The policy-behavior gap no one talks about

Here's the uncomfortable truth for financial services leaders: having a policy isn't the same as enforcing one. 85% have communicated policies around office attendance, but only 69% actually measure whether people comply. That 16-point gap is more than an HR problem. In a regulated environment, a policy you can't evidence is a liability.

And the gap is widening. CBRE's 2026 data shows that while required office time increased by 12% from 2024 to 2025, actual attendance rose by only 1 to 3%. Banks are tightening policies on paper while the real-world needle barely moves.

This isn't because employees are being defiant. It's because most firms lack the infrastructure to connect policy to behavior. Spreadsheets, manual badge pulls, and quarterly headcounts don't give compliance officers what they need: real-time, auditable proof of who was where, and when. If you're still relying on those tools, you might want to look at how workplace compliance frameworks are evolving.

Where the big banks actually stand

The headlines make it sound simple. JPMorgan says five days. Goldman says five days. Everyone's back. But the reality is messier than that.

JPMorgan Chase moved to a full-time office requirement in early 2025, housing 14,000 employees in its Manhattan tower alone. The mandate was clear, the enforcement was real, and the internal backlash was documented. Employee morale dropped. Internal message boards lit up with frustration. The firm got bodies in seats, but the question of whether forced presence translates to better outcomes remains open. We covered the broader implications in our piece on JPMorgan's return to office.

Goldman Sachs has maintained a five-day policy since 2021. CEO David Solomon has been vocal and consistent. But even aggressive enforcement hasn't closed the gap. By late 2022, only roughly 65% of staff were actually in the office five days a week. Enforcement memos keep coming. Compliance keeps lagging.

Citigroup took a different path. Two days remote, three days in-office, with structured expectations tied to business continuity planning. The approach aligns with FINRA and FCA expectations without creating the morale drag of a hard mandate. Citi's bet is that flexibility, paired with systems, produces better compliance than rigidity alone.

Wells Fargo landed on a three-day minimum for most employees, with four or five days required for senior leaders and client-facing roles. This role-based approach acknowledges something the five-day mandates don't: not every function carries the same compliance risk or client interaction requirements. If you're thinking about how companies structure hybrid policies, Wells Fargo's model is worth studying.

The industry is moving toward structured hybrid, not full mandates

The individual bank stories are interesting, but the macro trend is more telling. FlexIndex's financial services data shows that the percentage of full-time in-office firms dropped from 20% to just 9% over the past year. The overwhelming majority have shifted to structured hybrid models.

Even FinTech, which historically leaned fully flexible, is tightening. Sixty-two percent of FinTech companies remain fully flexible, but that number has dipped 16 percentage points year over year as compliance requirements grow and companies mature.

The pattern is clear. Finance isn't going back to 2019, and it's not staying in 2020 either. It's landing somewhere in between, with structure, role-based expectations, and (ideally) the technology to make it all auditable. For a broader look at return-to-office trends across industries, we've been tracking the data closely.

Why compliance makes financial services hybrid different

Every industry deals with hybrid work logistics. Financial services deals with hybrid work logistics under regulatory scrutiny.

SEC Rule 17a-4 requires firms to retain records in a non-rewritable, non-erasable format for a minimum of six years. That rule was written for trade records and communications, but its logic extends to workplace operations. When a FINRA examiner asks who was on the trading floor on a specific date, "we think most people were in" isn't an acceptable answer.

The compliance requirements break down into a few categories:

Desk booking audit trails. Every reservation needs a timestamped, immutable record. Not a calendar invite. Not a sign-in sheet. A system-generated log that satisfies retention requirements without manual archiving.

Visitor management and access logs. Regulators, auditors, and third-party consultants move through financial services offices constantly. Knowing who was on-site, when they arrived, what documents they signed, and when they left isn't optional. It's an operational risk requirement. If your visitor management still runs on paper logbooks, that's a gap waiting to be flagged.

Data residency for client data. Hybrid work means employees access client information from multiple locations. Where that data lives, how it's transmitted, and whether the physical workspace meets security standards all fall under regulatory oversight.

