Konnick

Partner, PwC US