Regulation of technology firms is increasing, especially in the AI arena. Tech leaders must build an effective compliance function that supports rather than hinders innovation.

Leaders of every tech company—not just the largest—need to respond to the harsher regulatory landscape. They must:
  • Build a compliance function that goes far beyond today’s activities, which typically focus on lobbying.
  • Create internal processes that ensure products are compliant, even where regulations are evolving fast.
  • Integrate the compliance function into the company culture so that it doesn’t stifle innovation.

As tech firms face a wave of regulation, and the potential for more lawsuits and larger fines, the old strategy of “move fast and break things” is unsustainable.

The So What

Regulators are targeting tech companies with more regulation and stringent enforcement across jurisdictions from California to the EU to India.

With more topics being regulated in more ways, tech companies must rethink their compliance strategy to deal with regulation at scale. Their previous approach of focused, dedicated action for specific regulatory issues will no longer work.

To ensure that innovation continues, tech firms must make this new approach a part of their innovation cycle, rather than bolting it to existing processes.

This task is given increasing urgency by the rapidly developing regulation of AI.

Go Deeper

Regulators are broadening their focus. They are moving beyond privacy and competition to areas such as content moderation (for example, the UK’s Online Safety Act, passed in October), protection of minors (Utah legislation passed in March aims to protect under-16s on social media), and tech companies’ payment activities (the US Consumer Financial Protection Bureau wants to regulate tech firms’ payments businesses and digital wallets).

Regulatory bodies now insist on transparency and accountability. The EU’s Digital Markets Act mandates stringent audits, enhanced transparency reports, and the appointment of a compliance officer by the company’s board—an indication of the heightened accountability expected in the tech industry. All of tech could soon be regulated like the medtech and fintech subsectors, with scheduled reporting and regulatory examination.

The advent of AI is bringing a new wave of regulation. President Biden’s executive order on AI safety and security in November and the EU’s proposed AI Act signal the onset of a wave of global regulation. Many other jurisdictions around the world are gearing up to introduce similar legislation.

Enforcement and intervention have intensified. The ten largest fines under Europe’s General Data Protection Regulation, totaling approximately €3.8 billion ($4.1 billion), were all levied on tech companies, and cumulative fines under that regulation now exceed €4.4 billion. (See the exhibit.) Enforcement on competition issues in particular is ramping up. Microsoft had to significantly amend its $69 billion acquisition deal with Activision Blizzard, finalized in October, after regulatory intervention; Adobe abandoned its $20 billion acquisition of Figma at the end of 2023 after declaring there was “no clear path to receive necessary regulatory approvals.”

Now What

Leaders of any tech company, not just Big Tech, must recognize that the landscape has transformed—and will continue to evolve rapidly. Although traditional approaches like lobbying, voluntary standards, and cooperation with regulators offer some benefits, they fall short.

Companies must build efficient and effective compliance processes, addressing regulation at scale while keeping costs under control and maintaining the ability to innovate at pace:

  • Manage regulator relationships. This is as vital as managing relationships with customers. Regulators expect quick, consistent, and accurate responses to their requests.
  • Lobby effectively. Strategies include educating regulators, aligning on the interpretation of laws and directives, and setting voluntary commitments.
  • Identify and assess relevant regulations. New laws must be systematically analyzed for relevance and impact to adequately prioritize responses. Consistent interpretation across jurisdictions is critical.
  • Develop internal standards. Translating regulations into clear, actionable internal standards is vital for product and engineering teams to respond to the requirements efficiently. It is critical to de-duplicate, aggregate, and simplify the requirements.
  • Create and update controls. Turning standards into reality requires implementing effective controls across the organization. The best way to do this is by designing new products—and even the firm’s tech architecture—with compliance in mind. Certain controls need uniform standards (such as authentication and data controls). Others are more bespoke and require training for product and engineering teams.
  • Monitor and test controls. Regular testing, using techniques like white-hat testing, ensures that controls function as intended. Where possible, testing should be automated or replaced by live data feeds from automated controls.
  • Be clear about what risk is acceptable. This prevents fresh debates about risk levels from holding up product development.

These strategies ensure that new products are compliant at release and stay compliant over time. Companies that have not invested in a holistic compliance function need to catch up and make sure that they are taking all key laws and regulations into account.

The Idea in Action

Tech firms are learning—as many other regulated companies already have—that they must build multiple compliance teams: a centralized enterprise team to lead the strategy and business-aligned teams to integrate compliance into daily operations. The skills in their current legal teams will not be sufficient.

Tech firms also need to build the appropriate systems. These include tools to track controls, testing, and incidents to ensure that employees can effectively manage compliance risk.

Culture needs to change as well. Compliance capabilities have to be integrated into a tech company’s thinking, which is not easy. Change begins with a proactive approach to risk management and strong leadership support for compliance. Tech firms must prevent bureaucratic compliance processes from stifling innovation.

Compliance works best if the whole company buys into it, understanding that the organization needs a social license to operate. This requires a culture where risk is no longer someone else’s problem; staff should proactively spot and address potential problems.

If You Do Nothing Else

Build a modern compliance program that supports rather than hinders change. This journey often takes two to four years to complete, but companies that successfully navigate it will avoid legal pitfalls and gain a significant competitive advantage. Those that fail to do so risk distraction from regulatory inquiries, forced product changes, lawsuits, and fines. Acting now lets you focus on what all tech firms need—innovation.

The authors thank Bernhard Gehra and Matthew Barton for their invaluable contributions.
