Navigating the Regulatory Labyrinth: The Emergence of the Compliance Control Tower in Global Finance

by Asro

For more than three centuries, visitors to the maze at Hampton Court Palace have tested their sense of direction among its tall, imposing hedges. Built in the late 17th century, the maze’s trapezoidal design looks straightforward on paper, a geometric exercise in logic and order. Yet, once inside, its looping paths quickly become disorientating. Turn after turn looks familiar, and progress frequently dissolves into guesswork. Modern compliance systems in the global financial sector often produce a strikingly similar experience. While the organizational charts and regulatory frameworks may appear coherent in a boardroom presentation, the reality for those operating within them is one of fragmented data, siloed communications, and a persistent sense of being lost within a digital thicket.

The evolution of financial regulation over the last two decades has created a landscape of unprecedented complexity. Most large financial institutions did not deliberately design fragmented compliance frameworks; rather, they accumulated them through a process of reactive layering. Whenever a new regulation arrives—such as the post-2008 Basel III requirements, the transparency mandates of MiFID II, or the rigorous data protections of GDPR—a new monitoring tool is introduced. When a new product launches, another specialized system is added. Teams build processes around their own specific responsibilities, each solving a local problem without necessarily considering the global architecture. Over time, surveillance, regulatory reporting, risk monitoring, and operational controls spread across dozens of platforms that rarely communicate with one another.

The Architecture of Fragmentation

The resulting institutional landscape is rarely dysfunctional in isolation. Each individual system typically performs its defined task with reasonable efficiency. The difficulty emerges when organizations attempt to understand how those disparate pieces interact to form a holistic risk profile. For many institutions, compliance information exists in abundance, but the relationships between systems are invisible.

Areg Nzsdejan, CEO and co-founder of Cardamon, notes that this fragmentation is the byproduct of incremental growth. "Most large financial institutions didn’t deliberately design fragmented compliance systems," Nzsdejan explains. "A new regulation comes in, a new tool gets added. A new product launches, another layer is introduced. Different teams solve for their own problems, and before long you have surveillance in one place, regulatory change tracked somewhere else, controls documented elsewhere, and risk stitched together manually."

This sentiment is echoed by Scott Nice, Chief Revenue Officer at Label, who argues that the most dangerous weaknesses often appear between teams rather than inside them. He suggests that the modern financial institution suffers not from one large compliance gap, but from a multitude of "smaller breaks" between teams, data sets, and handoffs. In a typical Tier-1 bank, one team may own onboarding, another handles transaction monitoring, a third manages regulatory change, and a fourth is responsible for reporting. Each operates with its own priorities and technology, creating a culture of duplication and inconsistency. Taken together, these issues accumulate gradually, resembling what industry experts describe as "death by a thousand paper cuts."

The Rise of the Compliance Control Tower

As institutions confront the limits of fragmentation, the industry is witnessing a paradigm shift toward "compliance control towers." This architectural approach centralizes oversight across surveillance, risk, and regulatory activity without necessarily requiring the wholesale replacement of existing legacy systems. Replacing every compliance tool inside a global bank would be prohibitively expensive and operationally catastrophic. Instead, firms are exploring an "overlay" strategy—integrating a layer that sits above the existing technology stack to aggregate signals from across the regulatory landscape.

Ashley O’Reilly, Head of Account Management for EMEA and APAC at Corlytics, notes that the concept is borrowed directly from aviation. "The concept is borrowed from air traffic control towers," O’Reilly says. "A central hub acts as a lookout, coordinating information and activities across an organization." By consolidating risk and regulatory signals into a single vantage point, organizations can identify enterprise-wide patterns that remain hidden when functions operate in silos. This visibility allows for faster incident response and improves transparency, making complex rules more accessible to stakeholders across the firm.

From a technological standpoint, this model mirrors the centralized operations centers used to monitor critical infrastructure or global IT networks. Supradeep Appikonda, COO and co-founder of 4CRisk.ai, highlights that the control tower addresses the chronic problem of manual systems providing outdated or inaccurate information. "The control tower provides near real-time dashboards that correlate data from siloed systems managing risk, resilience, and regulatory obligations," Appikonda notes. "Functionally, this is quite similar to other centralized operations centers… It is a proven technological model."

