
For the Last Time: Compliance and Legal Are Not the Same

Writer: Razin Nizar
Credits: NamuWiki, Resonate, and RadioTimes.com

One of the biggest and most common mistakes companies make is thinking compliance and legal are the same thing. As someone with an academic and professional background in both fields, I can confidently say that they are not.


This confusion likely stems from the flawed assumption that because compliance deals with laws and regulations, having a legal background alone is enough. Compliance is not just about knowing the law; it is about proactively identifying, assessing, and managing compliance risks. To be clear, this is not about comparing which field is better. This is about clearly stating the facts: compliance and legal are two completely distinct professions, each with its own unique value to the business, ways of operating, and scope of responsibilities.


Let’s Break it Down Using Squid Game as an Analogy


(Spoiler Alert: Contains references to Squid Game Season)

In Squid Game Season 2, during the ‘Red Light, Green Light’ round, Gi-Hun, having survived Season 1, had a full understanding of both the rules and the risks. He recognised that the rule was outcome-based. The goal was simple: avoid detection by Young-Hee (the robotic doll) to proceed to the next round - that’s the required outcome. The risk? Gi-Hun understood that non-compliance meant death.

By understanding both the principle behind the rule and the risks of non-compliance, Gi-Hun introduced practical solutions to improve the players’ chances of survival:


  • He explained the rules and the risks involved to all participants;

  • He positioned himself strategically (e.g., covering his mouth, turning his back to the doll) without compromising the rules of the game so he could give instructions without being detected.

  • He introduced a simple but effective control measure: instructing players to stand in a line, ideally behind someone larger, to reduce exposure to the doll’s detection.


What Gi-Hun did reflects the compliance function in action: understanding the rules, identifying non-compliance risks, and recommending practical, risk-based controls. The result? Better survival rates compared to Season 1, all without compromising the integrity of the rules.


Now, compare this with the Front Man. The Front Man’s duty was not to protect the players or to help them understand how to survive the games. His job was to protect the game itself and its creators, to the best of his capacity. When Jun-ho, the undercover cop, infiltrated the island, the Front Man’s role was to manage an external intrusion that threatened the secrecy and survival of the games. In a corporate setting, legal’s role is to manage external risks such as lawsuits or official investigations, ensuring the company responds appropriately within the boundaries of the law.


What the Front Man did is the essence of legal: to defend the organisation and the game from internal and external threats. The result? Despite multiple attempts from both internal and external threats, the game still continues.

Of course, the Squid Game analogy is purely for entertainment and is an oversimplification of the two functions. There is no intention to villainise or glorify either role. Instead, the analogy helps to illustrate the core essence of the compliance and legal functions.


For a more precise explanation of how these functions truly operate, please continue reading below.


Why Should You Care?


Because not knowing the difference can be very costly.


Cost #1 Heightened Risks of Regulatory Failures


Credit: 9GAG

Legal defends the company from external threats like lawsuits and investigations. Compliance focuses on identifying internal risks, escalating them independently, and designing controls to prevent breaches before regulators step in. When these roles blur, conflicts of interest arise, weakening compliance independence, which regulators see as a serious governance failure.


For example, after a non-compliance incident, legal's priority is likely to minimise legal liability, often by sanitising the report. Compliance, on the other hand, focuses on transparent reporting, breach assessment, and recommending risk-mitigating measures.


Some companies think sanitising helps. But regulators prefer proactive risk mitigation over cosmetic fixes. With the right approach, transparency reduces penalties, while downplaying issues often backfires. Just look at Westpac’s 2019 money laundering scandal: AUSTRAC imposed a record AUD1.3 billion fine, partly due to Westpac’s failure to properly disclose and escalate critical compliance gaps, coupled with evidence that the AML issues were downplayed. Regulators do not expect perfection; they expect you to proactively detect, escalate, report, and fix risks.


