a16z: Compliance is Everywhere, Huge Opportunities in the AI Track

Author: James da Costa, Angela Strange; Source: a16z; Translation: Shaw, Golden Finance

Over the past twenty years, the fastest-growing professions in the United States have been manicurists and foot massage therapists.

And right behind them is Compliance Officers.

The scale of compliance operations is far larger than the public imagines. Every inflow and outflow of funds in a company is within compliance oversight: paying wages must adhere to salary regulations, revenue reporting must meet tax requirements, fund transfers must follow payment rules and anti-money laundering regulations, and customer identity verification systems are in place. In heavily regulated industries, even communication methods and communication frequency between companies and clients are included in compliance management.

Currently, there are over 400k compliance officers in the U.S., with annual personnel expenditure exceeding $40 billion. Compliance consulting, outsourcing, and related roles add hundreds of billions of dollars in additional costs. Looking at the banking industry alone, between 2010 and 2014, the number of new regulatory provisions added in Title 12 (Banks and Banking) of the Federal Regulations exceeded the entire content of that chapter in 1980.

Despite strong market demand, talent supply in the compliance field remains tight. The U.S. Bureau of Labor Statistics predicts that over the next decade, the annual gap for compliance positions will exceed 33.3k. The industry’s current situation worsens the talent shortage: 87% of newcomers in this field eventually leave, with an annual turnover rate exceeding 20%. Major institutions are caught in a cycle of constant hiring and losing skilled professionals.

As the global business environment becomes increasingly complex, companies face more and more legal and regulatory requirements, yet their responses are surprisingly uniform: simply increasing staffing to solve problems.

But evidence shows that stacking human resources does not produce ideal results. For example, TD Bank was fined $3 billion in 2024 for failing to effectively monitor 92% of transactions. Since 2018, the bank accumulated up to 70k risk alerts but failed to address them in time.

TD Bank is not an isolated case. Over the past decade, nearly all large financial institutions have experienced expanding teams and worsening backlog of work, yet their operations still heavily rely on manual processes, making it difficult to improve.

Compliance work is tedious: processes are complex, bureaucratic, and heavily reliant on paper documents, leading to high labor costs. These inherent pain points and industry inertia have long made compliance a “quagmire” for startups.

Why is the situation changing now?

1. Technological breakthroughs: from “pilot-only” to “trustworthy”

If a product is only barely usable, its market potential is very limited; but once perfected, the market size can expand a hundredfold. The same applies to compliance: products with 90% accuracy fundamentally still cannot meet requirements.

Document processing is one of the core aspects of compliance work and a prime example. Optical Character Recognition (OCR) technology has been around for decades, capable of basic text recognition. But in scenarios like mortgage approval, corporate onboarding, or insurance claims verification, “barely usable” is far from enough. Today, Visual Language Models (VLMs) can not only recognize content but also understand the overall context of documents, greatly reducing errors. As a result, many companies are deploying these technologies at scale and signing cooperation agreements. This is not just a minor technological iteration but a critical leap: from “only suitable for pilot testing” to “trustworthy for core business operations.”

In addition, AI possesses several powerful capabilities: First, it can read, extract, and logically analyze document information with near-human accuracy, whether it’s company registration documents, financial statements, or 400-page regulatory PDFs. Second, intelligent agents can operate legacy systems like humans do, without waiting for interface development or spending months on system integration. Third, they support end-to-end execution of long workflows: retrieving data, cross-checking databases, flagging anomalies, generating and submitting reports, rather than just assisting with individual tasks.

In the legal domain, large models are becoming more diverse and their accuracy more stable, enabling industry teams to finally fully embrace AI. Currently, many large language models score between 80% and 100% on the LegalBench benchmark, which tests 162 legal reasoning tasks. This is significant for compliance work because compliance essentially involves applying legal logic within actual business constraints: reading regulations, matching them to real-world situations, identifying anomalies, and annotating ambiguous clauses.

