From Surveillance to Certainty: What Regulators Really Expect Now

Financial Markets Compliance

March 16th, 2026

Surveillance is no longer questioned because firms lack it. It’s being tested because regulators want proof that it works.

Having a surveillance system in place is no longer enough. Firms must now demonstrate (with evidence) that their controls operate as intended, consistently and at scale.

That was the central theme of a recent NICE Actimize roundtable webinar on Regulatory Certainty, the next standard for surveillance.

The discussion featured Konstantinos Rizakos, General Manager, Compliance, NICE Actimize, a seasoned compliance technology executive who has overseen enterprise compliance platforms at global tier-one banks and driven large-scale surveillance transformation initiatives. He was joined by Steve LoGalbo, Director, Compliance Product Management, who brings more than two decades of experience across compliance and technology, and Paul Cottee, Director, Regulatory Compliance, who brings multi-jurisdictional compliance and front-office experience across global markets.

What emerged was not incremental change. It was a structural shift in regulatory expectations, from capability to defensibility.

The Pivot: From Implementation to Proof

Modern surveillance functions were shaped by the global financial crisis and the regulatory wave that followed (Dodd-Frank, MAR, MiFID II), all reinforced by benchmark scandals that exposed weaknesses in oversight.

Those events institutionalized surveillance. For years, the mandate was clear: implement systems capable of detecting and preventing misconduct.

But now, that baseline has matured.

“The requirement now,” Cottee said, “is that you need to be able to prove that it works. It’s not good enough just to have it, and set it, and fire and forget.”

Surveillance is no longer a deployment milestone. It is a governance obligation, and that governance must be defensible on demand.

From “Who Did It?” to “Prove Your System Would Have Seen It”

Historically, enforcement focused on identifying individual wrongdoing. Today, regulators are increasingly examining the control framework itself.

“Now they care about how the systems that prevent the abuse are actually operating,” Rizakos explained. “Not just whether someone committed it.”

This is a profound shift.

Regulators are no longer satisfied with retrospective detection. They are asking firms to demonstrate that their programs would have identified misconduct, and that those outcomes are reproducible under scrutiny.

The emphasis has moved from the existence of surveillance to measurable effectiveness. Firms must show that their systems are appropriate for the nature and scale of their business, and that they understand how those systems behave under real conditions.

Control Telemetry: The Dashboard Regulators Expect

To illustrate the new expectation, Rizakos used a simple analogy: it’s not enough that a car gets you from point A to point B. Most car owners would want to know that it’s operating as designed, and that they would have early warning before something starts to fail.

LoGalbo built on that idea, emphasizing the need for clear signals — the equivalent of dashboard indicators that reveal when maintenance is required and when performance is beginning to deteriorate.

Surveillance is moving toward that same standard of telemetry. From event initiation through capture, enrichment, archiving, retention, investigation and closure, firms must have visibility into each stage of the pipeline.

“You have to have signals at each point of the way,” LoGalbo emphasized.

No firm believes it captures 100% of activity. The real exposure lies not in imperfection, but in uncertainty — not knowing what is missing, where gaps exist or how material those gaps may be.

The new standard requires firms to quantify that risk.

Traceability and Infrastructure-Level Scrutiny

A telling indicator of where the market is heading is the growing demand for traceability. Compliance leaders increasingly ask for the ability to trace a regulated event (whether a trade, voice call, message or electronic communication) from the moment it is created through capture, processing, archiving and retention, with full transparency along the way.

This reflects a broader move toward infrastructure-level oversight. Regulators are looking beyond alert counts and case closures. They are evaluating data lineage, reconciliation controls, tolerance thresholds, system versioning and evidence of remediation when failures occur.

It is no longer sufficient for a firm to assume its controls are operating correctly because no issues have surfaced. A detection scenario that generates no alerts may indicate low risk, or it may indicate a failure in data capture, logic configuration or upstream processing. Regulators increasingly expect firms to distinguish between those two outcomes with evidence.

The burden has shifted from asserting “the system works” to demonstrating how you know it works — and how you would detect it if it didn’t.

