From AI audits to accelerated pace of regulatory change

Authors:

Laurent Louvrier
VP of Product, Artificial Intelligence at Confluence

Kyrstin Ritsema, IACCP®
Executive Director - Compliance Services at Confluence

Lewis Davison
VP of Product at Confluence

As the regulatory environment continues to evolve, we are seeing greater pressure to adapt faster and smarter. From real-time settlements to global fund disclosure requirements and emerging AI governance standards, compliance teams are under increasing pressure to stay ahead.

In this month’s report, we look at:

• AI scrutiny intensifies: Regulators are demanding greater transparency and auditability in AI tools. Firms must be prepared for accountability.
• Cyber rules tighten: The SEC’s new Cybersecurity Rule mandates incident reporting within four days. Compliance now requires cross-functional governance.
• ESMA’s latest call for evidence invites feedback on how regulatory complexity may be impacting retail investor engagement, with potential implications for future disclosure requirements including PRIIPs KIDs.

Algorithmic accountability: The coming wave of AI audits

Artificial Intelligence has evolved from a buzzword to a foundational tool for asset managers. Whether supporting portfolio optimization, surveillance, or risk modeling, AI now plays a role in key decision-making processes. However, as adoption expands, so does regulatory attention.

The EU AI Act is nearing finalization, introducing a risk-based framework for AI oversight. In parallel, the U.S. SEC has signaled interest in the governance of algorithmic systems—particularly where AI intersects with investor protection, market stability, and transparency.

Firms using AI will likely be expected to demonstrate a higher level of operational transparency and accountability. Regulators are emphasizing the need for AI models to be explainable, governed by internal controls, and auditable in their outcomes.

Preparing for this shift may involve:

• Maintaining clear documentation of model assumptions, data inputs, and parameters
• Implementing governance frameworks for reviewing, validating, and updating models
• Enabling traceable decision-making through strong audit trails and version control
• Aligning internal policies to mitigate risks such as bias, data drift, or unintended outputs

This is not merely a theoretical exercise. Supervisory bodies in Europe and North America are increasingly examining the ethical and operational dimensions of AI in finance. Cross-functional collaboration—particularly between compliance, legal, data science, and IT—is becoming essential.

Confluence offers a solution designed to help asset managers strengthen their AI governance practices. Rex AI is a cloud-based platform designed to support transparency, auditability, and control.

With Rex AI, firms can:

• Leverage machine learning insights, providing visibility into model behavior
• Utilize explainable AI methods to assist in validating outputs and informing compliance review processes
• Access configuration tools and model documentation features that support internal governance and oversight
• Align analytics use with internal policies and emerging regulatory expectations

Rex AI has been developed with the needs of modern asset management teams in mind. It offers flexibility for investment analytics teams while supporting compliance functions seeking to navigate a changing regulatory landscape for AI.

As AI regulation evolves, Confluence continues to monitor developments closely and work with clients to help them respond to emerging expectations around model governance and auditability.

Want to learn more about how Rex AI can support responsible AI practices in your firm? Get in touch to explore a conversation with our team.

- Laurent Louvrier, VP of Product, Artificial Intelligence at Confluence

From shadow to spotlight: Regulating alternative assets in 2025

As alternative funds rise in popularity, regulation is catching up. Are you ready?

Alternative investments—private equity, real assets, hedge strategies, and private credit—have become essential in portfolio construction. Institutional investors are chasing yield, diversification, and downside protection. But as allocations to these asset classes increase, so too does scrutiny from global regulators.

In 2024 and beyond, alternative fund managers face a two-sided challenge: investor demand on one side, and an evolving regulatory burden on the other.

Alternative funds were historically subject to lighter regulatory scrutiny. That is now evolving.

Global and regional authorities are tightening their focus:

EU (AIFMD II): The revised Alternative Investment Fund Managers Directive (AIFMD II) introduces stricter transparency rules, liquidity risk management frameworks, and delegation controls—particularly affecting non-EU managers accessing European capital.

UK (post-Brexit FSMA updates): The UK is recalibrating fund regimes to retain competitiveness, including the introduction of the Long-Term Asset Fund (LTAF), with new disclosure and liquidity rules.

US (Private Fund Adviser Rules): The SEC’s new rules around private fund audits, fee transparency, and preferential treatment aim to level the playing field—but also increase operational complexity.

