The Regulator Knows

There’s a cynical reading of banking governance: it’s all theatre. The weekly monitoring reports nobody reads. The risk frameworks that grow thicker after every audit. The metrics that proxy for proxies of things nobody can actually measure. Everyone performs diligence and nobody catches the bad guys.

The cynical reading is half right. But it misses something important: the regulator knows.

The HKMA knows that banks can’t measure their true AML miss rate. They know that STR filing rates reflect process decisions, not criminal detection. They know that a model scoring alerts by historical labels is predicting what analysts did, not what reality is. They’ve been doing this longer than any of us.

So why do they require the monitoring, the frameworks, the quarterly governance packs?

Not because they believe these controls catch criminals. Because they believe — correctly — that the alternative is worse. If you tell a bank “monitor whatever you think matters,” some banks will monitor rigorously and some will monitor nothing. The framework requirement creates a floor of attention. It’s not the optimal level for any individual bank, but it’s better than no floor at all.

This is a social contract, not a delusion. Both sides understand the terms:

  • The bank’s side: We will show reasonable process. We will define criteria upfront, monitor consistently, act on breaches, and document everything. We will generate an audit trail that proves we were paying attention.
  • The regulator’s side: We will accept reasonable process as sufficient. We will not pretend you catch every criminal. We will audit the process, not the outcome — because the outcome is unknowable and holding you to unknowable standards would paralyse the system.

The contract breaks down in one direction only: when the bank’s process is so obviously inadequate that the regulator can’t credibly defend having accepted it. That’s the real line. Not “did you catch the bad guy?” but “given what you knew, was your process defensible?”

This framing changes how you think about governance design. You’re not building a detection system. You’re not even building a monitoring system. You’re building a defensibility system — one that generates evidence of reasonable attention, consistently, over time.

And the regulator is your co-author, not your adversary. They want the system to work too. Their nightmare isn’t a bank that misses a criminal — that’s inevitable. Their nightmare is a bank that misses a criminal and can’t show it was trying. Because then the regulator has to explain to legislators why they approved the bank’s process. The social contract collapses upward.

This is why governance theatre persists even when both sides know it’s partly theatre. The theatre creates a rhythm of attention. The rhythm occasionally catches something real. And even when it doesn’t, it provides the institutional cover that lets both sides continue operating in the face of irreducible uncertainty.

The most useful people in this system aren’t the ones who expose the theatre — that’s easy and changes nothing. They’re the ones who know which parts of the theatre are load-bearing and which are decoration, and who can make the load-bearing parts sharper without dismantling the whole stage.

Related: Every Control Has an Attention Budget · Governance Is a Tax · AI Governance: Routing vs Compliance · Backtest vs Operational Validation