The manipulation of digital information is advancing rapidly and requires appropriate countermeasures.
The second edition of Sofia Compliance Forum 2026 will be held on 29 April - an all-day leadership forum focused on compliance as a management function. The event is organised by FIBank and PwC and will bring together managers at the highest level, leading international experts, representatives of regulatory institutions, and established names from business for practically oriented discussions and exchange of international know-how.
On this occasion, we talked to Michael Weis, Forensics & Anti-Financial Crime Leader at PwC Luxembourg, about the challenges facing compliance today, the difference between formal and effective control, and readiness for managing the inevitable risk.
Mr. Weis, why is it no longer sufficient for organisations in today's business environment just to comply with technical requirements? Where is the line between a “tick-box” on a checklist and genuine ethics in management?
The challenge we often face today is that the broader compliance requirements are becoming increasingly technical and formal. The complexity of the rules has been increasing for years, and their precise application requires ever more serious technical expertise. However, this also necessitates increasing specialisation of compliance teams. In the earlier days of compliance, the teams were smaller and consisted of more general specialists, while today expertise is growing, especially in large organisations.
In this detail-oriented world of compliance requirements, one must not forget to take a step back and look at the broader purpose of it.
Compliance is more than detailed checklists and technical requirements. The effectiveness of compliance is the ultimate goal and focus. What matters is the essence - the principles of why and what is to be achieved with compliance rules.
During the Sofia Compliance Forum 2026, you will analyse cases in which control systems existed but failed in practice. Without revealing too much, what is the most common reason for this - technological gaps or "the human factor"?
The answer is: it depends. Based on my experience, it’s usually a combination of factors, not just one reason. The well-known fraud triangle theory of Donald R. Cressey focuses on the human factor with opportunity, rationalisation, and pressure. But today it is supplemented by the aspect of capability, which also introduces more technical elements. Today the business environment is much more complex — with many stakeholders and a wide variety of rules that must be followed. This sometimes leads to over-complexity and the fact that the real purpose of controls and more precisely the effectiveness of controls is not sufficiently looked at.
We must be aware that technology is not a solution to all risks. It may be insufficiently used in prevention and control, but more importantly today, fraudsters also use technology to avoid or circumvent control mechanisms. Deepfakes or digital information manipulation are spreading rapidly and require appropriate countermeasures.
You mention that failures occur at the intersection of corporate culture and pressure. Can a strong corporate culture compensate for weaknesses in software monitoring systems?
There is an old saying attributed to Peter Drucker: "Culture eats strategy for breakfast." In essence, it means no matter how brilliant a strategy is, it will fail without a supporting organisational culture. Even though this is a taboo topic, it is true that the wrong environment, attitude, and, ultimately, culture within an organisation can be more harmful than anything else.
If the message from management suggests that compliance does not matter, even the best software systems will be limited in their effectiveness because, in the end, they are used, calibrated, and applied by people. On the other hand, relying solely on a strong corporate culture in today’s technology-driven world may be somewhat naive. Both aspects are important.
What does the difference between "formal" and "effective" control look like from the perspective of an expert in investigations with global experience?
Formal control is important, especially in regulated environments and complex situations. It is crucial to have a well-structured and organised system. It is a matter of a real audit, not just trust! Evidence and formal documentation form robust frameworks, but this is only the basis.
Today, almost all regulators and bodies such as AMLA or FATF increasingly focus on effectiveness. Because it is only this that counts. If the control is not working, meaning not being effective, it is useless. When building control frameworks, it is important to take this last step of verifying and testing whether the controls really work and whether they are effective.
If you had to point to one "warning sign" that management most often fails to notice before a crisis occurs, what would it be?
I would not point out a specific warning sign, but rather an attitude. The main problem is often some form of ignorance or, to put it diplomatically, a lack of awareness. People think: "What could happen? Maybe this is happening to others, but not to us." Maybe this is a bit of an exaggeration, but when we look at studies like PwC Economic Crime Surveys or ACFE Global Fraud Survey, it seems the matter is more when something will happen, not whether it will happen. I don’t want to fuel paranoia, but the correct awareness of risk and readiness for it should not be underestimated.
What is your key message to leaders who are concerned that stricter reporting requirements may slow down their business processes?
More compliance requirements are not beneficial to the business when they become just an additional effort. That is why my message to business leaders is to focus on the wider use of technologies when it comes to applying compliance requirements. This opinion is also shared by my colleagues at PwC, as the frequent and repetitive preparation of reports can be significantly accelerated and ease the work of compliance teams when appropriate technology is applied.
Sofia Compliance Forum 2026: What to Expect
Sofia Compliance Forum 2026 will take place on 29 April, with international lecturers and leading regional leaders from banking, technology, and industrial sectors. Among guest lecturers will be representatives from DSK Bank, Hiab, MBH Bank, Borika, Eurotrust, Lexis Nexis, MyPos, DBank, EOS, United Group, and many others.
This year, the event focuses on four main thematic blocks:
The attendees will listen to and take part in practically oriented, analytical, and even provocative discussions — at the management level, not just at a functional level.
The Sofia Compliance Forum 2026 is not only a platform for sharing good practices but also a driver of change in the corporate culture.
Birgit Goldak
Partner, Broader Assurance and AML Services, PwC Luxembourg
Tel: +352 49 48 48 5687
Cécile Moser
Partner, Broader Assurance and AML Services, PwC Luxembourg
Tel: +352 62133 56 17
Michael Weis
Advisory Partner, Forensics & Anti-Financial Crime Leader, PwC Luxembourg
Tel: +352 49 48 48 4153