2. Sales cycle: from slow to fast

Today, the risk of not upgrading compliance systems exceeds the risk of transformation itself. For a long time, regulated companies relied on cumbersome Governance, Risk, and Compliance (GRC) tools and outdated, fragile systems. System migration is difficult, with high costs and risks—any audit oversight can be costly; maintaining the status quo and “just getting by” seems safer.

AI has completely changed this situation. Compliance departments are no longer just cost centers but can become revenue enablers. In financial services, improving identity verification (KYC/B) speeds up onboarding, reduces customer churn, and helps companies generate revenue faster. After optimizing anti-money laundering monitoring, false positive rates drop, avoiding mislabeling normal clients and maintaining customer relationships. Marketing content review speeds up, allowing ads to reach users more quickly.

This reshapes industry competition: companies that complete digital compliance upgrades not only cut costs but also win clients that slower competitors cannot retain. Today’s competition is less about AI technology itself and more about how companies leverage AI capabilities.

Furthermore, as intelligent agents are poised to become mainstream online operators, a new risk emerges. Traditional compliance systems are designed around human operators. When counterparties become autonomous AI agents, we need new solutions to verify identities, judge behavioral intentions, and assign responsibility.

All these changes mean that compliance departments, which previously rarely purchased specialized software, are now actively adopting digital tools.

Three pillars of a compliance system

All regulated companies’ compliance work consists of three core components:

• Regulatory rules: External laws, internal policies, and extensive interpretation and linkage work between the two.

• Software systems: Implement rules as programs, including GRC platforms, case management systems, sanctions screening tools, and automation connecting various systems. These systems generally lack stability.

• Personnel: Operate the software according to rules, performing document review, form filling, data cross-checking, and report writing.

Most core compliance tasks involve extracting information from documents, manually verifying data accuracy or contradictions, and conducting routine monitoring (periodic repetition of the first two tasks).

For example, in banking, a Suspicious Activity Report (SAR) case: when NICE Actimize issues an alert for suspicious transactions, compliance officer Sarah intervenes to verify. She logs into the core banking system to retrieve the full transaction history, then consults independent databases and shared files to review customer identity verification, account opening documents, and source of funds. She compares these against internal policies to determine whether the transaction warrants a suspicious activity report and makes a judgment. Finally, she returns to NICE Actimize to write a report, manually copying and pasting transaction info and customer data from various systems.

Each of these steps can be a breakthrough point for AI startups to enter the market.

3. Converting regulatory rules into code

The U.S. Federal Regulations, Title 12 (covering the Office of the Comptroller of the Currency, Federal Reserve, FDIC, with over 70 chapters), the Financial Industry Regulatory Authority (FINRA), SEC, CFTC, and various state policies are all published as PDFs. Previously, companies relied on manual reading and interpretation to convert these into internal policies and continuously track rule changes.

AI can transform regulatory rules into standardized code, enabling structured storage, automatic updates, and invocation by intelligent agents. A lengthy 400-page regulation document can now be broken down into a clear compliance obligation checklist, automatically verified by systems. Regulations are no longer just documents for human reading but are implemented as executable logic. This results in two major changes: compliance monitoring shifts from periodic checks to continuous, real-time surveillance; and the time from regulation issuance to full enterprise implementation shrinks from several quarters to just minutes.

Take Brazil’s payroll compliance scenario as an example: local compliance officers repeatedly check government websites for rule updates, organize affected employee data into spreadsheets, and manually recalculate wages.

Case: Tako developed an intelligent system that automates Brazil’s complex labor regulations (over 10,000 unions, with nearly 900 rule changes annually). The system can audit payroll against union-related compliance rules, answer complex HR questions in natural language, and provide real-time alerts before violations occur.

2. Fully replacing legacy systems

Many compliance platforms were built before the cloud era, relying on manual copy-paste and switching between different systems. This results in low overall efficiency, as manual operations connect otherwise independent tools. Moreover, replacing these traditional systems often takes years, with high risks and costs, making risk officers hesitant to approve such projects.

Over time, many companies (especially banks) have accumulated decades of technical debt, which now hinders AI deployment.

