Over the past few years, Financial Services Institutions (FSIs) have undergone a significant transformation in compliance and risk management. 

The recent surge in data breaches, malicious activity, and fraudulent actors have sounded the alarms for FSIs. Just one “non-compliance event” could cost an organization an average of $4 million in revenue, and at the same time, the rate of technology innovation and introduction of third-party vendor solutions adds additional risk to already digitized workflows. Together, this has propelled FSIs to become more cognizant of their compliance and risk management practices, driving them to proactively mitigate risks by modernizing their technology stack, investing in best practices, and ensuring high-accuracy workflows, all while maintaining cost efficiency.

This, along with the rise of the Chief Compliance Officer makes Financial Services Compliance a particularly attractive market for startups:

Across numerous conversations with bulge-bracket banks and modern fintechs, we established that Risk Management & Compliance stands as a compelling sector for startup solutions. In this post, we aim to delineate how FSIs think about compliance, their strategies concerning build vs. buy, and the dynamic domains where startups hold potential to revolutionize Risk Management & Compliance technology.

If you’re building in the Risk Management & Compliance sector, feel free to reach out to us! 

Budget Allocation

FSI compliance spending reportedly topped $206 billion in 2023 and accounts for more than 5% of institutions’ annual budgets. 

The pandemic served as an inflection point for FSI’s Risk Management & Compliance teams as more workflows digitized and work-from-home became the norm. Since then, the distribution of compliance costs among US-based FSIs indexes towards technology expenditures vs. pure labor expenditures, indicating an appetite for new solutions that can help automate business processes. 

Additionally, we learned that many banks spend between $40 and $60 million on compliance headcount and technology with two-thirds of that budget dedicated to surveillance focused on Bank Secrecy Act (BSA) workflows, which authorizes the Department of the Treasury to impose reporting and other requirements on financial institutions and other businesses to help detect and prevent money laundering.

Startups’ Biggest Barriers to Entry 

Many banks opt to invest in home-grown technology solutions given the obstacles startups need to overcome in order to enter this space:

• Complex Architecture: It’s challenging to navigate complex legacy architectures that are stitched together with sensitive data policies as well as implement stand alone SaaS solutions with more than 400+ required data connectors. 
• Process Process Process: FSIs have multiple lines of business that each follow their own unique set of rules in order to remain compliant, adding multiple layers of complexity to a vendor sale and implementation.  
• Data Integration: Every application needs to be tuned to an FSI’s proprietary data, creating on-prem silos that vendors typically can’t and/or don’t want to work with. 
• Talent Scarcity: FSIs struggle to retain talent as they compete with big tech. Given projects can be multi-year engagements, turnover can lead to lost knowledge, longer onboarding for new hires, and more.

The more aware startup founders are of these barriers to entry and their capacity to tackle them, the greater the likelihood of becoming the preferred vendor and succeeding in this competitive landscape. Achieving this necessitates a nuanced awareness of the inner workings of banks, their specific compliance needs, and their internal processes. The most effective founders building and selling in this space will need empathy for these challenges, which often stems from lived / previous experience at a bank.

FSI Purchasing Framework for Compliance Solutions

As mentioned above, purchasing vendor solutions is not a simple nor straightforward process. For startup founders, it’s important to identify repeatable business processes across the spectrum of FSIs that they’re willing to outsource. Compliance teams are willing to purchase net-new technology when the following criteria are met: 

1. Utility: When FSIs have little competitive advantage building a tool internally for industry standard workflows that can be repeated across other FSIs. 
   
   Example: In Change Management & Regulatory Intelligence, the ingested data doesn’t have to be proprietary to a firm for it to be valuable.

2. Owning the Risk: FSIs don’t want to own and manage risk associated with an application. 
   
   Example: Sanctions Screening imposes restrictions on all transactions regarding a specific country, individual, or entity. FSIs feel safer working with applications that are directly connected to Office of Foreign Assets Control (OFAC) regulations and can delegate risk to third-parties and governing bodies vs. directly owning the risk of imposing sanctions accurately.  

3. Reduce Costs to Displace Multiple Vendors: Leveraging vendor solutions to consolidate multiple areas in a tech stack. Since compliance is a cost center, buyers are not looking for ways to expand to new sources of revenue — vendors must make it more cost efficient to run business as usual. 
   
   Example: Socure’s digital identity verification solutions offer increased acceptance (more revenue), while reducing fraud (improve bottom line). Their customers see increased, safer client onboarding, and can consolidate onto Socure from oftentimes a multi-vendor identity stack.

4. Co-Developing for Speed to Market: Given FSI’s complex architectures, they are open to co-developing applications alongside partners to accelerate product roadmaps, especially for complex projects where there’s some level of customization required. 
   
   Some FSI's have recently expressed an openness to co-developing internal applications as a way to streamline key projects and enhance product roadmaps

Key Areas of Interest (Wishlist for Vendors) 

To date, FSI Compliance has been fragmented across internal policies, highly-manual workflows, and outdated technologies. As new technologies have been introduced, additional complexities are introduced by intricate and time consuming know-your-customer processes required during account onboarding.

