The State of Compliance in Financial Institutions Report by StrongDM

As financial organizations face intensifying regulatory scrutiny and relentless security threats, enterprise security teams must navigate a complex course to achieve an effective compliance blueprint. StrongDM’s latest survey of 1,000 IT, compliance, and security professionals at financial institutions and fintech firms reveals a telling picture: while confidence in compliance planning is high, operational challenges persist, especially around privileged access management and audit preparedness.

Summary of Key Findings

Audit Readiness & Confidence

  • 88.4% are “very confident” in passing a surprise compliance audit.
  • Only 0.2% reported lacking confidence.

Top Compliance Challenges

  • Managing third-party access and tracking least privilege enforcement remain top concerns.
  • GDPR and ISO 27001 are the frameworks respondents find hardest to manage.

Privileged Access Management Gaps

  • 52% of teams manage 10–20 high-risk systems.
  • 31% revoke access in hours; 38% do it instantly—yet 2.1% lack visibility into access status.

Audit Workload & Automation

  • Nearly half (49.3%) spend 10–25 hours monthly preparing audit data.
  • 45.2% have extensively automated compliance reporting.

Strategic Investment Areas

  • 35.2% plan to invest in real-time audit log solutions.
  • 25.1% will focus on compliance automation platforms.

Audit Readiness & Confidence

Confidence Runs High—But Can It Be Trusted?


A striking 88.4% of respondents say they are "very confident" their organization would pass a surprise compliance audit. Only 0.2% expressed low confidence, and 0.3% admitted to having failed an audit in the past year.

Set that against an outside data point: according to SailPoint, 64% of financial services companies have received an identity-related audit citation in the past two years. The gap between that figure and the self-reported confidence is telling.

But with 49.3% still spending 10 to 25 hours a month preparing audit data (and a further 17.7% spending more than 25 hours), and just 45.2% having extensive compliance automation in place, the confidence may be more perception than performance. These numbers suggest a disconnect between perceived audit readiness and the operational strain compliance still places on teams.

As one respondent put it:

“If I could fix just one thing about our compliance program overnight, it would be to have fully automated and easily auditable evidence of policy enforcement across all our systems.”

Top Compliance Challenges

What Keeps Compliance Teams Up at Night?

When asked which regulation posed the biggest challenge, responses varied across a spectrum of global and industry-specific mandates:

  • GDPR led the pack at 19.4%.
  • ISO 27001/27002 followed closely at 18.2%.
  • Other notable mentions: SOX (10.9%), GLBA (8.4%), and NYDFS (7.4%).

These findings indicate that a global data privacy regulation (GDPR) and a structured control framework (ISO 27001/27002) are the mandates respondents find hardest to manage, most likely because both demand continuous, comprehensive documentation rather than a one-time attestation.

Respondents echoed this challenge in their comments:

“I would streamline documentation and reporting processes to reduce manual effort, improve accuracy, and ensure faster responses to regulatory audits and changes.”

“Improving real-time understanding and adaptation to evolving regulations and ethical standards would make the biggest difference.”

Privileged Access Management Gaps

Too Many Hands, Too Few Controls?


  • 52% of organizations report employees accessing 10–20 systems requiring elevated privileges.
  • 35.3% automate access with real-time logging, but 30.7% still rely on manual approval.
  • 33.9% use role-based access with limited audit trails, leaving them short of evidence when an investigation asks who accessed what, and when.

Perhaps the most revealing discovery from the survey: 2.1% of respondents say they have no visibility into how long it takes to revoke access after an employee exits or changes roles. An organization that cannot measure its revocation latency also cannot know which former employees or role-changers still hold privileged credentials, which is precisely the gap that insider threats and access sprawl exploit.
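The visibility gap described above is measurable if HR offboarding events are joined with the identity provider's or PAM system's access-change log. The following script is an added example, not StrongDM code or anything from the survey: it computes, per departed or re-assigned user, how long privileged access lingered after the HR trigger, lists grants that were never revoked, and flags sessions opened after the trigger. The event schema (user, action, resource, at) and the latency thresholds used for the "instant", "hours" and "days" buckets are assumptions; all event data is constructed.

```python
"""Revocation-latency report: an added example, not StrongDM code.

Joins HR offboarding / role-change events with identity-provider (or PAM)
access-change logs to answer the question the survey says 2.1% of teams
cannot: how long did each departed or re-assigned user keep privileged
access, and who still has it? All event data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed HR events: the trigger that should start the revocation clock.
HR_EVENTS = [
    {"user": "alice", "event": "terminated",  "at": "2025-05-01T09:00:00Z"},
    {"user": "bob",   "event": "role_change", "at": "2025-05-02T14:30:00Z"},
    {"user": "carol", "event": "terminated",  "at": "2025-05-03T17:00:00Z"},
]

# Constructed access-change log (hypothetical schema: user, action, resource, at).
ACCESS_EVENTS = [
    {"user": "alice", "action": "grant",  "resource": "prod-db",      "at": "2025-04-01T10:00:00Z"},
    {"user": "alice", "action": "grant",  "resource": "k8s-admin",    "at": "2025-04-10T10:00:00Z"},
    {"user": "alice", "action": "revoke", "resource": "prod-db",      "at": "2025-05-01T09:04:00Z"},
    {"user": "alice", "action": "revoke", "resource": "k8s-admin",    "at": "2025-05-01T11:40:00Z"},
    {"user": "bob",   "action": "grant",  "resource": "payments-api", "at": "2025-03-15T10:00:00Z"},
    {"user": "bob",   "action": "grant",  "resource": "reporting-ro", "at": "2025-05-02T15:00:00Z"},
    {"user": "bob",   "action": "revoke", "resource": "payments-api", "at": "2025-05-04T08:00:00Z"},
    {"user": "carol", "action": "grant",  "resource": "prod-db",      "at": "2025-04-01T10:00:00Z"},
    # carol: no revoke ever logged, and a session opened after termination
    {"user": "carol", "action": "session_start", "resource": "prod-db", "at": "2025-05-05T02:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class RevocationReport:
    user: str
    trigger: str
    trigger_at: datetime
    revoked_within: Optional[timedelta]  # None while any pre-trigger grant is still held
    outstanding: list = field(default_factory=list)            # resources never revoked
    post_trigger_sessions: list = field(default_factory=list)  # (resource, at) after trigger


def revocation_report(hr_events, access_events):
    by_user = defaultdict(list)
    for e in access_events:
        by_user[e["user"]].append(e)

    reports = []
    for hr in hr_events:
        t0 = parse_ts(hr["at"])
        held = {}        # resource -> grant time, for grants active at t0
        revoked_at = {}  # resource -> first revoke at/after t0
        sessions = []
        for e in sorted(by_user[hr["user"]], key=lambda e: parse_ts(e["at"])):
            t, r = parse_ts(e["at"]), e["resource"]
            if e["action"] == "grant" and t <= t0:
                held[r] = t                      # pre-existing access that must be removed
            elif e["action"] == "revoke":
                if t < t0:
                    held.pop(r, None)            # already gone before the trigger
                elif r in held and r not in revoked_at:
                    revoked_at[r] = t
            elif e["action"] == "session_start" and t > t0:
                sessions.append((r, e["at"]))    # use after the trigger: an incident, not a metric
        outstanding = sorted(r for r in held if r not in revoked_at)
        if outstanding:
            within = None
        elif revoked_at:
            within = max(revoked_at.values()) - t0  # the clock stops at the LAST revoke
        else:
            within = timedelta(0)                   # nothing privileged to revoke
        reports.append(RevocationReport(hr["user"], hr["event"], t0, within, outstanding, sessions))
    return reports


def bucket(report: RevocationReport) -> str:
    """Map latency to survey-style answer categories (thresholds are assumptions)."""
    if report.revoked_within is None:
        return "unrevoked"
    if report.revoked_within <= timedelta(minutes=15):
        return "instant"
    if report.revoked_within <= timedelta(hours=24):
        return "hours"
    return "days"


if __name__ == "__main__":
    for rep in revocation_report(HR_EVENTS, ACCESS_EVENTS):
        print(f"{rep.user:6} {rep.trigger:12} {bucket(rep):10} "
              f"outstanding={rep.outstanding} post_trigger_sessions={rep.post_trigger_sessions}")
```

Two design points matter in practice. The clock stops at the last revocation, not the first, because a user who loses one of three privileged grants within minutes but keeps the other two for a day has a one-day latency. And a session opened after the HR trigger is reported separately from the latency metric: it is evidence that stale access was actually used, which is an incident to investigate rather than a number to trend.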

One respondent candidly noted:

“It would be the length of time it requires to remove a user from the system. It takes hours and requires a lot of time wasting.”

Another added:

“Ability to authenticate users and control access quickly. Right now it takes too long to revoke access, including housing major IT security issues.”

Audit Workload & Automation

Compliance Still Eats Up Hours

Gathering data for audits and access reviews remains a time-intensive burden:

  • 49.3% spend 10–25 hours per month on it.
  • 17.7% report it consumes 25+ hours monthly.
  • Only 4.8% spend fewer than five hours.

In terms of automation:

  • 45.2% report extensive automation of compliance reporting.
  • 46.3% have partially automated.
  • 8.5% still rely mostly on manual efforts.

This mixed picture shows that while automation is increasingly adopted, many teams remain bogged down in time-consuming, error-prone manual processes.

Survey responses offer a clear picture of this burden:

“Manual evidence is stressful.”

“Automate compliance tracking to reduce manual errors and save time.”

“Instead of it partially being automated, I would make it fully automated.”

Strategic Investment Areas

Where Compliance Budgets Are Headed

Over the next 12 months, financial organizations are prioritizing solutions that streamline and strengthen compliance:

  • 35.2% are investing in real-time audit log solutions.
  • 25.1% plan to purchase or expand compliance automation platforms.
  • 23.8% are focusing on automated access controls.
  • Smaller segments are investing in identity lifecycle management (8.9%) and third-party risk monitoring (7.0%).

These numbers reflect a growing appetite for tools that can not only satisfy regulatory requirements but also reduce manual workloads and improve security posture.

One respondent summarized the broader trend this way:

“If I could fix one thing, it’d be automating compliance processes to save time and reduce errors.”

The Big Picture

Managing third-party access (35%), tracking least privilege (24.2%), and producing audit logs (23.1%) are still the biggest pain points. Despite widespread confidence in audit readiness, many organizations are still playing catch-up when it comes to automating access and proving compliance on demand.

As one participant insightfully put it:

“I would automate and streamline the access review process to ensure we can track and enforce least privilege across all systems without manual intervention. This would save time, reduce errors, and improve overall compliance efficiency.”

Methodology

StrongDM surveyed 1,000 US-based professionals working in compliance, security, and IT infrastructure at financial institutions and fintech companies in May 2025. The survey was completed online via Pollfish, and responses were random, voluntary, and completely anonymous.

About StrongDM

StrongDM's unified platform simplifies the path to continuous compliance—automating privileged access management, real-time logging, and audit reporting in one identity-first interface.

About the Author

John Martinez, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.
