Detecting and preventing financial crime is extremely important for financial services businesses. It involves an entire strategy and suite of tools, specifically geared toward keeping the organization (and its customers) safe from things like fraud.
Due to the serious nature of staying compliant and the vigilance required to continuously combat fincrime from occurring, many organizations face the challenge of deciding how they should stand up their risk and compliance programs.
Typically, the question of whether to build a system in-house or purchase a software is at the forefront of these conversations because once the decision is made, it can be a messy and time consuming process to transition away from the predetermined selection.
When deciding whether to buy or build compliance software, a big concern is managing the gap between fraud and engineering teams.
For many companies, it is both costly and risky to devote engineering resources to a fraud and AML solution because this means that resources are being diverted away from revenue-driving activities like investing in better customer experience or a more stable product.
However, many organizations prefer to build something instead of buy it because they believe a purchased solution won’t offer them the customization or flexibility they need, or because having something proprietary is a culture preference.
Typically, small to midsize organizations try to solve this conundrum early on, so that they can align resources accordingly. Companies frequently replace an in-house solution with a vendor, but it’s not common for organizations to stop using a vendor in preference of an in-house solution.
While there are pros and cons to each option, each organization is different and has varied reasons for choosing one way or the other. To truly understand if you can build vs. buy your compliance solution, we’ll cover all the steps required. We’ll also point out why we think buying a reliable, robust compliance solution is likely the better option.
Regardless of what you end up doing, it’s a difficult decision to make. To help you make the right choice, we break down the steps for building a financial compliance software in-house.
Before you really determine whether you should build or buy your compliance solution, we’ll go through the entire process for building in-house risk and compliance software.
This will help you understand all the steps needed to build an in-house solution, so that you can compare it to the cost of buying. Then we’ll dig into reasons why you may want to buy a high-quality solution instead of building internally.
Before you start doing anything, you need to ask yourself if you can actually translate a fraud pattern into a rule in your software. Not only that, but you need to know: how time-consuming and challenging that process will be and how effectively your solution will handle the issue.
It’s hard to gauge how long every rule will take to build, as different rules will be more or less challenging (and costly) to build. Typically, most organizations require some (however minimal) degree of customization on their rules, translating into custom database queries for each use case. Modifying or updating those rules at any time will require full-time engineering resources just for managing rulesets.
On top of this, you’ll need to consider how you’ll be able to test the rules you’re creating to ensure they are performing properly. You may need to set this infrastructure up yourself (which will also take a lot of time and resources). Regardless, you’ll need to manage that system and ensure it’s accurately tracking how well your rules perform their intended tasks. To reiterate the above, constantly changing rules need to be tested and re-tested to ensure that they are airtight, to avoid fraud loss and/or adverse regulatory consequences.
With all this said, consider the number of rules you will need to update. Now that you have that in mind, you’ll have to ask yourself how feasible it is that you will be able to keep pace with a rapidly changing fraud landscape, with new attack vectors being unearthed ever so frequently.
While creating the rule itself is the first thing that comes to mind, there is much more to consider when developing your own risk management solution.
You’ll need to have an alert generation system to communicate escalations to your team. To do this, you’ll need to consider which team member will get alerts and how they will receive them. Are you going to use a dashboard, emails, Slack messages, spreadsheets, documents or other systems (or even a combination of a few)? Can you build a software with a UI dedicated to managing your alerts?
Once you know what you want to achieve, you need to think about how you’ll be able to execute your vision. Is the tool you used to create the rules the same tool that will generate alerts, or do you need to create a separate solution altogether?
Ideally, you don’t want risk and compliance teams to have to use various solutions - and switch through multiple screens and windows. Instead, you want to offer the capability to perform all updates from a unified, easy-to-use solution, saving your team operational time.
If you think you’ll struggle with managing and integrating these solutions, it would likely be a good idea to buy a solution that offers a seamless user experience for your team.
Alright, you’ve created a rule, tested it, and are generating accurate alerts.
Now that alerts are being generated, you need to make sure they are being properly managed so that your team can address them. Not only that, but your team needs to be able to organize and prioritize alerts, and even filter alerts to different teams depending on how many types of cases you get (and how robust your risk and compliance team is).
You’ll want to consider how your investigative teams pull cases for review. Is it a single queue that everyone pulls from? Are there tags to identify case types? Who implements these tags, and at what point in the process does that occur? Can you set up a queue that enables filtering case types so they get sent to different teams for faster, more efficient investigations?
Make sure the system you build has a way of implementing a queue process for cases to improve case management. Set up a way to track what reports have been started, completed, and more to help manage this queue most effectively.
