The State of Compliance in Financial Institutions Report by StrongDM

As financial organizations face intensifying regulatory scrutiny and relentless security threats, enterprise security teams must navigate a complex course to achieve an effective compliance blueprint. StrongDM’s latest survey of 1,000 IT, compliance, and security professionals at financial institutions and fintech firms reveals a telling picture: while confidence in compliance planning is high, operational challenges persist, especially around privileged access management and audit preparedness.

Summary of Key Findings

Audit Readiness & Confidence

• 88.4% are “very confident” in passing a surprise compliance audit.
• Only 0.2% reported lacking confidence.

Top Compliance Challenges

• Managing third-party access and tracking least privilege enforcement remain top concerns.
• GDPR and ISO 27001 are the most difficult regulations to manage.

Privileged Access Management Gaps

• 52% of teams manage 10–20 high-risk systems.
• 31% revoke access in hours; 38% do it instantly—yet 2.1% lack visibility into access status.

Audit Workload & Automation

• Nearly half (49.3%) spend 10–25 hours monthly preparing audit data.
• 45.2% have extensively automated compliance reporting.

Strategic Investment Areas

• 35.2% plan to invest in real-time audit log solutions.
• 25.1% will focus on compliance automation platforms.

Audit Readiness & Confidence

Confidence Runs High—But Can It Be Trusted?

Notably, 64% of financial services companies have received an identity-related audit citation in the past two years, according to SailPoint. That's a revealing contrast to the high level of self-reported confidence.

A striking 88.4% of respondents say they are "very confident" their organization would pass a surprise compliance audit. Only 0.2% expressed low confidence, and 0.3% admitted to having failed an audit in the past year.

But with 49.3% still spending over 10 hours a month preparing audit data—and just 45.2% having extensive compliance automation in place—the confidence might be more perception than performance. These numbers suggest a disconnect between perceived audit readiness and the operational strain compliance still places on teams.

As one respondent put it:

“If I could fix just one thing about our compliance program overnight, it would be to have fully automated and easily auditable evidence of policy enforcement across all our systems.”

Top Compliance Challenges

What Keeps Compliance Teams Up at Night?

When asked which regulation posed the biggest challenge, responses varied across a spectrum of global and industry-specific mandates:

• GDPR led the pack at 19.4%.
• ISO 27001/27002 followed closely at 18.2%.
• Other notable mentions: SOX (10.9%), GLBA (8.4%), and NYDFS (7.4%).

These findings indicate that global data privacy (GDPR) and structured control frameworks (ISO) are the most difficult to implement, likely due to their ongoing and comprehensive documentation requirements.

Respondents echoed this challenge in their comments:

“I would streamline documentation and reporting processes to reduce manual effort, improve accuracy, and ensure faster responses to regulatory audits and changes.”

“Improving real-time understanding and adaptation to evolving regulations and ethical standards would make the biggest difference.”

Privileged Access Management Gaps

Too Many Hands, Too Few Controls?

• 52% of organizations report employees accessing 10–20 systems requiring elevated privileges.
• 35.3% automate access with real-time logging, but 30.7% still rely on manual approval.
• 33.9% use role-based access with limited audit trails, leaving them exposed during investigations.

Perhaps the most revealing discovery from the survey: 2.1% of respondents say they have no visibility into how long it takes to revoke access after an employee exits or changes roles. This is a glaring vulnerability when it comes to insider threats and access sprawl.

One respondent candidly noted:

“It would be the length of time it requires to remove a user from the system. It takes hours and requires a lot of time wasting.”

Another added:

“Ability to authenticate users and control access quickly. Right now it takes too long to revoke access, including housing major IT security issues.”

Audit Workload & Automation

Compliance Still Eats Up Hours

Gathering data for audits and access reviews remains a time-intensive burden:

• 49.3% spend 10–25 hours per month on it.
• 17.7% report it consumes 25+ hours monthly.
• Only 4.8% spend fewer than five hours.

In terms of automation:

• 45.2% report extensive automation of compliance reporting.
• 46.3% have partially automated.
• 8.5% still rely mostly on manual efforts.

This mixed picture shows that while automation is increasingly becoming adopted, many teams remain bogged down in time-consuming, error-prone manual processes.

Survey responses offer a clear picture of this burden:

“Manual evidence is stressful.”

“Automate compliance tracking to reduce manual errors and save time.”

“Instead of it partially being automated, I would make it fully automated.”

Strategic Investment Areas

Where Compliance Budgets Are Headed

Over the next 12 months, financial organizations are prioritizing solutions that streamline and strengthen compliance:

• 35.2% are investing in real-time audit log solutions.
• 25.1% plan to purchase or expand compliance automation platforms.
• 23.8% are focusing on automated access controls.
• Smaller segments are investing in identity lifecycle management (8.9%) and third-party risk monitoring (7.0%).

These numbers reflect a growing appetite for tools that can not only satisfy regulatory requirements but also reduce manual workloads and improve security posture.

One respondent summarized the broader trend this way:

“If I could fix one thing, it’d be automating compliance processes to save time and reduce errors.”

The Big Picture

Managing third-party access (35%), tracking least privilege (24.2%), and producing audit logs (23.1%) are still the biggest pain points. Despite widespread confidence in audit readiness, many organizations are still playing catch-up when it comes to automating access and proving compliance on demand.

As one participant insightfully put it:

“I would automate and streamline the access review process to ensure we can track and enforce least privilege across all systems without manual intervention. This would save time, reduce errors, and improve overall compliance efficiency.”

Methodology

StrongDM surveyed 1,000 US-based professionals working in compliance, security, and IT infrastructure at financial institutions and fintech companies in May 2025. The survey was completed online via Pollfish, and responses were random, voluntary, and completely anonymous.

About StrongDM

StrongDM's unified platform simplifies the path to continuous compliance—automating privileged access management, real-time logging, and audit reporting in one identity-first interface.