For much of the past decade, RegTech investment has followed a familiar trajectory, flowing towards technologies that help financial institutions keep pace with an ever-expanding regulatory burden.
But as compliance enters a new phase, one shaped by artificial intelligence, operational resilience, digital identity and increasingly real-time supervision, the industry’s priorities are beginning to diverge. Investors are becoming more selective, buyers more demanding, and regulators more prescriptive.
While AI-native platforms continue to attract significant capital, more established areas such as regulatory reporting, governance and traditional compliance workflows are competing for attention in a market where budgets are under greater scrutiny. The result is a growing question over where the next wave of RegTech value will be created.
The Global State of RegTech 2026 – a report co-authored by RegTech Analyst and Parker Lawrence Research – delved into this key topic during the report. You can download the full report here.
As part of the report, vendors and institutions were quizzed on a number of key areas within the financial technology market, with the central question being where they expected the greatest level of investment within financial institution’s risk and compliance environments in 2026.
For vendors, expectations are considerably heavy around AI and automation. The report detailed that a huge 91.67% of vendors believe this area will see the greatest level of investment, compared to only 44.33% of institutions. The graph below details the emerging fault lines between vendors and institutions.
In part one of a two-part series, we hear from a number of key industry thought leaders to see their view on this growing gap between vendors and institutions.
Why vendors and FIs are diverging
Why are vendors and financial institutions betting on different futures? Scott Nice, CRO at Label, detailed that the graph shows a clear difference in emphasis between vendors and financial institutions.
He said, “Vendors appear to be leaning heavily into transformation themes such as AI agents, agentic automation, generative AI and API-based integration. Financial institutions, by contrast, seem more focused on the foundations that allow those technologies to be safely adopted, including modern data architecture, privacy-enhancing technologies, cryptography, cloud migration and control infrastructure.”
However, Nice makes clear he does not see this as a complete disagreement about the future, and is instead more a difference in starting point.
“Vendors are naturally looking at where the market narrative is moving and where they can demonstrate innovation,” he said. “Financial institutions are asking a more practical question: what needs to be true before these technologies can be used safely in a regulated environment? In risk and compliance, technology is not judged only by whether it creates efficiency. It is judged by whether the outcome can be governed, evidenced, challenged and explained.”
The largest gap in the chart, Nice outlines, is around AI agents and agentic automation. He is clear that he does not read the institution-side caution as a lack of appetite for AI, instead viewing it as a sign that companies are being more precise about where AI can safely operate
He said, “There is a significant difference between using AI to support an analyst and allowing AI to act autonomously within a regulated control framework. The former is already valuable. The latter requires far more confidence around governance, explainability, oversight and accountability.”
Kevin McGuinness, global head of strategy at Napier AI, suspects not all vendors think the same on this matter.
He said, “Those with experience delivering RegTech projects at large financial institutions will be more aware of the realities of legacy technology stacks, disparate data pools, and separate business lines. “
McGuiness says Napier echoes the sentiments offinancial institutions – that to experience the benefits of cutting-edge AI innovations the underlying AML-engine needs to be AI-ready.
He added, “It is prudent to prioritise foundational work – modern data architecture, cloud migration, API-native integrations, and use cases which often act as a precursor to advance AI such as machine learning and predictive analytics. The research responses tell me financial crime compliance teams in-house know they can’t bolt agentic AI onto fragile foundations.”
Whilst some vendors are chasing the AI-first transformation story, McGuiness is clear that institutions are quietly investing in the plumbing that transformation actually depends on, more aligned to the compliance-first AI that Napier advocates.
Michael Thirer, CLO at Muinmos, meanwhile, doesn’t believe that institutions and vendors are betting on different futures, but are just seeing things from different perspectives.
“Whereas vendors have the “engine room” perspective, and may therefore focus on better data architecture to support the AI analysis and make it more reliable and transparent, financial institutions have the user perspective, which tends to focus more on the end-product.
“After all, how many of us using ChatGPT or Claude really think about the immense data centres, the huge investment in cooling systems and efficient processors required to operate them?”
In Thirer’s opinion, this is firmly what is at the heart of these different results seen in the report.
Red Oak SVP Strategy Mike Lubansky sees that there is an emerging faultline, but he would describe it less as a disagreement about the future of RegTech and more as a disagreement about sequencing.
He remarked, “Vendors are often marketing the destination: autonomous compliance, agentic workflows, real-time intelligence, and AI-driven decisioning. Financial institutions are still funding the prerequisites: clean and connected data, governed APIs, secure infrastructure, books-and-records integrity, supervisory controls, entitlement models, and evidence that can stand up in an audit.”
However, Lubasnky doesn’t believe this doesn’t mean firms are skeptical of AI. In many cases, he states, they are just being more practical about what it takes to use AI safely in a regulated environment.
“A compliance function cannot adopt autonomous agents simply because the technology is impressive. It has to know what data the agent used, what policy or rule it applied, what action it took, who approved it, where the evidence is retained, and how the decision can be explained later,” Lubansky said.
Are there different prioritisations?