Global ESG Disclosure: For funds claiming ESG strategies, global mandates (e.g., SFDR in Europe, ESG Rule Proposals in the U.S., and APAC frameworks) require enhanced documentation, reporting, and substantiation of sustainability claims.

For alternative asset managers, compliance is increasingly viewed as a strategic differentiator.

Key operational challenges include:

Data aggregation: Alternatives often involve illiquid, manually-priced, or bespoke investments. Standardizing data for reporting (especially across jurisdictions) is complex.

Reporting templates: ESG, risk, and regulatory templates like EET (European ESG Template) or AIFMD Annex IV require specialized knowledge and system capabilities.

Cross-border complexity: Managers marketing across Europe, North America, and APAC must navigate inconsistent timelines, formats, and submission portals.

A new playbook for compliance leaders

To meet these challenges, leading firms are investing in purpose-built solutions:

Automation: Reducing manual processes for regulatory filing—especially for recurring reports like Annex IV or Form PF.

Integration: Integrated connections between portfolio management systems, data warehouses, and compliance tools designed to reduce friction.

Managed services: Leveraging expert partners for template population, jurisdictional monitoring, and filing submission can ease pressure on internal teams.

Alternative assets are only becoming more mainstream. With that comes a higher expectation of transparency, investor protection, and systemic risk oversight.

The opportunity lies in getting ahead, not just reacting to mandates but building a scalable regulatory infrastructure that evolves with the market.

Because in a world of complex rules and growing investor demands, operational confidence is your competitive edge.

SEC Cybersecurity Rule: Turning threats into a compliance priority

Cybersecurity is no longer solely the domain of IT—it's now a formalized regulatory obligation.

The SEC Cybersecurity Risk Management Rule (Cybersecurity Rule), which came into effect in 2024, introduced expectations for publicly traded companies and smaller reporting companies. The rule is designed to enhance transparency, preparedness, and response to cyber threats across these entities and offers clear direction to other registrants as to where the industry is heading. Aspects of the monitoring and notification requirements of this regulation were incorporated into the updates to Regulation S-P that registered investment advisors, broker-dealers, registered investment companies, funding portals and now transfer agents, must comply with by December 3, 2025 (June 3, 2026, for smaller entities).

Under the Cybersecurity Rule, firms are expected to:

• Develop and maintain written cybersecurity policies and procedures
• Perform annual cybersecurity risk assessments
• Report significant incidents to the SEC within four business days, where applicable

The regulation followed a string of cybersecurity incidents in the financial sector and reflects the SEC’s position that cybersecurity governance should be demonstrable and subject to regulatory oversight.

For entities subject to the regulation, this introduced a heightened level of accountability that extends beyond technical safeguards. Compliance teams are being drawn into new roles that involve:

• Coordinating with information security to ensure policies are documented and reviewed
• Supporting the incident response process with clearly defined regulatory triggers
• Maintaining accessible audit trails, logs, and compliance records

This shift increased the need for structured collaboration between compliance, IT, and legal teams. The ability to demonstrate that reasonable steps have been taken to manage and monitor cybersecurity risks has become an important factor in regulatory reviews. Several key enforcement actions occurred in 2024 and early 2025 highlighting the importance of accurate disclosure, timely reporting and controls around disclosure creation and compliance and legal review.

To support continued alignment with the rule’s intent and timelines, many firms are:

• Obtaining third-party mock exams to test adoption and execution of the Cybersecurity Rule and other regulatory requirements
• Enhancing incident escalation protocols with clearer regulatory thresholds
• Documenting cybersecurity readiness efforts, including training and policy updates
• Centralizing logs and reporting dashboards for compliance access
• Reviewing governance structures around cybersecurity oversight and accountability

From cybersecurity disclosures to AI accountability and accelerated settlement cycles, 2025 continues to test the limits of regulatory agility. Confluence helps asset managers, advisers, and administrators streamline their compliance and reporting practices—adapting to new rules with greater clarity and control.

Explore how Confluence Compliance Services and Mock Exams help your team navigate regulatory change with greater clarity and readiness.

Contact us to learn more.

Want to speak to a regulatory expert or see a demo of any solution mentioned here? Contact us to find out how Confluence can support your compliance goals this year.

