Most compliance failures do not happen because leaders say the wrong things. They happen despite saying all the right ones. Across the UK and EU, organisations face intensifying scrutiny, from ESG reporting requirements to the EU Whistleblowing Directive and ongoing enforcement by the Financial Conduct Authority (FCA). Yet scandals continue to emerge in firms with polished codes of conduct and confident boardroom messaging. According to the FCA Annual Report (2023) and European Commission compliance guidance (2022), the gap between policy and practice remains stubborn. The problem is not tone from the top. It is what happens in the messy middle, where targets, pressure and ambiguity collide. Sustainable compliance is not built through rhetoric. It is built through behaviour.

Middle Managers are the Real Compliance Gatekeepers

Most compliance strategies look impressive at the top and unravel in the middle. Middle managers are expected to translate policy into practice, yet they are rarely equipped or incentivised to do so. This creates what might be called a “compliance translation gap”. Senior leaders issue clear principles, but by the time those principles reach frontline teams, they have been filtered through competing pressures.

In UK financial services, this tension is particularly visible. Managers are expected to meet ambitious sales targets while also adhering to strict conduct expectations set by the FCA. In practice, many quietly prioritise what is measured. Employees tend to follow the behaviour they see rewarded locally rather than formal corporate messaging. The result is a set of informal norms that carry more weight than official policy. Teams quickly learn what really matters. If deadlines and revenue are prioritised, compliance becomes secondary.

The solution is not more guidance from the top. It is targeted investment in middle managers, giving them clarity, support and accountability to act as genuine gatekeepers of behaviour.

Performative Compliance Undermines Real Integrity

Many organisations are exceptionally good at looking compliant. They produce detailed policies, complete mandatory training and pass audits with confidence. Yet this often amounts to what can be described as “compliance theatre”. The activity signals control without genuinely changing behaviour.

The problem is particularly visible in the wake of GDPR. Across the EU and UK, firms rushed to update privacy notices and consent forms, creating an impression of rigour. However, enforcement actions by regulators show that underlying practices often lag behind documentation. The European Data Protection Board Annual Report (2023) highlights repeated failures in how data is actually handled, despite formal compliance structures being in place. This gap exists because documentation is easier to produce than behavioural change. Employees learn quickly that completing training or signing policies is what matters, not how decisions are made under pressure.

Leaders often respond by adding more rules, more reporting and more audits. This only deepens the problem. Real integrity cannot be measured through paperwork alone. It requires attention to what people actually do when faced with trade-offs, deadlines and competing priorities.

Incentives Don’t Lie

Organisations rarely set out to encourage misconduct, yet their incentive systems often do exactly that. The tension between revenue targets and compliance obligations creates what can be called “shadow incentives”. These are the unspoken signals about what really matters.

In sales-driven environments, the pattern is familiar. A bank may promote strong conduct values, yet reward teams primarily on growth. It is no surprise that employees focus on hitting targets. Past mis-selling scandals in UK financial services showed how easily this imbalance can distort behaviour. Even with the introduction of the Senior Managers and Certification Regime, accountability still depends on how incentives are structured in practice.

The same dynamic is now visible in fast-growing tech firms, where speed and scale are prized above all else. Compliance becomes something to manage later.

The lesson is straightforward. People follow what is rewarded, not what is written in policy documents. If incentives point in the wrong direction, culture will follow. Leaders need to align performance measures with ethical outcomes, or risk undermining their own compliance efforts.

Psychological Safety or Silent Risk?

On paper, employees have never been better protected. The EU Whistleblowing Directive and strengthened UK frameworks offer clear routes to report concerns. Yet many employees still stay silent. This gap reflects what researchers call “organisational silence”, where people choose not to speak up despite formal safeguards.

The barriers are rarely legal. They are social and psychological. Employees worry about being labelled difficult, damaging relationships or harming their careers. Others simply do not trust that anything will change. The European Commission Whistleblowing Directive Report notes that underreporting remains a persistent challenge, even where systems are in place. In practice, this often leads to escalation outside the organisation. High-profile cases have shown employees bypassing internal channels entirely and going straight to regulators or the media when trust breaks down.

The lesson is uncomfortable. Formal protection does not create perceived safety. That comes from visible action. When leaders respond consistently, protect those who raise concerns and demonstrate consequences, trust builds. Without that, silence becomes the default and risk quietly accumulates.

Embedding Compliance

Most organisations still treat compliance as a set of rules to remember. The more effective ones treat it as a set of habits to design. Risk rarely appears in dramatic moments. It shows up in what might be called “micro-compliance moments”, the small, routine decisions made under time pressure.

Behavioural science offers a more practical approach. Instead of relying on memory, firms can use nudges, defaults and reduced friction to guide behaviour. For example, some UK financial institutions now embed compliance prompts directly into client onboarding systems. Employees are required to confirm key checks before progressing, making the compliant action the natural one. Such interventions can significantly improve decision quality.

A similar trend is emerging in EU-based firms adopting automated controls within procurement and data handling workflows. Rather than issuing more guidance, they design systems that prevent errors in the first place.

The key insight is simple. Policies are easy to ignore, especially under pressure. Habits are harder to break. Leaders should focus less on writing better rules and more on shaping environments where the right choice feels like the easiest one to make.

Compliance Is a System, Not a Slogan

Tone from the top still matters, but on its own it achieves very little. Real compliance is shaped by incentives, habits and the countless small decisions made each day. Organisations that have reduced misconduct have not relied on messaging alone. They have redesigned systems. UK banks adjusting bonus structures after past scandals, and EU firms embedding controls into digital workflows, show how behaviour shifts when the environment changes, as noted in the FCA Enforcement Review (2022).

The uncomfortable truth is that organisations do not have compliance cultures in isolation. They have systems that consistently produce compliant or non-compliant behaviour. If your compliance depends on people remembering the rules, you have already designed it to fail.

And what about you…?

  • Do my middle managers feel equipped and incentivised to uphold compliance, or are they quietly forced to prioritise performance targets?
  • Are our compliance processes genuinely influencing decisions, or are they becoming a form of “tick-box theatre”?