In the fast-paced realm of financial services, where innovation clashes with ever-tightening regulations, embedded compliance is gaining traction as a seamless integration of regulatory checks into core operations. This approach leverages technology to automate and embed compliance directly into products, workflows, and customer interactions, potentially reducing risks and costs. Yet, as fintech disrupts traditional models, can embedded compliance truly serve as the foundational support for sustainable growth? We speak to a number of key industry players on this topic, in part one of a two-part series.
For decades, compliance was treated as an add-on, as firms built products, ran transactions, and only then layered compliance checks over the top, claims Areg Nzsdejan, CEO of Cardamon.
The result of this, for Nzsdejan, was predictable. “Bottlenecks, remediation costs, regulatory fines, and an adversarial relationship between compliance and commercial teams.”
The Cardamon CEO believes that this model is breaking. Given this, what is the next step for firms?
“The next chapter is embedded compliance: controls integrated directly into infrastructure, operating invisibly, in real time. Just as payments became ‘rails’ that sit beneath every fintech product, compliance is becoming the backbone layer of financial services,” he said.
Embedded compliance, Nzsdejan argues, flips the model from reactive to preventive – instead of policing after the fact, risks are intercepted at the source. For example, a payment that fails sanctions screening never leaves the system and a client without a verified identity never makes it onto the books.
Such a shift can remove the constant pull of audits, firefighting and remediation – instead of catch and correct, firms move to design out the risk. Compliance is enforced at the moment of action, not weeks later during review.
For Nzsdejan, the transition to embedded compliance is already underway, enabled by a convergence of infrastructure and AI.
Examples of these can be found in API-first compliance layers. “Providers now offer KYC, AML, sanctions, and tax compliance as embeddable services that integrate directly into onboarding, payments, and trading flows,” said the Cardamon CEO.
Other examples include machine learning and NLP, which often involve real-time monitoring of contracts, communications and transactions, making it possible to detect anomalies, mis-selling risks or suspicious activity as they occur.
There are also cloud-native orchestration, and regulatory ontologies and mapping engines. With the former, controls can be deployed across multiple jurisdictions simultaneously without breaking the user journey, ensuring local obligations are enforced while global consistency is maintained.
The latter translate sprawling regulation into structured, machine-readable rules, which is critical for scaling compliance across products, regions, and regulators.
“The net effect is that compliance becomes more programmatic with human oversight. It shapes what users and employees can or cannot do automatically, much like payments infrastructure did a decade ago. At Cardamon, we are embracing these principles and help our partners by providing everything via APIs if requested – we don’t just sell our solution, we become build partners,” said Nzsdejan.
Despite all this, global financial firms face compliance sprawl, claims the CEO: one control per regulator, per jurisdiction, often duplicating effort and increasing operational drag. Embedded compliance is able to consolidate this.
He said, “By mapping obligations centrally but enforcing them locally, firms can launch products faster across multiple markets, reduce duplication between local compliance teams and demonstrate consistency to regulators while still honouring jurisdiction-specific requirements.”
If this is done well, embedded compliance has the ability to transform cross-border compliance from a roadblock into a competitive advantage, claims Nzsdejan.
“The firm can expand internationally without carrying an exponential compliance burden. For reference, at Cardamon we have enabled our customers to solve compliance problems across 6 continents already – harmonising their controls and policies to streamline the process,” he said.
Historically, the return on investment for compliance was calculated in fines avoided or headcount reduced. Instead, embedded compliance transforms the value proposition.
Speed to market increases, as new features or products launch faster thanks to pre-wired compliance checks. Remediation costs are also lower, as incidents are prevented rather than corrected after the fact; investor confidence climbs as firms are able to show that compliance is resilient by design; and faster approvals and cleaner customer experiences reduce churn and boost growth.
This, for Nzsdejan, shows that the ROI case is becoming clearer: compliance is not just a shield against downside risk, it is an accelerator of growth. The Cardamon CEO highlighted that its customers are already launching projects 95% faster in certain cases.
Nzsdejan finished, “The firms that win in this next era will not treat compliance as an overlay. They will treat it like core infrastructure: as fundamental as payments, identity, or cloud hosting.
“Embedded compliance does more than reduce cost or risk. It redefines how financial services operate: faster, safer, and globally scalable. In a world of tightening oversight, shifting regulations, and unforgiving regulators, compliance is no longer a cost center. It is the backbone of modern financial infrastructure.”
Cutting friction
How does embedding compliance at the infrastructure level reduce operational risk? Michael Thirer, CLO at Muinmos, gave an example of how Muinmos embeds the client risk assessment (CRA) in the client application.
He explained, “Our platform embeds decision-making between SDD, CDD and EDD (simplified, normal or extended due diligence) in the client journey itself, making it both as relevant and as compliant as possible.”
Another example he gave was of the firm’s AI Regulator Classification Engine. “It will let you know, right from the beginning of the relationship with the client, all the data you need in order to make sure you don’t mis-sell (what is their regulatory category – Professional Client, Sophisticated Investor, Qualified Holder etc. – what services and products are suitable and appropriate for them, their risk appetite, etc.).”
If such steps are known from the start and embedded in a firm’s infrastructure, Thirer argues, the chance of mis-selling or exposing yourself to unnecessary risk drops dramatically.
In terms of what tech enables such seamless compliance integration, Thirer raises AI as a significant player, although the truth is that the technology has already been here for years.
“What has changed is that people now use it broadly in other areas as well, and therefore are more willing to adopt it in compliance as well. It’s important, of course, to keep it fully explainable and accountable, as we do – otherwise, AI in itself becomes a risk,” he said.
Can embedded compliance support cross-border operations without adding friction? Here, Thirer makes clear that embedded compliance cuts friction, especially in a cross-border context.
He said, “A simple example is the client onboarding journey. In different countries, there are different compliance requirements. Embedding the compliance requirements in the client journey from the start, along with real-time decisioning capabilities, means the client only goes through the shortest journey possible, hence reducing friction.
“This is what allows us, for example, to boast a 97% completion rate for the entire client application (not just IDV and basic questionnaire, but everything including client classification and suitability and appropriateness assessments) – way above market standard.”
The ROI is proving to be one of the clearest examples of why embedded solutions are thriving.
Thirer outlined, “We have clients telling us they saved 32% on IT costs by embedding all in one process, others stating they reduced onboarding time by over 45%, and others that their case handling time dropped by 50%.”
Reducing risk
For Madhu Nadig, CTO at Flagright, embedding controls at the infrastructure layer cuts risk because policy checks happen before money or data moves.
He said, “The cleanest examples are name‑check systems that verify account holder details at payment time and shared fraud‑data arrangements that block suspect transfers in flight, both envisaged in the EU’s payments reforms alongside stronger consumer protection. Because the PSR is a regulation, many of these conduct rules will apply uniformly once finalised, which reduces fragmentation for cross‑border operations.”
The enabling stack, for Nadig, is often straightforward: event streams from the core, policy-as-code at the API gateway, ML models for anomaly scoring, and auditable decisions that analysts can override within minutes.
Instant payments rules that require IBAN-to-name confirmation can show how this works as an invisible check that adds minimal friction while materially reducing misdirected payments.
“Measuring ROI then goes beyond license consolidation; firms track shorter onboarding cycles, fewer write‑offs from fraud or scams, and faster audits because evidence is generated automatically at run‑time,” concluded Nadig.
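The pre-release gate described in this section, with a payee name check and a sanctions check run before a payment leaves, decisions logged as run-time evidence and an analyst override, can be sketched as follows. This is an added example, not code from Flagright or any firm quoted here. The account data, list entry, 0.85 threshold, exact-name sanctions lookup and all function names are assumptions made for illustration.

```python
import hashlib, json
from difflib import SequenceMatcher

# Constructed sample data: placeholder IBANs, names and list entries.
ACCOUNT_HOLDERS = {"XX00EXAMPLE0001": "Anna Schmidt", "XX00EXAMPLE0002": "Jean Martin"}
SANCTIONED_NAMES = {"blocked trading ltd"}
CLOSE_MATCH_RATIO = 0.85  # assumed threshold, chosen for illustration
DECISIONS = {"match": "allow", "close_match": "hold", "no_match": "block"}

def norm(name):
    return " ".join(name.lower().split())

def name_check(iban, payee_name):  # IBAN-to-name confirmation
    holder = ACCOUNT_HOLDERS.get(iban)  # unknown account scores 0.0 and fails closed
    ratio = SequenceMatcher(None, norm(holder), norm(payee_name)).ratio() if holder else 0.0
    return "match" if ratio == 1.0 else "close_match" if ratio >= CLOSE_MATCH_RATIO else "no_match"

def evaluate(payment):  # policy rules, run before the payment is released
    if norm(payment["payee_name"]) in SANCTIONED_NAMES:
        return dict(decision="block", reason="sanctions_hit")
    outcome = name_check(payment["iban"], payment["payee_name"])
    return dict(decision=DECISIONS[outcome], reason="payee_" + outcome)

def digest(prev, fields):  # each record's hash covers the previous record's hash
    return hashlib.sha256((prev + json.dumps(fields, sort_keys=True)).encode()).hexdigest()

class PaymentGate:
    def __init__(self):
        self.audit_log = []  # hash-chained decision records

    def _record(self, **fields):
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        self.audit_log.append({**fields, "prev": prev, "hash": digest(prev, fields)})
        return self.audit_log[-1]

    def submit(self, payment):
        return self._record(payment_id=payment["id"], actor="policy", **evaluate(payment))

    def override(self, payment_id, analyst, decision, justification):
        return self._record(payment_id=payment_id, actor=analyst, decision=decision, reason=justification)

    def chain_intact(self):  # False if any record was edited after it was written
        prev = "0" * 64
        for e in self.audit_log:
            fields = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if (e["prev"], e["hash"]) != (prev, digest(prev, fields)):
                return False
            prev = e["hash"]
        return True
```

An override is appended as a new record rather than rewriting the policy decision, so the original decision and the analyst's justification both remain in the chain.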
Copyright © 2025 RegTech Analyst