When a bank is fined for misconduct, the press release follows a reliable script. The institution expresses regret. It announces new internal controls. It commits to a culture of compliance. Politicians cite the penalty as proof that the system works. And then, usually within a few years, something very similar happens again.

This is not a coincidence. It is a pattern. And it points to something more troubling than individual bad actors or under-resourced regulators. Across sectors — from finance to employment law — organisations routinely satisfy the letter of the law while resisting its spirit. The gap between formal compliance and substantive change is not a failure of enforcement design. It reflects deeper structural pressures that shape how regulation operates in practice.

Large organisations hire compliance officers, establish internal review processes, and document procedures meticulously, not primarily to change behaviour, but to demonstrate, if challenged, that they took the rules seriously. Some become adept at compliance theatre: immaculate paperwork, impressive policy manuals, and reform that rarely extends beyond the filing cabinet.

Shauhin Talesh’s research on U.S. insurance intermediaries shows how this works in practice: firms reframe anti-discrimination law around litigation risk, bulletproofing workplaces against legal challenge while leaving deeper inequalities untouched. The letter of the law is observed. Its spirit is quietly neutralised.

The problem is not confined to firms. Research on regulatory prosecutors in Brazil found that overstretched officials routinised standard workloads just to create space for more meaningful engagement. Organisational pressure had impacts beyond the regulated because it reshaped enforcement itself. The people responsible for holding firms accountable were operating under conditions that made accountability harder to deliver.

Regulators face their own structural constraints. They are often technically outgunned, dependent on data supplied by the very firms they oversee, or on industry experts whose careers are intertwined with the sector they evaluate. In complex industries like finance, oversight frequently relies on proxies — the status of an expert, the reputation of an institution — rather than independent verification of what is actually happening. Overlapping jurisdictions blur responsibility further, making it genuinely difficult to determine whether substantive objectives are being met, or just formally gestured at.

Deterrence models assume firms rationally calculate the costs and benefits of non-compliance. In reality, those calculations are shaped by uncertainty, limited knowledge, and resource constraints, on both sides. Even carefully designed enforcement strategies falter when regulators lack the expertise or access to detect violations comprehensively. And when violations are detected, the penalty is often calibrated to make headlines rather than change behaviour.

There is a subtler problem too, one that rarely surfaces in policy debates. James Kwak, writing about the 2008 financial crisis, identified what he called cultural capture: the process by which regulators who work closely with an industry over years — attending the same conferences, drawing on the same expert pools — gradually absorb its worldview. They begin to see industry objectives as aligned with the public interest rather than in tension with it. Oversight becomes negotiation. When regulatory expectations then clash with organisational culture, firms may deliver what scholars call “unnatural” compliance: outward conformity without meaningful change. By the time a serious violation occurs, the regulator may genuinely not have seen it coming, not because they were corrupt, but because proximity had quietly narrowed their field of vision.

· · ·

Some theorists have argued for more collaborative, iterative approaches — responsive regulation, meta-regulation — built on trust and dialogue rather than fixed penalties. The instinct is right. But it carries its own risk: that collaboration slides into capture, that engagement becomes co-option, that goodwill and information transparency, both of which can be strategically managed, end up serving the industry’s interests in the name of working with it.

Substantive compliance is difficult not because regulators fail to design effective enforcement mechanisms, but because organisations adapt to them. Information gaps, institutional incentives, and cultural pressures systematically constrain regulatory authority. The obstacle is not the rulebook. It is the relationship between the regulator and the regulated, and the organisational cultures on both sides that determine whether rules produce change or just paperwork.

Governments announce crackdowns. Regulators publish strategies. Companies issue commitments. The audience applauds.

The question worth asking is not whether the rules are strong enough. It is whether anyone involved — regulator, firm, or politician — has a genuine interest in finding out.