For more than three centuries, visitors to the maze at Hampton Court Palace have tested their sense of direction among its tall hedges. Built in the late 17th century, the maze’s trapezoidal design looks straightforward on paper. Yet once inside, its looping paths quickly become disorientating. Turn after turn looks familiar. Progress becomes guesswork. Modern compliance systems often produce a similar experience.
Most large financial institutions did not deliberately design fragmented compliance frameworks. They accumulated them. A new regulation arrives, and a monitoring tool is introduced. A new product launches and another system is added. Teams build processes around their own responsibilities, each solving a local problem.
Over time, surveillance, regulatory reporting, risk monitoring and operational controls spread across dozens of platforms. Individually, they perform their tasks. As a whole, however, the picture becomes harder to interpret. Information exists, but understanding where risk is building becomes difficult.
That challenge is increasingly driving interest in what many firms now call a “compliance control tower”, an approach that centralises oversight across surveillance, risk and regulatory activity.
Technology will not be enough
In the view of Dalia Nightingale, Chief Revenue Officer at Vixio, the compliance stack is already consolidating. But technology alone will not be enough.
“The debate about whether compliance platforms will consolidate has largely been settled. They will, and they are. Compliance leaders, worn down by fragmented vendor relationships, disconnected data and tools that were never designed to work together, are moving towards integrated platforms. Regulators are accelerating this shift,” said Nightingale.
She added that as obligations become more complex, more cross-jurisdictional and more interconnected, the cost of operating in silos has become strategically untenable. “Boards want a single version of the truth. Risk functions need end-to-end visibility. The patchwork approach is no longer fit for purpose. So the more important question is not whether consolidation is inevitable. It is whether the platforms businesses are consolidating onto are genuinely capable of serving them and their changing business when it matters most, and whether technology, however sophisticated, can ever do that alone. It cannot,” said the Vixio CRO.
There are, however, limits to the platform promise. “The compliance technology market has never been short of ambition. Vendors promise unified dashboards, automated workflows, AI-powered risk scoring, real-time regulatory tracking. Much of it is super valuable, but none of it is sufficient on its own. Why, you may ask? Regulation is not a dataset,” said Nightingale. “It is a living, frequently ambiguous body of guidance, shaped by political context, supervisory philosophy and jurisdictional nuance that changes faster than any system can be trained to interpret.”
She gave the example of when a central bank issues guidance that contradicts established practice, when a regulator signals an enforcement priority shift through a speech rather than a formal update, when a cross-border transaction touches three different legal frameworks simultaneously, these are not problems a platform resolves by running another process, they are problems that require judgment.
Nightingale said, “Human judgment, specifically: the kind that comes from years of regulatory experience, deep sector knowledge, and the ability to read between the lines of what a supervisory authority is actually communicating. Businesses that treat compliance technology as a replacement for that expertise are not more compliant. They are more efficiently exposed.”
For Nightingale, the move from fragmented, best-of-breed tools to integrated platforms represents a genuine step forward, but only when it is accompanied by a parallel investment in human intelligence.
She explained, “The businesses navigating this most effectively understand that the goal is not automation for its own sake. It is foresight: the ability to anticipate regulatory direction, not just respond to it. This requires the first, second and third lines of defence to work in genuine harmony. The first line needs operational compliance guidance that is immediately actionable. The second line needs regulatory intelligence that is contextualised, not just catalogued. The third line needs assurance frameworks that reflect what is actually happening in the business, not what the system was configured to report.”
When these functions are connected, when the data flows between them and the insights fromone inform the decisions of another, compliance becomes a source of strategic advantage rather than a cost of doing business. “But connection alone is not enough. The insight that moves through that connected infrastructure needs to be grounded in genuine regulatory expertise. An integrated platform that surfaces poorly interpreted data faster is not progress. It is a more efficient way of being wrong,” said Nightingale.
In the view of Nightingale, the platforms that will define the next decade of compliance technology are not those with the most sophisticated automation. They are those that have built genuine expertise into the fabric of what they offer, where regulatory analysts, jurisdictional specialists and sector practitioners sit alongside the compliance and product teams, ensuring that what the platform delivers is not just technically functional but substantively correct.
She said, “This is what partnership means in a compliance context. Not just a customer success manager and a renewal conversation. A relationship in which the provider’s expertise extends the capability of the client’s own team, where the human in the loop is not an afterthought but a design principle, and where the confidence to act on compliance insight comes from knowing that it has been interpreted, tested and validated by people who understand the regulatory environment as well as the technology they have built to navigate it.”
