A London fintech launches an AI-driven fraud detection platform for EU clients and quickly discovers that innovation is now the easy part. Within months, the business must navigate Financial Conduct Authority (FCA) operational resilience rules, the EU AI Act, General Data Protection Regulation (GDPR) data transfer restrictions, anti-money laundering checks, environmental, social and governance (ESG) disclosures and the EU’s Digital Operational Resilience Act (DORA) cyber resilience requirements. The firm may be technically compliant, yet it is still vulnerable to conflicting obligations and mounting reporting costs.

Across Britain and Europe, companies are no longer suffering from regulatory gaps. They are being overwhelmed by overlapping rules arriving from multiple regulators at once. As technology, geopolitics and digital finance evolve faster than regulatory coordination, duplication, contradiction and accountability confusion are becoming defining risks of modern business. What does this look like in practice?

The Compliance Gordian Knot

Anti-money laundering controls, ESG disclosures and data privacy rules were once treated as separate compliance functions. Today, they increasingly overlap in ways that confuse even sophisticated multinational firms. A European bank investigating suspicious transactions linked to forced labour risks in Asia may now face obligations under the EU Corporate Sustainability Due Diligence Directive while simultaneously complying with AML reporting duties and GDPR restrictions on behavioural monitoring. Meanwhile, Britain’s Economic Crime and Corporate Transparency Act has expanded corporate liability for fraud, pushing firms towards more aggressive surveillance and internal data collection.

The paradox is striking. Regulators demand deeper customer intelligence to combat fraud, sanctions evasion and greenwashing, yet the same authorities punish excessive monitoring or weak privacy safeguards. In 2024, several European regulators intensified scrutiny of ESG claims, while data protection authorities continued challenging intrusive AI-driven profiling systems.

Compliance teams are therefore becoming “data arbitrage centres”, constantly balancing transparency against confidentiality. Supply chain audits now overlap with sanctions checks, ESG governance reporting increasingly depends on AML systems and privacy lawyers routinely clash with fraud investigators. The result is a modern regulatory Gordian Knot that few businesses can easily untangle.

Too Many Watchdogs

Digital finance has created a regulatory maze in which multiple watchdogs often supervise the same activity without clear coordination. A crypto exchange operating in Europe may answer simultaneously to securities regulators, payments authorities and anti-money laundering agencies under the EU’s Markets in Crypto-Assets Regulation. In Britain, fintech firms frequently navigate overlapping expectations from both the FCA and the Payment Systems Regulator, particularly around authorised push payment fraud and reimbursement rules.

This fragmentation creates opportunities for criminals. Fraud networks move funds rapidly across jurisdictions while regulators remain divided by national mandates and legal boundaries. Cross-border scam investigations involving cryptocurrency, mule accounts and AI-generated identities are often delayed by disputes over authority and evidence-sharing. Meanwhile, some fintech firms engage in “jurisdiction shopping”, choosing countries with lighter oversight or slower enforcement in which they can act more ‘independently’.

The EU hopes its new Anti-Money Laundering Authority (AMLA) will improve coordination, yet tensions between national regulators and EU-wide supervision remain unresolved. Buy now, pay later platforms provide another example of these difficulties, with consumer credit regulation varying sharply across Europe. Increasingly, businesses fear that regulatory complexity itself may become a systemic risk by slowing innovation, weakening accountability and creating uneven competition across the digital economy.

Risk Without Borders

Third-party risk oversight has become one of the most chaotic areas of modern regulation. Financial institutions using Amazon Web Services, Microsoft Azure or Google Cloud now face overlapping obligations under DORA, NIS2 and the UK operational resilience regime, all demanding deeper visibility into outsourced technology, cyber resilience and operational continuity. DORA requires firms to maintain detailed registers of ICT suppliers and assess concentration risk linked to hyperscalers, reflecting fears that a single cloud outage could disrupt entire sectors.

The problem is that regulators increasingly expect companies to understand not only their direct suppliers but also fourth-party and fifth-party dependencies hidden deep inside global supply chains. Retailers tracking modern slavery exposure, manufacturers monitoring ESG compliance and banks auditing AI-enabled vendors are discovering that outsourced efficiency often creates operational blindness. Following the 2024 CrowdStrike disruption, many firms realised they had little visibility over interconnected software dependencies despite extensive compliance programmes.

Businesses are therefore caught between contradictory pressures. Regulators demand resilience and transparency, while boards continue pursuing leaner outsourcing models and AI-driven procurement systems that make supply chains more opaque, not clearer.

The AI Governance Vacuum

Artificial intelligence has become the clearest example of modern regulatory fragmentation. A bank using AI for fraud detection may simultaneously fall under privacy law, anti-discrimination rules, consumer protection obligations and financial conduct supervision, yet no regulator can fully explain where responsibility for algorithmic decisions ultimately begins or ends. The confusion is growing as firms deploy autonomous agentic systems capable of approving loans, monitoring transactions and generating compliance reports with minimal human intervention.

The EU AI Act adopts a highly prescriptive model built around risk categories and mandatory controls, while the UK continues favouring a more principles-based approach intended to encourage innovation. The result is increasing uncertainty for multinational businesses operating across both systems. Financial institutions are already battling synthetic identity fraud powered by generative AI, while employees sometimes quietly introduce “shadow AI” tools into workflows without formal governance approval.

The deeper concern is that regulators may already be falling behind the technology itself. Many organisations are deploying AI systems that neither internal auditors nor external supervisors fully understand. Even AI-generated compliance documentation can obscure rather than clarify how automated decisions are actually being made.

From Silicon Valley to Sovereign Regulators

Compliance is no longer simply a legal exercise. It has now become a geopolitical balancing act. Brussels is pursuing “digital sovereignty” through new EU data and technology policies, while post-Brexit Britain is gradually diverging from EU cyber and privacy frameworks. At the same time, US-China technology tensions are forcing European firms to reassess suppliers, cloud providers and investment partnerships. Dutch chipmaker ASML, for instance, has faced export restrictions on semiconductor equipment destined for China, while TikTok continues to face European scrutiny over data security concerns. Companies must now navigate conflicting sanctions regimes, localisation requirements and investment screening rules across multiple jurisdictions. Regulation increasingly functions as a strategic state weapon rather than merely consumer protection.

Compliance as Strategic Navigation

Regulatory fragmentation is unlikely to fade in the coming decade. Instead, businesses face a permanent landscape of overlapping rules shaped by politics, trade disputes and national security concerns. The World Economic Forum has warned that companies are operating in an increasingly “polycrisis” environment, while Deloitte notes that boards now treat regulatory risk as a strategic issue rather than a legal afterthought. Successful firms will build flexible governance systems, invest in real-time compliance monitoring and prepare for sudden policy shifts across multiple markets. The next competitive advantage may not be innovation alone, but the ability to navigate regulatory complexity without becoming paralysed by it.

And what about you…?

  • In your experience, where do you see the greatest overlap between different regulations, standards, or governing bodies in your field, and how does this affect your day-to-day work?
  • What concerns do you have about the impact of overlapping regulations on innovation, decision-making, or professional autonomy within your organisation or industry?