The Build Trap: Five Reasons Buying FCC Technology Delivers Stronger Outcomes

Operating costs increased by more than 60% for retail and corporate banks in the years following the 2008 financial crash [1], with global annual investment in financial crime compliance (FCC) estimated at over $200bn [2].
And yet, regulators globally issued $3.8bn in AML, KYC, sanctions, and CDD-related penalties in 2025 alone [3] – with enforcement rising sharply across a majority of jurisdictions.
More spending is not producing proportionately better outcomes. One of the most consistently underestimated contributors to that gap is the decision to build FCC technology internally, rather than buy it.
Building feels like control. However, in practice it is a permanent operational commitment: continuous recalibration, governance documentation, infrastructure re-engineering, and sustained recruitment of scarce talent – all while the regulatory environment evolves at an increasing pace.
Executives at major banks now devote 42% of their time to compliance matters, up from 24% in 2016 [4]. When a significant share of that burden is absorbed by maintaining technology rather than managing risk, the cost of building is no longer just financial – it is strategic.
Reason 1: Speed – Regulatory Timelines Do Not Wait for Development Sprints
The gap between when a regulatory obligation takes shape and when institutions must demonstrate compliance is narrowing – and the pace of regulatory change continues to accelerate.
For example, the Financial Action Task Force (FATF) finalised comprehensive revisions to Recommendation 16 in June 2025 [5], expanding the scope of the Travel Rule to cover all payments and value transfers, not just traditional wire transfers.
New sanctions designations can emerge within hours of a geopolitical development. Real-time payment mandates – now live across the EU and expanding rapidly in other markets – require screening to operate in seconds, not batches. Each of these shifts requires an immediate operational response, and internal development cycles cannot absorb that pace.
A compliance engineering team managing a live production system, regulatory documentation obligations, and a backlog of model recalibration work does not have the capacity to respond to a new regulatory standard such as the FATF’s in weeks. A specialist vendor with a pre-built, continuously maintained platform, deployed across multiple jurisdictions and already compliant with the latest standards, does.
For institutions operating across multiple regulatory environments simultaneously, that difference is not a convenience; it is a material risk management advantage.
Reason 2: Proven Expertise – Pattern Recognition No Single Institution Can Replicate
A specialist FCC vendor operates across dozens or hundreds of institutions simultaneously. That breadth produces a depth of typology recognition that no single institution can achieve internally.
When a new evasion method or laundering technique emerges, such as a novel layering structure, a new crypto-to-stablecoin cashout route, or a shift in mule network behaviour, the specialist vendor has typically already encountered it elsewhere and adapted to it. Internal teams are, by definition, working from a narrower evidence base. There is no shortcut to that accumulated pattern intelligence.
This becomes increasingly important as financial crime becomes more complex and adaptive. Estimates suggest that $3tn in illicit funds flowed through the global financial system in 2023 alone [6]. Against that volume, detection models that have only been trained on a single institution's transaction history are structurally disadvantaged from the outset.
The institutions making the most meaningful progress are those deploying AI that has already been tested, validated, and refined across live production environments at scale – not those attempting to replicate that development curve internally.
Reason 3: Scalability Without Infrastructure Overhead
Compliance challenges are not static. Transaction volumes grow, new products and channels create new risk exposure, and regulatory scope expands – as Australia's Tranche 2 reforms are currently demonstrating, bringing tens of thousands of previously unregulated entities into AML/CTF obligations from July 2026.
Each of these developments places additional demand on compliance infrastructure that, if internally built, must scale accordingly.
Internal builds tend to scale in one of two ways: headcount or expensive re-engineering. Neither is sustainable. In 2024, it was estimated that financial institutions globally would invest approximately $190bn on FCC – with $34.7bn spent on technology and $155.3bn on operations [7].
The operational burden dwarfs the technology spend, which is precisely the dynamic that effective technology is supposed to reverse. Institutions that build internally often find themselves perpetuating that imbalance: re-engineering systems while simultaneously running them, at a cost in time and attention that compounds with every new obligation.
The institutions performing best are those investing in technology that produces better decisions rather than more of them, with platforms that scale with transaction volume and regulatory scope without requiring a parallel expansion of engineering and governance.
Reason 4: Key-Person Risk – The Fragility Nobody Talks About
Internal FCC systems are frequently the intellectual property of a small number of individuals: the engineers who built the architecture, the compliance experts who designed the typology logic, and the data scientists who calibrated the models. That concentration of knowledge is rarely documented comprehensively enough to survive the departure of the people who hold it.
In a market for compliance technology talent as competitive as today's, those individuals are unlikely to remain at a single institution throughout the lifecycle of the system. Compliance staffing at major banks increased by 62% between 2013 and 2023 [4], reflecting both the scale of investment institutions have made in building teams and the exposure they carry when those teams change.
When key individuals leave, institutions can be left managing systems they no longer fully understand, unable to recalibrate models, explain decisions to regulators, or respond to emerging typologies without extensive reverse engineering.
This fragility is one of the most underappreciated risks in FCC. It rarely appears on a risk register until the moment it becomes a crisis, and by then the cost of addressing it far exceeds the investment required in a vendor relationship.
Reason 5: Focus – FCC Leaders Should Be Managing Risk, Not Software
The core competency of a financial institution is managing financial risk and serving customers, while the core competency of a specialist FCC vendor is building, maintaining, and continuously improving financial crime detection systems. When institutions conflate the two, both tend to suffer.
Compliance leaders who spend disproportionate time on model governance, data pipeline maintenance, and technology architecture decisions are not managing risk; they are managing technical debt – a burden that accumulates silently and surfaces at the worst possible moment.
The banks achieving the strongest compliance outcomes are those that have repositioned compliance as a strategic capability [8], directing their best talent and attention towards risk management outcomes rather than the engineering infrastructure that underpins them. The technology should be enabling that focus, not consuming it.
To Build or to Buy?
Buying is not universally the right answer. Institutions with strict data sovereignty requirements, highly distinctive risk profiles, or regulatory environments that preclude certain third-party arrangements may have legitimate reasons to develop bespoke components.
The critical distinction is between building because it is strategically necessary and building because it feels like control. The latter tends to produce neither outcome – only technical debt, governance overhead, and operational exposure that compounds quietly over time.

Iris 7 is Silent Eight's answer to the build or buy question
A governed, Agentic AI-driven decisioning model built for key compliance challenges