Today, companies have three main options for AI-driven transformation:

1. Maintain existing systems with headless architecture: Continue using current systems as backends, building intelligent agents or new interfaces on top.

2. Develop new replacement systems: Rebuild core business systems from scratch, including data models, permission systems, workflows, APIs, and audit functions.

3. Purchase native AI platforms: Switch directly to next-generation platforms designed for intelligent agents, machine-readable workflows, and automation.

If existing systems store core compliance data, connect to dozens of internal and external data sources, and encode years of business logic, companies tend to prefer the first option for risk reasons. But this approach is passive: competitors leveraging AI can significantly reduce costs and increase revenue, and legacy systems may even prevent deploying basic tools like voice assistants (which require reading outdated programs from the 1990s).

Today, replacing traditional systems is not only feasible but essential to unlock AI’s value. Legacy systems are designed around manual operations: data silos, difficult retrieval, hardcoded rules, slow updates, batch processing, and no real-time response. Major banking systems like Jack Henry, NICE Actimize, and Smarsh exhibit these issues.

Case studies:

• Valon (Mortgage services): Built a mortgage platform from scratch, demonstrating that software can boost profit margins from breakeven to over 60%. It encapsulates complex post-loan processes into ValonOS—a native AI operating system with standardized workflows, auditable ledgers, and programmable actions—replacing over 25 legacy systems. The core system is now licensed externally, serving a trillion-dollar mortgage industry; more clients mean a data flywheel, continuously improving AI capabilities.

• Vesta (Mortgage origination): Integrates U.S. CFPB rules (TRID, HMDA, etc.) and state-level compliance requirements across all 50 states, streamlining federal and state filings. Rule updates are pushed via code, avoiding large-scale enterprise deployment. Lenders can perform precise audits and improve overall efficiency by 25% to 50%.

• Sardine (Fraud and transaction monitoring): Gradually replacing NICE Actimize, built on cloud architecture, capable of real-time fraud detection and complex post-transaction AML analysis. Its platform-based intelligent agents can boost compliance review efficiency by nearly 30 times. For example, an SAR (Suspicious Activity Report) auto-summarization tool can automatically extract info from multiple systems, filling 60-100 fields in a report in under a minute, compared to over 30 minutes manually.

3. Human-machine collaboration, empowering human work

The core of compliance work always involves three types of repetitive manual tasks: document parsing, manual process review, and routine monitoring of the first two.

Previously, the only way to connect these steps was through manual operations across outdated systems, which AI-powered automation now solves.

For example, in corporate banking account opening: when a client applies, compliance officers review and extract key info from IDs (ID cards, passports, corporate registration documents) and financial statements, then input data into multiple legacy systems, cross-checking sanctions lists and corporate info. With AI, the entire process can be automated end-to-end: instant document ingestion and parsing, parallel database checks, with only anomalies flagged for manual review—no need for full manual operation.

Case:

Factor Labs did not replace existing systems but layered applications on top. Their intelligent agents automate dispute resolution for banks and payment providers. Each task follows a customized manual (tailored to different merchants and card networks), mimicking analyst actions: logging into email, spreadsheets, fraud platforms like CyberSource, retrieving evidence, formatting into Word documents, and generating PDFs for clients.

Conclusion

All three implementation paths are practical, and future platforms will likely combine these capabilities. Companies should choose the best entry point based on their market scenario:

1. Frequent regulatory changes: If operations span multiple jurisdictions, with rapid rule updates or frequent audits, prioritize converting rules into code.

2. Replacing core systems: When there are new market opportunities with no dominant incumbents, or legacy systems are costly and difficult to upgrade, full replacement is necessary to realize AI’s potential.

3. Results-driven, backlog-heavy, or labor-short businesses: When compliance work involves producing reports, filings, or certifications, the immediate need is to augment human capacity—AI agents working 24/7 with zero errors, quickly clearing backlog (e.g., TD Bank’s 70,000 alerts).

In the long run, these paths will converge. Leading players will simultaneously implement rule codification, control next-generation core systems, and deploy large-scale intelligent agents.