Inside the push to centralise compliance oversight

For more than three centuries, visitors to the maze at Hampton Court Palace have tested their sense of direction among its tall hedges. Built in the late 17th century, the maze’s trapezoidal design looks straightforward on paper. Yet once inside, its looping paths quickly become disorientating. Turn after turn looks familiar. Progress becomes guesswork. Modern compliance systems often produce a similar experience.

Most large financial institutions did not deliberately design fragmented compliance frameworks. They accumulated them. A new regulation arrives, and a monitoring tool is introduced. A new product launches and another system is added. Teams build processes around their own responsibilities, each solving a local problem.

Over time, surveillance, regulatory reporting, risk monitoring and operational controls spread across dozens of platforms. Individually, they perform their tasks. As a whole, however, the picture becomes harder to interpret. Information exists, but understanding where risk is building becomes difficult.

That challenge is increasingly driving interest in what many firms now call a “compliance control tower”, an approach that centralises oversight across surveillance, risk and regulatory activity.

How compliance became fragmented

“Most large financial institutions didn’t deliberately design fragmented compliance systems,” explains Areg Nzsdejan, CEO and co-founder of Cardamon.

“A new regulation comes in, a new tool gets added. A new product launches, another layer is introduced. Different teams solve for their own problems, and before long you have surveillance in one place, regulatory change tracked somewhere else, controls documented elsewhere, and risk stitched together manually.

“Individually, each piece works. Collectively, it doesn’t.”

The resulting landscape is rarely dysfunctional in isolation. Each system performs a defined task. The difficulty emerges when organisations attempt to understand how those pieces interact.

For many institutions, compliance information exists in abundance. The relationships between systems are less visible.

Scott Nice, Chief Revenue Officer at Label, says the weaknesses often appear between teams rather than inside them.

“Most firms do not have one big compliance gap,” he says. “They have lots of smaller breaks between teams, systems, data sets and handoffs.”

“One team owns onboarding, another owns transaction monitoring, another owns regulatory change, another owns reporting,” Nice explains. “Each has its own process, priorities and technology. That creates duplication, inconsistency and too many points where important information gets lost or delayed.”

Taken individually, these issues can appear manageable. Taken together, they accumulate gradually, resembling death by a thousand paper cuts.

Closing these gaps between systems, therefore, becomes essential for understanding how risk develops across the organisation. Yet improving visibility alone does not necessarily resolve the underlying problem.

Aurimas Bakas, CEO of Copla, believes many organisations focus too heavily on coordination rather than execution.

“Most control tower initiatives improve visibility across compliance activities,” he says. “That helps at a coordination level, but it does not address where risk actually builds.

“In large organisations, compliance depends on how controls, data and decisions are executed across teams. Differences in interpretation, fragmented ownership and delayed validation create outputs that require reconciliation before they can be relied on.

“Frameworks such as the DORA ICT Register in the EU and the PRA Register of Material Third-Party Arrangements in the UK make this visible because they require structured, defensible outputs.”

Bakas suggests that the challenge lies earlier in the process: “Structure needs to be applied where data is created. Validation should happen continuously, and changes should be traceable over time. When that happens, compliance stops being a coordination exercise and becomes a controlled execution process.”

The rise of the compliance control tower

As institutions confront fragmentation, attention has shifted toward architectures capable of connecting existing systems rather than replacing them.

Replacing every compliance tool inside a large financial institution would be costly and disruptive. Instead, many firms are exploring layers that sit above their existing technology stack, bringing together signals from across the regulatory landscape.

The idea has acquired a widely used label within compliance teams: the compliance control tower.

“The concept is borrowed from air traffic control towers,” says Ashley O’Reilly, Head of Account Management EMEA and APAC at Corlytics.

“A central hub acts as a lookout, coordinating information and activities across an organisation.”

The comparison reflects the growing volume of information compliance teams must oversee.

“The goal of the central hub is to monitor and consolidate risk and regulatory signals coming from a wide range of sources and systems,” O’Reilly explains.

Bringing those signals together allows organisations to identify patterns that remain hidden when compliance functions operate separately.

“Centralising compliance in this way helps identify enterprise-wide risks, avoid risk silos and enable faster incident response. It also improves regulatory transparency by making rules and regulatory processes clearer and more accessible across the organisation.”

From a technological perspective, the model builds on approaches already used elsewhere in enterprise infrastructure.