#ExpectIt | #RegTech | #AssetManagementCompliance

- Kyrstin Ritsema, Executive Director - Compliance Services at Confluence

ESMA seeks feedback on retail investor experience to support simplification and burden reduction

The European Securities and Markets Authority (ESMA) has launched a Call for Evidence to gather views on the retail investor journey as part of its ongoing efforts to streamline regulation and reduce unnecessary burdens in EU capital markets. Open for input until 21 July 2025, this initiative aims to assess whether current rules facilitate or hinder retail investor participation and to explore how simplifications might improve engagement without compromising necessary investor protections.

ESMA’s consultation seeks feedback from a broad range of stakeholders, including consumer groups, investment firms, industry associations, and retail investors themselves. The authority is particularly interested in understanding how the current regulatory framework—especially under MiFID II—affects retail investors in practice. The consultation forms part of a wider review of the effectiveness and proportionality of investor protection measures in an evolving investment landscape.

1. Retail market trends and digital influences
   ESMA is examining how recent trends, such as the popularity of speculative products among younger investors and the growing influence of social media and online “finfluencers,” are shaping retail investment decisions. The authority is interested in whether these trends present new opportunities or risks for retail investors and how regulation might respond to the changing ways people access financial information.


2. Application of MiFID II requirements
   The Call for Evidence also focuses on the practical application of MiFID II requirements, including regulatory disclosures and the assessment of suitability and appropriateness. ESMA is seeking input on whether current disclosure requirements are clear and helpful, or if they may be too complex and potentially discourage investor engagement. The authority is also reviewing whether suitability and appropriateness assessments strike the right balance between protecting investors and ensuring accessibility, particularly as more investment activity moves to digital platforms.


3. Crowdfunding and alternative investment experiences
   Feedback is also sought on the investor experience under the European crowdfunding framework (ECSPR), which introduced specific protections such as risk warnings and investment limits. ESMA is interested in whether these measures are effective or if they may create additional challenges for retail investors seeking to participate in alternative investment opportunities.

A central theme of ESMA’s review is how to maintain appropriate levels of investor protection while also enabling informed risk-taking and greater participation in capital markets. The authority acknowledges that overly complex or burdensome requirements may discourage some individuals from investing, particularly those with less experience or confidence. ESMA is therefore exploring whether simplification and clearer communication could help improve the retail investor experience.

Stakeholders are invited to submit their feedback by 21 July 2025. ESMA will review the responses in cooperation with National Competent Authorities and may consider whether adjustments or clarifications to the regulatory framework are warranted. Potential outcomes could include revised disclosure formats, streamlined assessments, or enhanced digital tools and educational resources for investors.

ESMA’s Call for Evidence offers stakeholders an opportunity to contribute to the future direction of retail investor regulation in the EU. By gathering diverse perspectives, ESMA aims to ensure that the regulatory environment continues to support a confident, informed, and active retail investor base, while maintaining appropriate safeguards in a rapidly changing market.

For further details and to participate, interested parties can visit ESMA’s official website.

For firms who may be impacted by potential disclosure changes arising from this wider focus on retail investment, Confluence will be actively monitoring next steps to help align our disclosure production solutions (notably, PRIIPs KIDs) with the evolving framework. The proposed ‘PRIIPs modernization’ initiative falls within the perimeter of this wider retail investment strategy, where we anticipate a range of changes to be made to the existing PRIIPs KID disclosure framework. For now, we will keep our clients informed as this evolves and work to align our solution with any new requirements.

- Lewis Davison, Vice President of Product at Confluence

Disclaimer

The content provided by Confluence Technologies, Inc. is for general informational purposes only and does not constitute legal, regulatory, financial, investment, or other professional advice. It should not be relied upon as a substitute for specific advice tailored to particular circumstances. Recipients should seek guidance from appropriately qualified professionals before making any decisions based on this content.

Unless otherwise stated, Confluence Technologies, Inc. (or the relevant group entity) owns the copyright and all related intellectual property rights in this material, including but not limited to database rights, trademarks, registered trademarks, service marks, and logos.

No part of this content may be adapted, modified, reproduced, republished, uploaded, posted, broadcast, or transmitted to third parties for commercial purposes without prior written consent.

About Confluence