Are firms prioritising foundations while vendors chase transformation? Nice, on this point, agrees – and thinks that this is one of the most important messages in the graph.
He remarked, “Vendors are understandably focused on transformation because AI, LLMs, automation and integration can materially change how risk and compliance functions operate. But financial institutions know that these capabilities only work if the foundations are strong enough to support them.”
Many firms are still dealing with fragmented data, legacy systems, inconsistent workflows, manual review processes and too much dependency on spreadsheets, detailed Nice. In such an environment, advanced automation can create the illusion of progress without solving the underlying problem.
“If the data is poor, if exceptions are not properly managed, or if decisions cannot be evidenced, automation may simply allow the firm to produce weak outcomes faster,” explained Nice.
The Label CRO remarked that this is why the institution-side focus on data architecture, privacy, cryptography and cloud migration matters.
He explained, “These areas may be less fashionable than AI agents, but they are fundamental to the future of compliance. Continuous KYC cannot work if firms cannot reliably detect and interpret changes in customer risk. Real-time compliance operations cannot exist if the data is incomplete, inconsistent or trapped across disconnected systems.”
In reference to a key strong point of Label’s, Nice states that this is highly relevant in tax transparency.
“FATCA and CRS have shown that firms can meet complex obligations through manual effort, but that does not make the model sustainable. CARF adds further complexity through digital assets, new data sources, self-classification, reasonableness checks and multi-jurisdiction reporting. A human-controlled spreadsheet model may have been tolerated historically, but it feels increasingly unsuitable for the next phase of compliance,” he said.
What investment gaps reveal about the next RegTech phase
What do investment gaps reveal about the next phase of RegTech? Lubasnky believes that the winning platforms will not be the ones that simply add AI on top of disconnected processes.
He explained, “They will be the ones that connect the compliance ecosystem: data, workflow, policies, disclosures, supervision, reporting, archives, and third-party systems. Once that connective tissue is in place, AI becomes much more powerful because it is operating inside a governed, traceable, and explainable control environment.”
Therefore, in Lubansky’s view, the investment gap reveals something important. “Firms are not rejecting transformation. They are building the control foundation that makes transformation defensible.”
Nice, meanwhile, said that the investment gaps reveal that the next phase of RegTech will be shaped by the tension between ambition and trust.
He said, “Vendors are pushing towards a more automated, AI-enabled and integrated future. Financial institutions are not rejecting that future, but they are making it clear that trust, governance and infrastructure still matter.”
For Nice, this is indeed a healthy tension, and made a point that risk and compliance functions cannot adopt technology simply because it is new or because it promises efficiency. They need to understand how it changes the control environment, who owns the output, how the logic is governed, how errors are identified, how exceptions are handled and how the process can be explained to a regulator or auditor later.
He concluded, “The next phase of RegTech will not be won by the boldest claims about AI. It will be won by the providers that can turn advanced technology into trusted operating capability. That means embedding AI into controlled workflows rather than presenting it as a replacement for compliance expertise.
“It means using automation to reduce manual effort while strengthening accountability. It also means helping firms move away from fragmented, spreadsheet-led processes towards more connected, evidence-led operating models.”
Huge disruption
The first wave of FinTech disruption fundamentally altered where financial institutions chose to invest. Customer experience became the defining competitive advantage, forcing incumbent banks to prioritise digital onboarding, intuitive interfaces and seamless payments, often ahead of modernising the compliance functions operating behind the scenes.
According to RelyComply, that imbalance is now becoming increasingly difficult to sustain. “The entire fabric of financial services was ripped open by the arrival of neobanks and FinTechs,” they said, with CX-first innovation forcing traditional institutions into rapid digital transformation despite the constraints of legacy infrastructure and siloed data.
The consequences are now becoming clear. As financial crime grows more sophisticated and regulators demand greater evidence of effective controls, investment priorities are beginning to shift from front-end innovation towards compliance resilience.
Institutions still burdened by manual processes face the challenge of modernising legacy AML operations, while newer entrants, particularly in payments, must ensure their compliance capabilities can keep pace with the rollout of instant payment systems and real-time financial services.
RelyComply argued that AML is no longer simply a regulatory obligation, but a strategic enabler of growth. “Real-time cross-border payments are a baseline customer demand today,” they said, warning that fragmented compliance processes and resource constraints can quickly become barriers to scaling internationally.
Against this backdrop, AI-powered AML platforms are emerging as a strategic investment rather than a discretionary technology upgrade. Centralised, automated systems allow firms to apply consistent due diligence, ongoing monitoring and risk assessment across multiple jurisdictions, reducing operational friction while strengthening financial crime controls.
Importantly, the shift is not limited to institutions at a particular stage of digital maturity. Whether replacing manual workflows or enhancing existing compliance ecosystems, integrated RegTech platforms offer a route to long-term transformation. As RelyComply concluded, while perceptions of AI range from excitement to uncertainty, “the flexibility of a well-integrated AML platform makes it an investment with future-proofed potential”, one capable of adapting to an increasingly complex threat landscape regardless of which type of institution criminals choose to target.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst






