Tawakalit Ibiyeye speaks on RegTech, AI Governance and Inclusive Banking
The compliance strategist in this exclusive with Tosin Clegg explains why banks, fintechs and public institutions must modernise compliance without sacrificing trust, inclusion or human judgment.
Your recent RegTech article has attracted attention because it does not present technology as a magic solution. What was the central message?
Ibiyeye: The central message is that compliance cannot be modernised by buying software alone. A tool can help, but a tool cannot decide who owns a control, whether the data are reliable, whether an automated alert is fair, or whether a regulator can trace the decision later. In that article, we argued that readiness must come before automation. If a bank has poor data, unclear ownership and weak audit trails, AI may simply make those weaknesses faster and harder to see. My approach is to move compliance from paper to proof. By proof, I mean documented controls, named owners, traceable evidence, human review and a clear explanation of why a decision was made.
Why should this matter to Nigeria’s financial sector now?
Ibiyeye: Nigeria is one of the most dynamic financial markets in Africa. We have strong banks, fast-growing fintechs, mobile-first customers, cross-border flows, digital wallets, payments innovation and a young population that expects speed. But speed without trust is dangerous. If fraud grows, if customers are wrongly excluded, if KYC records are weak, if data privacy is not respected, or if AI outputs cannot be explained, the system loses credibility. Nigeria needs RegTech not because technology is fashionable, but because the financial system must be able to scale safely. Compliance should not be treated as a brake on innovation. Done properly, it is what allows innovation to survive regulatory scrutiny and public trust.
You often speak about ‘inclusive compliance’. What does that mean in practical terms?
Ibiyeye: It means we should not build compliance systems that protect institutions by shutting out people who need financial services. A rural customer, a small trader, a young entrepreneur, or a customer with an unusual transaction pattern should not automatically be treated as suspicious because a system does not understand their context. Inclusive compliance means the bank still applies AML, fraud, consumer protection and cybersecurity controls, but it also provides human review, plain-language explanations, appeal routes and staff who understand the communities they serve. The question is not compliance or inclusion. The question is how to build controls that make inclusion safer.
What specific problem does your RegTech Compliance Automation Framework seek to solve?
Ibiyeye: The framework is designed to solve the gap between regulation and execution. Many institutions know the regulation. They have policies. They may even have dashboards. But when an auditor or regulator asks, ‘Show me the control, show me the evidence, show me who reviewed it, show me the exception, show me the remediation,’ the response is often scattered across emails, spreadsheets and shared folders. My framework brings four pieces together: a compliance gap diagnostic tool, an AI-enabled monitoring architecture, a regulatory reporting automation module and a training curriculum for compliance staff. The goal is to help institutions know where the gaps are, monitor them continuously, generate examination-ready evidence and build the staff capability to sustain the system.
You speak often about frameworks and control design. How should organisations rethink their SOPs and internal frameworks in the age of AI?
Ibiyeye: Many organisations still operate with legacy compliance and operational frameworks that were designed for paper processes, manual approvals and slower business environments. Those frameworks served a purpose, but they are increasingly inefficient when institutions rely on digital banking, automated workflows and AI-supported decision-making. AI changes not only the technology environment but also the speed and complexity of risk. That means SOPs and governance frameworks cannot remain static. They must evolve from document-based procedures into living control systems that reflect how work is actually performed.
What makes legacy SOPs ineffective in an AI-driven environment?
Ibiyeye: The challenge is not that legacy SOPs are completely wrong. The problem is that many assume linear workflows, manual review and limited data interaction. AI systems do not operate that way. An automated onboarding process, fraud model or compliance-monitoring tool may trigger decisions continuously and across multiple systems. If the SOP still assumes a paper escalation process or unclear approval hierarchy, gaps emerge. You begin to see delays, duplicate work, accountability problems and weak audit evidence. In some cases, staff rely on informal workarounds because the written framework no longer reflects operational reality. That creates control risk.
So updating SOPs is more than a documentation exercise?
Ibiyeye: Absolutely. Updating SOPs is really about governance redesign. Organisations should ask: does this procedure reflect how decisions are made today? Does it identify where AI or automation is involved? Who validates outputs? Who approves overrides? What evidence is retained? How are errors escalated and corrected? Those questions move SOPs from administrative paperwork to operational governance. A framework should guide behaviour, support accountability and make testing possible.
What should an AI-ready framework include that older frameworks often miss?
Ibiyeye: AI-ready frameworks should include several things that traditional models often overlooked. First, clear ownership of automated controls and model oversight. Second, defined human-review points and override authority. Third, data-quality and validation standards because poor data produces unreliable outcomes. Fourth, logging and evidence requirements so that decisions can be traced later. Fifth, regular review cycles because AI systems and risks evolve. Older frameworks were sometimes written once and left untouched for years. That approach is no longer sustainable.
What practical first step should organisations take if they realise their SOPs are outdated?
Ibiyeye: Begin with a framework review rather than a technology purchase. Map your existing SOPs against current operations and identify where practice has drifted from policy. In many organisations, staff are already working around outdated procedures simply to keep operations moving. That gap between written policy and operational reality is where risk grows. Once the gaps are visible, institutions can redesign procedures, assign ownership, strengthen escalation pathways and align the framework with how digital and AI-supported work is actually performed. Modernisation works best when governance evolves alongside technology rather than trying to catch up afterward.
Can you explain the compliance gap diagnostic in simple terms?
Ibiyeye: It is a structured way of asking: what rule applies, what control responds to that rule, who owns the control, what evidence proves the control worked, and what happens when it fails? For example, if the obligation relates to KYC refresh, the institution should identify the customer segments affected, the data required, the review timeline, the responsible team, the system trigger, the escalation route, the exception log and the remediation evidence. Once that map is visible, management can prioritise. Not every gap carries the same risk. A good diagnostic helps an institution focus on the gaps that could create enforcement exposure, fraud risk, consumer harm, or audit failure.
You are also a public-sector internal auditor in the United States. How does that experience connect to financial compliance?
Ibiyeye: Internal audit principles travel across sectors. Whether the setting is a bank, a fintech, a public agency or an investment firm, the core questions are similar: are controls properly designed, are they operating effectively, is the evidence reliable, are exceptions resolved, and is management accountable? My current work strengthens the public-sector side of my practice because it requires risk-based audit planning, testing of financial, administrative, operational and technology controls, review of laws and rules, and clear reporting of findings. I do not discuss confidential agency matters, but the discipline of audit evidence, internal control and accountability is directly relevant to banks and regulated institutions.
What would you tell a Nigerian bank that wants to use AI for compliance but does not know where to start?
Ibiyeye: Start with one high-risk, evidence-heavy process. Do not start with a grand AI project. Pick a process such as overdue KYC reviews, suspicious transaction escalation, sanctions-screening exceptions, vendor due diligence, cyber incident reporting, complaints tracking, or regulatory filing evidence. First map the obligation to the control. Then clean the data. Then assign owners. Then design the audit trail. Then pilot the automation with human review. Only after that should the institution consider more advanced AI. In my experience, the best early wins come from making existing controls visible, owned and auditable.