Another case is Tenet Healthcare (2007), where Christi Sulzbach wore both General Counsel and Chief Compliance Officer hats. Holding both roles was not the issue. The real failure was not being able to separate legal defence from compliance transparency when it mattered most. Legal concerns overrode compliance duties, leading to a USD900 million False Claims Act settlement: a clear example of why failing to respect the boundary between the two functions creates serious governance risks.

Failing to separate legal and compliance does not just weaken governance. It distorts priorities, hides real risks, and increases the risk of mishandling issues, which in turn increases the likelihood of non-compliance.


Cost #2 Operational Bottlenecks


Cat and Woman Arguing Meme

Legal teams handle interpretation, legal advisory work, and disputes. They are not typically tasked with monitoring controls, testing processes, or embedding compliance into operations. When compliance work is handled by legal teams, or vice versa, it fundamentally undermines effectiveness, as the two functions require distinct expertise and approaches to manage their respective risks. Legal’s role is to protect the company by interpreting laws and minimising liability; therefore, it naturally aims for controls that meet only the legal minimum. Compliance, however, focuses on managing actual regulatory risks, factoring in risk assessments, industry practices, and evolving regulatory expectations.


A hypothetical example: sanctions screening rules say, “Screen existing, potential, or new customers.” Legal, interpreting the wording strictly, would likely recommend the bare minimum screening frequency for existing customers (e.g. annual screening) to avoid unnecessary cost, since the law does not specify the frequency. Compliance, however, assesses actual risk exposure and recommends a screening frequency proportionate to that risk: the higher the risk, the more frequent the screening. Even if the law is silent, controls must match the real risk, not just the wording.


Disagreements can arise when compliance responsibilities are shifted to legal teams, leading to inefficiencies and wasted resources, as both functions are stretched. Decisions stall, risks grow, and no one wins; not legal, not compliance, not the business.


Cost #3 Burning Budget on the Wrong Fit


Credit: Imgflip

When companies confuse legal with compliance, they often hire legal practitioners to solve compliance problems, assuming compliance is just about laws.


But legal practitioners are trained to interpret laws, draft documents, and defend legal positions, not to design practical, risk-based compliance frameworks that fit daily operations. This leads to companies paying premium legal fees for theoretical advice or templates that do not work in practice, then spending even more to fix operational gaps. Worse, the actual compliance problem remains unsolved, only to surface later, often as an audit finding, when it’s already too late.


Compliance is not just knowing the law. It’s about embedding controls into processes and adapting them to real risks and regulatory expectations. That’s why hiring the right expertise matters.


What’s the Difference Between Compliance and Legal?


Now that you know why this matters, let’s break down the core differences.


Fact #1 Different Goals


The White Lotus Season 2 Meme

No, despite the archaic belief, compliance is not here to 'murder' your organisation - that’s the auditor’s job (just kidding!). Compliance’s primary role is to independently identify, assess, and monitor compliance risks, then recommend controls proportionate to the risks and regulatory expectations, staying ahead of issues and working within the spirit, not just the letter, of the law.


To put that into context, if compliance detects a risk that could seriously threaten your organisation, compliance is expected to recommend controls to manage it, even if no specific regulation addresses that risk (yet). For example, if a new type of cyber attack emerges and regulations have not yet addressed it, it is compliance’s responsibility to assess the risk and establish measures to address it, because compliance’s role is to manage compliance risks, whether or not they are explicitly covered by existing regulations.


On the other hand, legal’s primary goal is to protect the company from legal risks such as lawsuits, liability, contractual disputes, or regulatory penalties. Legal is defensive by nature, acting as a shield between the company and external threats.


Despite having different goals, both compliance and legal ultimately aim to serve your best interests, albeit in different ways.


Fact #2 Different Methodologies



Legal works by interpreting the law - analysing statutes, contracts, and case law to form legal opinions or defend the company’s position. Legal also plays a critical role in ensuring contracts are enforceable, protecting intellectual property, managing disputes, and advising the business on legal risks related to new products, partnerships, and market expansion.


Guided by the *Basel Committee on Banking Supervision's principles, compliance works by assessing risks, building controls, and monitoring their effectiveness. This requires tools and methodologies that go far beyond legal interpretation, such as:


  • Risk assessments

  • Control testing and monitoring

  • Independent reporting to the Board / Committee

  • Direct engagement with regulators


These processes are not taught in law school. A law degree does not prepare someone to design compliance controls, conduct financial crime risk assessments, or monitor compliance risks in real time. Similarly, legal skills are not fully covered in compliance training. While compliance programs may include case law in their curriculum, they do not train a compliance professional to become a legal practitioner.


*A legal practitioner may argue these principles only apply to banking. Sure, but more sectors, including digital assets, have adopted them because they enhance governance, improve risk management, and foster stronger regulatory relationships. It’s always smarter to adopt proven standards early, rather than wait until regulators force your hand.


Fact #3 Different Scope of Responsibilities


Credit: Imgflip

Lawyers are not trained to think like compliance risk managers. Legal training focuses on:

  • Understanding laws and legal precedent

  • Drafting contracts

  • Managing disputes and litigation


Similarly, compliance officers are not trained like legal officers. Compliance training focuses on:

  • Identifying and assessing compliance risks

  • Building and testing internal controls

  • Liaising directly with regulators

  • Ensuring day-to-day operations align with regulatory expectations


Of course, these lists are not exhaustive. Both functions cover far more in practice. Still, the difference is significant; expecting legal to cover compliance is like asking an architect to run building inspections. Both work in construction, but their skills serve different purposes.

That said, this does not mean a person cannot build expertise in both. To do so, they need to invest in proper qualifications, hands-on experience, and the right mindset for each role.


What Should Companies Do?



First, separate the functions. In mature organisations, compliance reports directly to the Board or a Board-level Risk or Compliance Committee. This is already mandatory in many highly regulated sectors. This ensures compliance can escalate risks independently, without being blocked by legal’s defensive instinct. Legal, meanwhile, reports to the General Counsel or CEO to focus on protecting the company’s legal position. If your organisation is too small to split the roles, do not just merge them blindly. Instead, hire someone with formal credentials in both compliance and legal, who understands how to switch roles consciously and ethically.


Second, educate senior management and the Board. Many governance failures happen because leadership does not understand the difference between legal and compliance. They assume one can cover both or view compliance independence as unnecessary red tape. This mindset is outdated and risky. Regulators expect compliance to operate independently, and that’s a basic governance requirement.


Third, get your hiring and outsourcing right. Need compliance expertise? Hire compliance professionals. If you engage a law firm for compliance work, ask this: do they have dedicated compliance experts with hands-on operational experience, or just lawyers who “advise on compliance”? Hiring legal professionals for compliance tasks can be costly if they lack the right expertise. If you want someone to handle both legal and compliance effectively, invest in proper training. Formal qualifications like those from the International Compliance Association (ICA) are essential. While a legal background is invaluable, becoming a compliance professional requires specialised knowledge and experience in managing regulatory risks and building operational controls. I know this first-hand, as I only earned the right to call myself a compliance practitioner after completing compliance qualifications and gaining hands-on experience.


Conclusion


Confusing compliance with legal is not a semantic debate; it’s a governance risk with real operational and regulatory consequences. Companies that get this right build stronger regulatory relationships and run smoother operations. Companies that get it wrong face endless operational bottlenecks, or worse, regulatory actions.


Compliance problems require compliance solutions, designed by professionals who understand regulatory risks, expectations, and how controls work in practice. Legal problems require legal solutions, provided by professionals trained to interpret laws, draft contracts, and protect the company’s legal position. Both functions are critical and valuable, but they are not the same.


Learn More About Us



Pragmax Consulting is a compliance, risk, and governance consulting firm with a diverse clientele, including a Fortune 500 asset management firm, a global fintech leader in digital payments across international markets, statutory bodies, and various virtual asset management companies.