“The compliance control tower addresses the problem of manual systems that provide outdated or inaccurate information to decision-makers,” says Supradeep Appikonda, COO and co-founder of 4CRisk.ai.

“The control tower provides near real-time dashboards that correlate data from siloed systems managing risk, resilience and regulatory obligations.

“Functionally, this is quite similar to other centralised operations centres that monitor networks or critical infrastructure. It is a proven technological model.”

Why the shift is accelerating

Several forces are pushing financial institutions toward more centralised oversight.

Regulatory frameworks evolve continuously. Firms operate across multiple jurisdictions. Transaction volumes continue to grow while new digital channels increase the number of communications that must be captured and monitored.

Research by Theta Lake, based on a survey of more than 500 senior compliance and IT leaders, found that financial institutions rely on an average of three separate vendors for voice recording, communications archiving and supervision. At the same time, 93% of firms reported significant challenges managing multi-vendor compliance environments.

“These legacy, single-purpose solutions are increasingly inadequate for today’s integrated communications landscape,” says Esteban Lopez, Senior Manager of Product and Technical Marketing at Theta Lake.

“When audio, text, visual and AI-generated communications are captured across different systems, organisations struggle to reconcile the full record. That creates gaps in surveillance, search and e-discovery that directly affect a firm’s ability to detect risk.”

The problem is particularly visible in financial crime compliance.

A spokesperson for RelyComply says the number of tools involved in anti-money laundering workflows has expanded rapidly.

“Growing criminal risk, shifting regulatory expectations and the speed of cross-border payments mean institutions must maintain data hygiene across onboarding, monitoring and reporting oversight,” the spokesperson says.

When those processes rely on disconnected systems, operational pressure increases.

“If data is split across varying systems, operational inefficiency only boosts the already significant cost of compliance. Over time organisations can end up with what is effectively a system graveyard — dozens of tools solving individual problems but struggling to work together.”

Consolidation without uniformity

Despite growing interest in centralised oversight, few expect the compliance technology landscape to collapse into a single universal platform. Regulation itself spans too many domains.

“Compliance covers multiple domains, each with its own regulatory lifecycle and technical complexity,” O’Reilly says.

Cyber security monitoring, ESG compliance, prudential regulation and financial crime prevention all require specialised expertise and operational processes. Specialised tools are therefore likely to remain part of the ecosystem.

Innovation often occurs among smaller vendors focused on solving particular regulatory challenges.

What is changing instead is the way organisations manage the systems they already operate.

“Full consolidation into one platform is unlikely,” says Label’s Nice. “What is becoming inevitable is consolidation of control.”

In practice, that means aligning the workflows, decisions and evidence produced across different systems.

“The firms that succeed will not necessarily have the fewest systems,” Nice says. “But they will have far less fragmentation between them.”

Compliance as a real-time operating function

As control-tower architectures evolve, they are beginning to take on a more operational role.

Rather than functioning solely as reporting layers, these platforms increasingly analyse risk signals as they emerge and support decisions during live processes.

“This next generation of ecosystem control towers offers value beyond simply integrating data across the stack,” Appikonda says.

“With the deployment of AI agents, the platform becomes predictive and capable of acting within defined guardrails.”

Such systems also alter how compliance activity is monitored across the enterprise.

Traditional compliance models relied heavily on periodic reviews, audits and risk assessments. Control-tower platforms introduce continuous monitoring.

“Real-time observability replaces point-in-time audits and subjective heat maps,” Appikonda explains.

They also translate regulatory exposure into terms senior decision-makers can quickly interpret.

“A dashboard might show that a particular gap represents a probable loss of several million dollars within a defined period,” he says.

For many institutions navigating complex regulatory environments, the objective is clarity across the organisation.

“Firms don’t want ten different interpretations of risk across ten systems,” says Nzsdejan.

“They want a single, consistent view of what applies to them, what has changed, and where the gaps are.”

For many financial institutions, the challenge has never been about stockpiling more tools or more data. The task has always been assembling the jigsaw in a way that allows the pieces to connect.

The compliance control tower represents the industry’s attempt to do exactly that.

Returning to those famous hedges at Hampton Court. From inside the maze, every path seems plausible. Each turn offers another direction, another guess at the way forward. Only from above, when the full pattern becomes visible, does the route through reveal itself.

For many RegTech firms, the compliance control tower is an effort to gain that vantage point.


Copyright © 2018 RegTech Analyst