Regulatory Pressure and the Cost of Compliance

The shift toward centralized oversight is being accelerated by a tightening regulatory environment and the sheer volume of modern digital communications. Regulatory frameworks are no longer static; they evolve continuously across multiple jurisdictions. Simultaneously, the explosion of digital channels—ranging from WhatsApp and Zoom to AI-generated communications—has increased the number of touchpoints that must be captured and monitored.

Research conducted by Theta Lake, based on a survey of more than 500 senior compliance and IT leaders, underscores the severity of the problem. The study found that financial institutions rely on an average of three separate vendors just for voice recording, archiving, and supervision. Furthermore, 93% of firms reported significant challenges in managing these multi-vendor environments. Esteban Lopez, Senior Manager of Product and Technical Marketing at Theta Lake, warns that legacy, single-purpose solutions are increasingly inadequate. "When audio, text, visual, and AI-generated communications are captured across different systems, organizations struggle to reconcile the full record," Lopez says. "That creates gaps in surveillance, search, and e-discovery that directly affect a firm’s ability to detect risk."

In the realm of financial crime compliance, the pressure is even more acute. A spokesperson for RelyComply points out that the number of tools involved in anti-money laundering (AML) workflows has expanded rapidly to keep pace with the speed of cross-border payments. When data is split across disconnected systems, the operational inefficiency boosts the already staggering cost of compliance. Industry estimates suggest that the global cost of financial crime compliance alone has exceeded $274 billion annually. Without a centralized "tower" to manage these workflows, institutions risk creating "system graveyards"—dozens of expensive tools that solve individual problems but fail to function as a cohesive defense.

From Coordination to Execution: The Role of DORA and the PRA

While visibility is a primary driver for the control tower model, some experts argue that the true value lies in execution. Aurimas Bakas, CEO of Copla, believes that many organizations focus too heavily on coordination and not enough on how data is actually handled at the point of creation. Bakas points to new regulatory frameworks, such as the EU’s Digital Operational Resilience Act (DORA) and the UK Prudential Regulation Authority’s (PRA) Register of Material Third-Party Arrangements, as catalysts for change.

"Most control tower initiatives improve visibility across compliance activities," Bakas explains. "That helps at a coordination level, but it does not address where risk actually builds." He argues that compliance depends on how controls and data are executed across teams. DORA, which comes into full effect in early 2025, requires firms to maintain structured, defensible outputs regarding their digital resilience. This forces a shift from "periodic auditing" to "continuous validation." In this context, the compliance control tower becomes more than a dashboard; it becomes a controlled execution process where structure is applied at the moment data is generated.

The Future: AI Agents and Predictive Oversight

As control-tower architectures evolve, they are moving beyond retrospective reporting and into the realm of real-time operational functions. The integration of Artificial Intelligence (AI) is the next frontier in this evolution. Rather than merely flagging a past violation, the next generation of control towers is designed to analyze risk signals as they emerge, supporting decisions during live processes.

Supradeep Appikonda suggests that the deployment of AI agents will allow these platforms to become predictive, acting within defined guardrails to prevent breaches before they occur. "Real-time observability replaces point-in-time audits and subjective heat maps," he says. This transition also changes the language of compliance for senior leadership. Instead of vague "amber" or "red" status updates, a modern control tower can translate regulatory exposure into financial terms. A dashboard might show, for instance, that a specific gap in transaction monitoring represents a probable loss or fine of several million dollars within a specific timeframe.

Conclusion: Consolidation of Control, Not Platforms

Despite the clear trend toward centralization, industry experts do not expect the RegTech landscape to collapse into a single, universal platform. The domains of compliance—ranging from ESG (Environmental, Social, and Governance) and cybersecurity to prudential regulation and financial crime—are too specialized and technically complex for a "one-size-fits-all" solution. Innovation will likely continue to thrive among smaller, niche vendors solving specific regulatory puzzles.

What is changing, however, is the philosophy of management. "Full consolidation into one platform is unlikely," says Scott Nice of Label. "What is becoming inevitable is consolidation of control." The successful financial institutions of the next decade will not necessarily be those with the fewest systems, but those that have eliminated the fragmentation between them.

Returning to the metaphor of the Hampton Court maze: from the ground level, every path seems plausible and every turn offers a new guess. It is only from a higher vantage point—the "control tower" view—that the full pattern becomes visible. For the modern financial institution, achieving that vantage point is no longer a luxury of innovation; it is a prerequisite for survival in an increasingly complex regulatory world. The task is no longer about stockpiling more tools or data; it is about finally assembling the jigsaw puzzle so that the pieces connect.
