“There is no perfect answer”: Inside the compliance conversations trust & safety leaders are actually having

Over thirty practitioners. Three tables. Seventy-five minutes. The brief: to get a room of trust & safety practitioners talking honestly about how they’re tackling evolving compliance requirements.

At the TSPA EMEA Summit, Ailís Daly, Head of Trust & Safety, EMEA, at WebPurify, an IntouchCX company, co-hosted a roundtable session alongside Síne Creamer, VP & Deputy General Counsel at Bumble. They didn’t want a panel, or a Q&A, or another forum where people read prepared remarks at each other. They wanted to create a space to share knowledge.

As someone who advises platforms on trust and safety and regulatory compliance day to day, Ailís came away with a clear sense of where the industry actually is, rather than where regulators or vendors say it should be. “Looking back, I think the format is most of the story,” she reflects. “I want to share what came out of the room, what stayed with me as a co-host, and a few things attendees told me that capture where the industry actually is right now.”

Designing the session around the room

In a pre-session survey, attendees shared what they were actually wrestling with: which regulatory areas were creating the most operational friction, what was getting in the way of implementation, and what they wanted to walk out with.

The strongest themes were:

• Age assurance and child safety obligations
• EU Digital Services Act (DSA) implementation and systemic risk assessments
• Transparency reporting across jurisdictions

There were operational constraints that people kept naming: tooling that isn’t fit for purpose, fragmentation across jurisdictions, and the sheer volume of regulator requests.

It shaped the session.

“We deliberately steered the agenda away from legal interpretation — there’s no shortage of forums, webinars and briefing notes for that — and toward what people are actually doing to make this work operationally,” says Ailís.

The big shift: from interpretation to execution

The clearest theme across the day was that the industry has moved past the “what does the regulation mean” stage. The challenge now is operationalizing compliance at scale, and that’s a very different problem.

“Across every table I joined in, people were wrestling with the same things,” says Ailís.

How to:

• Handle regulator request volume without burning out small teams
• Reconcile fragmented reporting obligations across markets
• Build infrastructure that scales, rather than rebuilding for each new jurisdiction
• Get cross-functional alignment when product, legal, policy and operations all have different incentives

“This isn’t a ‘do we understand the DSA’ problem. It’s an execution problem. The regulatory operationalisation gap is now the work.”

The ‘off-the-shelf’ myth

“A pattern I see in my consultancy work, almost weekly, is organisations arriving hoping for a complete, ready-made compliance playbook – buy the framework, fill in the platform-specific blanks, ship the programme,” reflects Ailís. “It’s an understandable instinct given the pace and complexity of the obligations landing on T&S teams, and the pressure many functions are under to demonstrate progress quickly.”

If you wanted a single-day illustration of why that mental model doesn’t hold, the TSPA roundtable was it.

“Some of the most sophisticated platforms in the world – organisations with mature T&S functions, dedicated regulatory counsel and significant compliance investment – were openly saying they’re still figuring it out. Not because they’re behind, but because the operational answer to most of these obligations doesn’t exist yet as a fixed artefact.”

It’s being written in real time, in cross-functional meetings and exactly the kind of practitioner exchange this session was built around.

That has implications for advisory work too. The most useful thing a consultant can do in this space isn’t hand over a template – it’s to help build the internal judgement to make good calls under genuine uncertainty, design programmes that can flex as obligations evolve, and plug clients into the peer signal that’s actually moving the field.

Age assurance: the proportionality conversation

The most operationally sophisticated discussion of the day was around age assurance.

Participants were moving past blanket “verify everyone immediately” approaches and exploring more risk-tiered models. There was an interesting thread around using account age itself as a prioritisation signal – for example, treating accounts that have existed for less than 18 years as a higher-priority population, then layering risk indicators on top. The underlying instinct across the room: balance regulatory expectations against operational feasibility, user friction, and where the actual safety risk sits.

One attendee captured the room’s view well:

“Two things stuck with me. First, the pushback on age assurance for dormant accounts. The general sense was that inactive accounts present minimal risk, and applying the same requirements to them creates a disproportionate burden. It would be good to see regulators provide clearer guidance on proportionality there. The other thing was the lack of common minimum standards across jurisdictions. Platforms are all designing their own approaches to age assurance, which makes consistency and benchmarking really difficult — especially when the DSA and OSA are pushing in the same direction but with different requirements.”

That tension – frameworks broadly aligned on direction but unaligned on implementation – came up repeatedly. “It’s creating real cost, real duplication, and a quietly growing benchmarking problem across the industry. Several practitioners were openly asking whether clearer regulatory permission to apply risk-based, proportionate approaches would unlock meaningful operational headroom without reducing user safety.”

Transparency reporting: ‘report once, format many’

Transparency reporting was the other dominant pain point. “The concept of ‘report once, format many’ got a lot of nods around the room – but very few hands went up when we asked who actually felt they had mature infrastructure capable of supporting it,” says Ailís. “Most teams are still stitching reports together by hand, against differing data definitions and inconsistent regulator expectations across markets.”

It’s exactly the kind of problem that doesn’t get solved company by company.

The biggest takeaway

After the session, a senior trust & safety leader from one of the large short-form video platforms shared a reflection that wasn’t what Ailís expected. “They said their most important learning was that none of us really has this figured out. We’re all trying our best. Maybe the secret sauce isn’t that one person has found the answer – the secret sauce is in how we collaborate to make our messaging consistent, think outside the box, and solve these challenges through companies and partners that have wider exposure.”

Ailís agrees. “I think that’s exactly right. The honesty in the room – that no one has it cracked, that everyone’s improvising, that some of the most senior practitioners in the industry are still asking each other ‘wait, how are you doing that’ – was the most valuable thing about the session. You can’t get that from a panel. You can only get it when people feel safe enough to admit what’s not working.”

A T&S policy manager from a major global games publisher captured something else worth sitting with:

“My main takeaways were the need for humans in the loop – potentially in more places than we currently have them – and the need for red-teaming and finding creative solutions for dealing with safety gaps and issues of bias and nuance. Also still chewing over the question of where ‘blame’ goes when someone vibe-codes an AI agent that winds up wreaking havoc.”

That last question is going to define a lot of trust & safety work over the next few years. The accountability gap around autonomously-built AI systems isn’t theoretical anymore. And it’s another thing no single company is going to solve alone.

Ailís’ key takeaways

• The operational maturity gap is the real story. Most organisations now understand the law. What they don’t yet have is the infrastructure to live up to it sustainably.
• Proportionality needs to be defended, not assumed. Risk-based implementation models exist, but practitioners are quietly asking for clearer regulatory permission to use them – particularly for dormant accounts and lower-risk populations.
• Common minimum standards would save the industry enormous effort. Not because regulation should be uniform, but because the implementation overhead of fragmented expectations is now a meaningful drag on safety work itself.
• Humans in the loop are not going away. If anything, they need to be in more places, especially as AI agents take on more autonomous behaviour.

The best work happens between companies, not inside them. Compliance is competitive on outcomes, but the operational solutions don’t need to be. The platforms and partners that share what’s working will collectively raise the floor.