For Nightingale, compliance leaders and their teams are operating under sustained and growing pressure to modernise, to demonstrate increasing maturity, and to do more with resources that rarely grow as fast as the regulatory environment demands. The expectation is not simply that compliance functions keep pace with change. It is that they get ahead of it, advising the business with confidence rather than reacting to developments after the fact. Infrastructure is the foundation of that ambition.
She remarked, “The right platform, properly integrated, removes the friction that slows compliance teams down and gives them the operational visibility to manage risk proactively. But infrastructure alone does not build maturity. What elevates a compliance function from reactive to genuinely strategic is the quality of intelligence it can access and the foresight it can act on. Knowing that a regulatory shift is coming is useful. Understanding what it means, why it matters and what to do about it before it arrives is what allows compliance leaders to move at speed and advise with confidence. That capability cannot be automated. It has to be built into the partnership.”
For the Vixio CRO, best-of-breed tools will persist in corners of the business for years to come, serving niche requirements that no consolidated platform has yet matched. But as integration matures and the bar for what a compliance platform must deliver continues to rise, the defining differentiator will not be which vendor has built the best workflow engine. It will be which vendor has built the deepest expertise and made it inseparable from the product. Best-of-breed tools will persist in corners of the business for years to come, serving niche requirements that no consolidated platform has yet matched.
“But as integration matures and the bar for what a compliance teams platform must deliver continues to rise, the defining differentiator will not be which vendor has built the best workflow engine. It will be which vendor has built the deepest expertise and made it inseparable from the product,” she concluded.
How compliance became fragmented
“Most large financial institutions didn’t deliberately design fragmented compliance systems,” explains Areg Nzsdejan, CEO and co-founder of Cardamon.
“A new regulation comes in, a new tool gets added. A new product launches, another layer is introduced. Different teams solve for their own problems, and before long you have surveillance in one place, regulatory change tracked somewhere else, controls documented elsewhere, and risk stitched together manually.
“Individually, each piece works. Collectively, it doesn’t.”
The resulting landscape is rarely dysfunctional in isolation. Each system performs a defined task. The difficulty emerges when organisations attempt to understand how those pieces interact.
For many institutions, compliance information exists in abundance. The relationships between systems are less visible.
Scott Nice, Chief Revenue Officer at Label, says the weaknesses often appear between teams rather than inside them.
“Most firms do not have one big compliance gap,” he says. “They have lots of smaller breaks between teams, systems, data sets and handoffs.”
“One team owns onboarding, another owns transaction monitoring, another owns regulatory change, another owns reporting,” Nice explains. “Each has its own process, priorities and technology. That creates duplication, inconsistency and too many points where important information gets lost or delayed.”
Taken individually, these issues can appear manageable. Taken together, they accumulate gradually, resembling death by a thousand paper cuts.
Closing these gaps between systems, therefore, becomes essential for understanding how risk develops across the organisation. Yet improving visibility alone does not necessarily resolve the underlying problem.
Aurimas Bakas, CEO of Copla, believes many organisations focus too heavily on coordination rather than execution.
“Most control tower initiatives improve visibility across compliance activities,” he says. “That helps at a coordination level, but it does not address where risk actually builds.
“In large organisations, compliance depends on how controls, data and decisions are executed across teams. Differences in interpretation, fragmented ownership and delayed validation create outputs that require reconciliation before they can be relied on.
“Frameworks such as the DORA ICT Register in the EU and the PRA Register of Material Third-Party Arrangements in the UK make this visible because they require structured, defensible outputs.”
Bakas suggests that the challenge lies earlier in the process: “Structure needs to be applied where data is created. Validation should happen continuously, and changes should be traceable over time. When that happens, compliance stops being a coordination exercise and becomes a controlled execution process.”
The rise of the compliance control tower
As institutions confront fragmentation, attention has shifted toward architectures capable of connecting existing systems rather than replacing them.
Replacing every compliance tool inside a large financial institution would be costly and disruptive. Instead, many firms are exploring layers that sit above their existing technology stack, bringing together signals from across the regulatory landscape.
The idea has acquired a widely used label within compliance teams: the compliance control tower.
“The concept is borrowed from air traffic control towers,” says Ashley O’Reilly, Head of Account Management EMEA and APAC at Corlytics.
“A central hub acts as a lookout, coordinating information and activities across an organisation.”
The comparison reflects the growing volume of information compliance teams must oversee.
“The goal of the central hub is to monitor and consolidate risk and regulatory signals coming from a wide range of sources and systems,” O’Reilly explains.
Bringing those signals together allows organisations to identify patterns that remain hidden when compliance functions operate separately.