Don’t Fall Into the TRAP: A Blueprint for Defensibility

To crystallize the expectation, Cottee introduced a framework he calls TRAP. Surveillance programs must be traceable, repeatable, auditable and predictable.

Traceable means that data lineage is visible from origin to outcome. Repeatable means identical inputs produce consistent outputs. Auditable means that every step leaves an evidence trail. Predictable means that system behavior is understood and governed.

TRAP moves surveillance beyond operational monitoring. It transforms it into defensible governance, something leaders can confidently stand behind.

Explainability in the Age of AI

As AI becomes embedded in surveillance architectures, the governance bar rises again.

Explainability once meant documenting rule thresholds. Today it encompasses model selection rationale, training data governance, validation protocols and performance recalibration over time.

Cottee illustrated this with a regulator’s analogy about making tea. You don’t need to understand the molecular chemistry behind boiling water to make a good cup of tea. But you do need to know the recipe (the steps you follow, the ingredients you use and the order in which you apply them), and you must be able to produce the same result consistently.

That is the regulatory expectation for AI. Firms are not required to explain algorithms at an academic level. They are required to understand, document and consistently reproduce how their models function, and to demonstrate that those models behave predictably under defined conditions.

Rizakos added that automation of documentation and testing workflows is rapidly becoming table stakes. What differentiates mature programs is disciplined oversight: understanding why a model was selected, how tolerance levels were determined and how those decisions evolve as risks change.

AI adoption alone does not create regulatory certainty. Governed AI does.

AI: Efficiency, Effectiveness and Risk Visibility

In the near term, AI can reduce false positives and alleviate alert fatigue, acting as a copilot for investigative teams.

“AI is going to assist — not replace,” LoGalbo noted.

But the longer-term opportunity is more strategic. AI can surface risks that legacy approaches could not detect — the “unknown unknowns.” Dormant detection scenarios. Inconsistent investigative patterns. Emerging behaviors that static thresholds might miss.

That reframes AI from a cost-control tool to a risk-visibility accelerator.

At the same time, automation without oversight introduces new risk. Bulk closures without review have already led to regulatory findings across the industry. Efficiency must be paired with defensibility.

Used thoughtfully, AI elevates the workforce. Analysts transition from repetitive triage to quality assurance oversight, model validation and governance optimization, strengthening institutional capability.

Continuous Improvement as the True Signal

Regulators are not demanding perfection. They are demanding demonstrable control maturity.

They expect to see ongoing system health monitoring, calibration based on observed trends, structured QA review, documented remediation when issues arise and continuous refinement of detection logic.

Regulatory certainty is not static. It is visible, disciplined improvement over time.

From Surveillance to Certainty

Regulatory certainty ultimately rests on three core foundations: 1) complete and validated data coverage; 2) governed, explainable detection models; and 3) consistent, defensible investigative processes. Increasingly, disciplined AI integration enhances each of these dimensions.

Surveillance once centered on detection.

Today, it centers on assurance — assurance to regulators, executive leadership and boards that control frameworks are functioning as intended.

When regulators ask, “Can you prove your program works?”, the answer cannot be conceptual. It cannot be aspirational. You have to be able to demonstrate it — clearly, confidently and with evidence that stands up to scrutiny.

That is the new standard.

What Leaders Should Do Now

For senior compliance and risk leaders, the shift to regulatory certainty is not theoretical. It demands action.

First, move beyond periodic validation and build real-time visibility into the health of your surveillance infrastructure. If you cannot quantify completeness, you cannot defend it.

Second, treat model governance as a strategic discipline, not a documentation exercise. Ensure your teams understand not only how models perform, but why they were designed the way they were and how they evolve.

Third, establish measurable feedback loops between detection, investigation, QA and model refinement. Continuous improvement must be observable, not implied.

Fourth, integrate AI deliberately. Use it to reduce noise and enhance insight, but pair automation with governance controls that preserve defensibility.

Finally, prepare for examination before it happens. Challenge your own program. Trace it. Test it. Red-team it. Ask the question regulators will ask: Can we prove this works?

Because in today’s environment, regulatory certainty is no longer a competitive advantage. It is the cost of credibility.