Evaluating the Risk vs. Reward for AI/ML in Compliance 

Across the vendor wishlist spectrum, a staggering amount of practitioners called for LLM-powered automation. However, FSIs are proving to be slow adopters of LLMs and black-box AI given their additional security concerns. On one hand, leveraging AI will enable compliance teams to better automate workflows and improve business processes. On the other hand, AI provides its own set of challenges that will trigger more scrutiny around which vendors FSIs choose to work with, how they manage risk associated with production-grade models, and more. 

However, contemporary banks already rely heavily on quantitative ML models across many aspects of their decision making and recent regulation and market tailwinds have spurred the need for further governance, risk management, and model transparency. While the rise of ML reflects the extent to which models can improve business decisions, it also comes at a direct cost of devoting resources to develop and implement models properly. 

Given the user-risk acceptance criteria is higher for FSIs than other industries, products that leverage AI will need to adhere to the highest level of data, security, and governance standards, to ensure use cases are accurately fulfilled and compliant. This will give rise to further expand the market for compliance solutions like model risk management and data governance.

Below, I’ve outlined the three most cited areas for technology innovation along with the sub-business processes practitioners are looking for help with:

1. Improving AML Case Investigator Experience
   
   AML case management is integral to FSI operations and is the process through which FSIs monitor, detect, investigate, and report suspicious customer behavior. It is often the first layer of defense against potential financial crimes, regulatory fines, and sanctions. Efficient case management systems need to dynamically meet a company’s many AML needs and adjust for changing regulations and relevant criteria. In traditional FSIs, many of these tools are highly manual and costly. 

• AI/ML for Suspicious Activity Reports (SARs): Transition from rules based approaches to incorporating ML for AML Alerts for SARs
• Augment the Agent Experience: Automate acquisition and summarization of external data outside of transactions to help with AML case management 
• Next Best Action Decisioning: Automatically assess SAR to recommend next best actions 
• Identifying Counterparty Risk: Collate and summarize data to understand likelihood of default
• Improve Advisor Compliance Portals: Create personalized alerts for compliance task management via integrations with greater governance, risk, and compliance solutions
• Intelligent Summarization Agent: Automatically summarize transactions, negative news screening, and proprietary transaction data 
• Ongoing Monitoring: Analyze operational data and system logs, process metrics, and employee behavior patterns to expose internal/external compliance risks

2. Improving Firmwide Surveillance
   
   FSIs are required to monitor customers and employees on an ongoing basis to identify fraudulent or criminal activity. AI/ML will help improve upon detection logic underpinning traditional screening and monitoring tools and help organizations leverage additional data sources to identify suspicious activity across domains (e.g., spoofing, insider trading, AML, fraud, sanctions, etc.). Upgrading this outdated technology will help reduce false-positive alerts and help teams better identify compliance risks, all with the goal of allowing institutions to migrate toward continuous monitoring. 

• Anomaly Detection for Risk Management: Leverage LLMs to analyze indicators for malicious activity like fraudulent financial transactions, anomalous customer behavior, insider trading, etc.
• Code Inspection: Utilize ML to inspect and describe codebases with the goal of maintaining data compliance
• LLMs for Summarization: Leverage LLMs for net-new use cases involving massive amounts of data (e.g., ensure that marketing collateral is compliant with products the bank is currently offering)
• Improve Regulatory Insights: Collate and synthesize regulatory data and next best actions for compliance investigators  
• Supercharge Regulatory Intelligence & Change Management: Continuously scan relevant regulatory changes and new policies; AI/ML to determine business unit level applicability of requirements and develops controls to ensure that requirements are met
• Third-party Vendor Risk Management: Incorporate LLMs to help organizations assess operational risk for onboarding new technologies

3. Software-Led Consulting Engagements for Hairy Problems
   
   ‍Given limited resources and talent constraints, teams are often constrained on rearchitecting outdated technologies vs. investing in net-new tools and applications. To combat this, FSIs often outsource multi-year projects that can move the needle to consultants who can provide the building blocks for net-new applications and customize them to an organization's internal systems and technical architecture. In essence, think of this as a Palantir-like vendor verticalized for financial services work.

• Improve Electronic Trade Surveillance Tooling: Improve market oversight by creating a comprehensive audit trail to track and analyze trading activities in exchange-listed equities and options across U.S. markets
• Market Risk Prediction: Utilize LLMs to forecast market trends, analyze historical data, synthesis news to provide insight for investment risk management and potential impact on a banks portfolio
• Model Risk & Explainability: As organizations invest in ML capabilities, understanding the underlying data used to train models will be more important than ever given new and existing regulations (CCAR )related to model bias, explainability, etc. 

Conclusion

Compliance has become a massive and timely category of interest for FSIs. However, this is not the traditional Silicon Valley problem. The startups that will win in this space are those that are able to understand the deep domain nuances within the banking world and bring tailored, best-in-class technology to solve those challenges.

My biggest advice for founders building in the space is to proceed with customer empathy – carefully consider how to position yourself in order to earn trust with bank stakeholders. By doing so, you’ll have a more direct line to candid feedback on their top pain points and areas of opportunity needed to validate a solution. 

If you’re building in the Risk Management & Compliance sector, feel free to reach out to us!