“Centralising compliance in this way helps identify enterprise-wide risks, avoid risk silos and enable faster incident response. It also improves regulatory transparency by making rules and regulatory processes clearer and more accessible across the organisation.”
From a technological perspective, the model builds on approaches already used elsewhere in enterprise infrastructure.
“The compliance control tower addresses the problem of manual systems that provide outdated or inaccurate information to decision-makers,” says Supradeep Appikonda, COO and co-founder of 4CRisk.ai.
“The control tower provides near real-time dashboards that correlate data from siloed systems managing risk, resilience and regulatory obligations.
“Functionally, this is quite similar to other centralised operations centres that monitor networks or critical infrastructure. It is a proven technological model.”
Why the shift is accelerating
Several forces are pushing financial institutions toward more centralised oversight.
Regulatory frameworks evolve continuously. Firms operate across multiple jurisdictions. Transaction volumes continue to grow while new digital channels increase the number of communications that must be captured and monitored.
Research by Theta Lake, based on a survey of more than 500 senior compliance and IT leaders, found that financial institutions rely on an average of three separate vendors for voice recording, communications archiving and supervision. At the same time, 93% of firms reported significant challenges managing multi-vendor compliance environments.
“These legacy, single-purpose solutions are increasingly inadequate for today’s integrated communications landscape,” says Esteban Lopez, Senior Manager of Product and Technical Marketing at Theta Lake.
“When audio, text, visual and AI-generated communications are captured across different systems, organisations struggle to reconcile the full record. That creates gaps in surveillance, search and e-discovery that directly affect a firm’s ability to detect risk.”
The problem is particularly visible in financial crime compliance.
A spokesperson for RelyComply says the number of tools involved in anti-money laundering workflows has expanded rapidly.
“Growing criminal risk, shifting regulatory expectations and the speed of cross-border payments mean institutions must maintain data hygiene across onboarding, monitoring and reporting oversight,” the spokesperson says.
When those processes rely on disconnected systems, operational pressure increases.
“If data is split across varying systems, operational inefficiency only boosts the already significant cost of compliance. Over time organisations can end up with what is effectively a system graveyard — dozens of tools solving individual problems but struggling to work together.”
Consolidation without uniformity
Despite growing interest in centralised oversight, few expect the compliance technology landscape to collapse into a single universal platform. Regulation itself spans too many domains.
“Compliance covers multiple domains, each with its own regulatory lifecycle and technical complexity,” O’Reilly says.
Cyber security monitoring, ESG compliance, prudential regulation and financial crime prevention all require specialised expertise and operational processes. Specialised tools are therefore likely to remain part of the ecosystem.
Innovation often occurs among smaller vendors focused on solving particular regulatory challenges.
What is changing instead is the way organisations manage the systems they already operate.
“Full consolidation into one platform is unlikely,” says Label’s Nice. “What is becoming inevitable is consolidation of control.”
In practice, that means aligning the workflows, decisions and evidence produced across different systems.
“The firms that succeed will not necessarily have the fewest systems,” Nice says. “But they will have far less fragmentation between them.”
Compliance as a real-time operating function
As control-tower architectures evolve, they are beginning to take on a more operational role.
Rather than functioning solely as reporting layers, these platforms increasingly analyse risk signals as they emerge and support decisions during live processes.
“This next generation of ecosystem control towers offers value beyond simply integrating data across the stack,” Appikonda says.
“With the deployment of AI agents, the platform becomes predictive and capable of acting within defined guardrails.”
Such systems also alter how compliance activity is monitored across the enterprise.
Traditional compliance models relied heavily on periodic reviews, audits and risk assessments. Control-tower platforms introduce continuous monitoring.
“Real-time observability replaces point-in-time audits and subjective heat maps,” Appikonda explains.
They also translate regulatory exposure into terms senior decision-makers can quickly interpret.
“A dashboard might show that a particular gap represents a probable loss of several million dollars within a defined period,” he says.
For many institutions navigating complex regulatory environments, the objective is clarity across the organisation.
“Firms don’t want ten different interpretations of risk across ten systems,” says Nzsdejan.
“They want a single, consistent view of what applies to them, what has changed, and where the gaps are.”
For many financial institutions, the challenge has never been about stockpiling more tools or more data. The task has always been assembling the jigsaw in a way that allows the pieces to connect.
The compliance control tower represents the industry’s attempt to do exactly that.
Returning to those famous hedges at Hampton Court. From inside the maze, every path seems plausible. Each turn offers another direction, another guess at the way forward. Only from above, when the full pattern becomes visible, does the route through reveal itself.
For many RegTech firms, the compliance control tower is an effort to gain that vantage point.
