Written
The 20-Year Myth: Why Time Served Doesn't Make a Great Compliance Leader
Omas, A.
10 mins
I recently came across a statement that gave me pause. It argued that a credible Head of Financial Crime or MLRO takes fifteen to twenty years to develop, that this timeline is non-negotiable, and that the talent pool is finite and shrinking.
While I understand the sentiment behind it and the desire for seasoned, experienced leadership in a high-stakes field, I fundamentally disagree. This perspective is deterministic and misdiagnoses the problem and, in doing so, prescribes the wrong solution, perpetuating the very talent shortage it laments.
The real issues aren't about time served. They are about the nature of that experience, the immense pressure of personal liability, the broken compliance culture within many firms, and a systemic failure to properly invest in and protect the compliance function.
1. Experience is Not a Monolith
The idea that there is a 15-20 year barrier to entry for a senior compliance role is overly simplistic. It fails to account for the incredible diversity of our industry. Is one year of experience as a senior analyst at a 30-person crypto start-up, building a financial crime framework from the ground up, the same as one year in the same role at a global investment bank, managing a small cog in a vast, established machine? Of course not. To measure both with the same yardstick of "years" is to miss the point entirely.
2. The Myth of the Magic Number
There is no magic number of years that guarantees competence. This is precisely why regulators wisely avoid prescribing one. The UK's Financial Conduct Authority (FCA), for instance, mandates that firms ensure senior managers have the appropriate "fitness and propriety" under its Senior Managers & Certification Regime (SM&CR). The assessment, detailed in the FIT section of the FCA Handbook, focuses on competence and capability, not a crude calculation of time spent in a chair. To dismiss a brilliant candidate with 13 years of intense experience because of an arbitrary 15-year rule is a failure of risk management.
Crucially, this flawed logic also cuts the other way. Putting arbitrary numbers on experience without judging the substance of what a practitioner can offer is never useful and often leads to a subtle but pervasive form of ageism. There have been multiple instances where highly qualified, senior practitioners are dismissed as being "too qualified," especially for roles in nascent financial services domains like crypto or fintech. They are branded as "dinosaurs," unable to adapt, and their deep experience is viewed as a liability rather than an asset. This is just as damaging. Judging a candidate on the substance of their skills, their adaptability, and their strategic mindset is the only approach that makes sense, regardless of whether they have 8 years of experience or 28.
3. Career Velocity: Navigating the New Landscape of Modern Finance
This brings us to the concept of "career velocity": the rate at which a professional accumulates diverse, high-impact experience. This is where the argument for a fixed timeline completely falls apart, especially in the context of modern finance, which now encompasses everything from digital assets and cross-border fintechs to neo-banks.
Having had a varied career myself, I can speak to this personally. I’ve worked in retail consumer banking, a large investment bank, and in consultancy, serving a huge range of clients, from Fortune 500 companies, NBFIs and big commodity traders, right through to start-up payment companies and crypto firms. Each of these environments required a completely different way of working and a unique approach to risk and compliance.
The skills needed to design a compliance framework for a crypto exchange with 50 employees are fundamentally different from those needed to manage a thematic review at a Tier 1 bank. One demands rapid, pragmatic, tech-first solutions; the other requires deep institutional knowledge and the ability to navigate complex governance. Neither path is inherently superior, but they are profoundly different. To suggest that professionals from both worlds are on the same 20-year clock is to ignore the reality of our evolving industry.
4. The Accountability Hammer: Why Culture is a Survival Imperative
Perhaps the most significant factor the "20-year" argument misses is the crushing weight of personal liability now placed on senior compliance staff. This isn't a theoretical risk; it's a global regulatory standard.
The UK's Senior Managers & Certification Regime (SM&CR) places a "duty of responsibility" squarely on individuals. An MLRO can be held personally accountable if they cannot prove they took "reasonable steps" to prevent a breach. This is not a uniquely British phenomenon; similar accountability regimes exist or are emerging in Singapore (MAS), the UAE (DFSA/FSRA), South Africa (COFI Act), and are pursued through aggressive enforcement in the United States.
This global "accountability hammer" changes everything. It means that for a credible professional, accepting an MLRO role is a profound personal risk assessment. It makes a supportive, well-resourced, and psychologically safe culture a non-negotiable condition of employment. Why would anyone stake their career, their finances, and their reputation on a firm that refuses to provide adequate staffing, technology, and board-level support?
5. So, What is the Answer? A Shared Responsibility
The revolving door of senior compliance staff isn't a symptom of a skills shortage; it's a rational response to an untenable risk-reward calculation. The solution requires a shared responsibility.
Regulators must continue to push beyond box-ticking. As the FCA's COO stated in her "Culture is Contagious" speech, a firm's culture is a direct regulatory concern. The U.S. Treasury's 2024 "National Strategy for Combatting Illicit Financing" acknowledges that even government agencies can lack sufficient resources for supervision, highlighting how critical proper investment is at all levels.
Firms need a fundamental change in mindset. Compliance is not a cost centre; it is a strategic function that enables sustainable growth. The trend of using AI as an excuse to shrink compliance teams is the ultimate expression of this broken mindset. By failing to hire, train, and develop new talent, and by fostering cultures that burn out the experienced professionals we already have, we are creating our own crisis.
The talent pool isn't finite; we're just failing to cultivate it.
A Call to Action
This isn't an academic debate; it has real-world consequences for our industry's health and integrity. To truly solve the compliance talent challenge, we need action from all sides.
For Aspiring Compliance Leaders: Focus on the quality of your experience, not just the quantity. Seek out diverse challenges. If you're in a large institution, volunteer for cross-functional projects. If you're in a start-up, document your programme-building achievements meticulously. Build a portfolio of accomplishments that demonstrates your capability, not just your tenure. For all compliance professionals whether you’re in a traditional bank or a fintech, be open and embrace technology.
For Hiring Managers & HR: Rethink your job descriptions. Replace arbitrary "15+ years of experience" requirements with competency-based criteria. Ask candidates for evidence of how they have built, managed, or remediated compliance programmes. Test their judgment and strategic thinking, not just their memory of regulations. Widen your search to include talent from non-traditional backgrounds who have demonstrated the core skills of risk management and critical thinking.
For Boards & Senior Management: Recognise that culture is your most critical compliance control. The SM&CR and its global equivalents make you accountable for it. You must actively challenge the notion that compliance is a cost centre. Ask your CCO and MLRO: "Do you have the resources and the headcount to do your job effectively?" If the answer is anything but a confident "yes," you are failing in your duty of responsibility and exposing your firm, your compliance staff and yourselves to unacceptable risk.