Badge-based access verification. Policies say employees should be in the office three days a week. Badge data shows whether they actually are. The gap between those two numbers is where compliance risk lives.

Closing the gap between policy and proof

The firms that are getting hybrid right in financial services share one thing: they've stopped treating attendance policy and attendance measurement as separate problems.

JLL's 2025 research found that 72% of the global workforce now views return-to-office policies positively, but that goodwill comes with expectations for better workplace experience and genuine flexibility. In financial services, that means the office has to earn the commute, and the systems behind it have to earn the trust of compliance teams.

This is where fragmented tools break down. A desk booking app that doesn't talk to your badge system. A visitor log that lives in a different platform than your occupancy data. An HRIS that can't enforce role-based attendance requirements. Each gap is a place where compliance visibility disappears.

Gable unifies these pieces: desk booking with audit trails, visitor pre-registration with document signing, badge integration for occupancy verification, and role-based permissions that let you enforce different policies for different functions, all feeding into dashboards that compliance officers and CRE teams can actually use. When a regulator asks "who was present on April 3rd," the answer takes seconds, not days.

For teams evaluating this kind of infrastructure, our guide on building a workplace technology RFP covers how to structure the evaluation process.

What role-based policies look like in practice

One-size-fits-all mandates are tempting because they're simple. But financial services firms don't operate in a one-size-fits-all world.

A trading floor analyst and a back-office compliance analyst have fundamentally different workspace needs, client exposure levels, and regulatory risk profiles. Wells Fargo recognized this by setting different attendance requirements by role. JPMorgan, despite its blanket mandate, still operates with functional variations in practice.

Effective role-based policies typically look something like this:

Trading and client-facing roles: Four to five days in-office. These functions involve real-time market activity, client meetings, and regulatory oversight that requires physical presence and secure infrastructure.

Risk, compliance, and legal: Three to four days. These teams need regular in-person collaboration and access to secure systems, but can handle document review and analysis remotely.

Technology and operations: Two to three days. These functions benefit from focused remote work but need in-person time for cross-functional coordination and system access.

Support functions (HR, marketing, communications): Two to three days, with flexibility around team gathering days.

The key is that each tier has clear expectations, and the system enforces them automatically. No manager discretion. No ambiguity. No compliance gaps. If you're thinking through how to communicate these changes, transparency about the "why" behind role-based differences matters enormously.

Making the office worth the commute

Here's the part that gets lost in the compliance conversation: none of this works if the office experience is terrible.

JLL's workplace research found that financial services firms cite improving employee experience as their top hybrid work goal, ahead of cost reduction and footprint cuts. That's a meaningful shift. It signals that even in an industry known for top-down mandates, leaders recognize that sustainable attendance requires an office people actually want to use.

This means investing in collaboration spaces over rows of identical desks. It means making it easy for teams to coordinate in-office days so people aren't commuting to sit on video calls alone. It means parking, catering, and quiet focus rooms that reduce the friction of being on-site.

The firms seeing the best attendance numbers aren't the ones with the strictest mandates. They're the ones where employees can see who else is coming in, book a desk near their team, reserve a meeting room that actually has working AV equipment, and know that their commute will result in meaningful interaction. That's a workplace experience problem as much as a compliance problem.

The financial services hybrid workplace isn't a paradox; it's a design problem

The tension between flexibility and compliance in financial services is real, but it's not irreconcilable. The firms struggling are the ones trying to solve it with policy alone: write a mandate, send an email, hope for the best. The firms succeeding are treating it as a systems problem.

Structured hybrid works in regulated environments when you can prove it works. That means audit trails, real-time occupancy data, role-based enforcement, and visitor logs that satisfy regulators without creating friction for employees. It means closing the 16-point gap between having a policy and being able to demonstrate compliance with it.

The financial services hybrid workplace in 2026 isn't about choosing between Goldman's rigidity and a FinTech's flexibility. It's about building the infrastructure that makes your chosen model defensible, measurable, and, ideally, something your employees don't resent.