While this may seem as easy as ‘take a number’ for small risk and compliance teams, managing this queue can be a complicated process as your team scales. Having a high-quality solution that can help will save your team valuable time and money in the long run, while also giving you a high level of control over your operations is necessary for success.
Next, you need to consider how the investigation process looks. How are fraud analysts or agents picking alerts? Are they being assigned by a team lead or manager, or is it FIFO (First in First Out) through self-selection? Additionally, is the investigation of cases occurring within the same interface?
It’s extremely important to look at this through the lens of the investigator here. Ask yourself if the agent has all the information they need to determine if a case is fraud or if they need to use another solution during the process. Ideally, they’d have access to everything they need in one place for the fastest, best investigation. Redundancy in alert investigations can significantly raise the SLA (Service Level Agreement) times on the company’s side, reducing operational efficiency substantially.
Here’s where Unit21 shines! As a data agnostic solution, it’s extremely easy to integrate other solutions, allowing you to pull in various data sources into one, simple-to-use solution that makes investigation easy.
Now that the investigation is complete, we have one thing left to do - file the case to a relevant FIU - be it FinCEN, goAML, or whichever regulatory body you operate under. If you’ve completed everything up to this stage, you’ll still need to take your investigations and turn them into a SAR (suspicious activity report).
The process of filing SARs using Government-managed software systems is cumbersome, to say the least. To this day, the primary way to self-manage SARs outside of Risk and Compliance infrastructure software is through PDF or XML documents that are hard to manage, time-consuming to fill up and even more difficult to maintain for auditability.
Ask yourself if you can do this in-house: how long will it take for your team to review the alert, do the investigation, create the case, and convert that into a SAR that can be sent to your partner bank, or to the regulatory body directly? Can this process be automated? How much time would that save your team?
In the end, automating this process can save a lot of time and effort on your end, and ensure accuracy in your suspicious activity reporting!
Before we jump in, let’s look at the differences from a high level.
Seems simple enough, but there’s a lot to unpack here.
Below, we cover five of the top decision criteria for buying versus building a fraud and AML software. While these are some of the most important criteria for making the decision, which ones matter most to you will depend on how you want your risk and compliance solution to perform.
1. Time to implement
Regardless of whether you buy an existing solution or build your own, there will be a time commitment to implement.
For building, this commitment will be extensive. Building a solution from scratch will require a significant investment of time and effort from your team. This time includes not only the time to build, but also time hiring the right team, planning the development of the program, and testing performance once complete.
This may also mean that you have to wait a long time before your solution is ready. This could mean you have to hold off on launch, or you may have to operate with inadequate protection. If you use a solution in the interim, you’ll need to consider how you migrate data from the provider you use to the solution you build. All of this adds time to when you’re ready to actually operate.
Buying will still involve a period of implementation but will be significantly shorter - and smoother - than building.
Should you buy vs build? We cover the pros and cons related to the time of implementation:
2. The true cost of compliance
While buying software may feel like it’s extremely expensive, it pales in comparison to building your own solution.
There are several costs associated with building, which can add up quickly. You’ll need to hire an engineering team capable of building the solution. The hiring process itself will take time and cost your business money, as you'll need to make sure you acquire the right specialists. That’s all on top of the salary expenses to actually build the team, which can be a substantial investment.
Then there’s the actual time and work investment to actually build it. In the process of building, you may also find that your team needs third-party tools to add capabilities you need, such as servers, firewalls, datasets, and more! All of these tools add up, and many of these will be required to develop a high-quality solution that serves your needs.
This is all just to build the solution - this doesn't include the consistent cost of upkeep, as your system will need regular maintenance. These expenses will persist for the entire lifespan of your system, and they’ll be a regular time and cost commitment for your team. These costs are also much more difficult to predict than the costs of a monthly or annual subscription to a compliance solution.
While it may seem shocking, building a solution from scratch can cost millions of dollars, especially when you consider the salary costs of the team and how long it will actually take to build. Factor in third-party tools that will be needed, and you are looking at a huge investment.
Keep in mind that the above is just a baseline to guide you. You may find that you need more risk analysts than we’ve listed. Larger companies may also need more than one compliance officer, and even someone in a senior role, which can bring higher salary expectations.
As you can see, even a relatively small Risk and Compliance team can cost upwards of $1 million USD each year. That’s before factoring in the costs of third-party vendors, such as alert management systems, reporting solutions, and more.
Let’s compare the difference in costs between buying and building your compliance system:
3. Performance and efficiency
Just because you can do something doesn’t necessarily mean you can do it the best. Sure, your team could build out their own solution, but will it perform as good - or better - than fraud and compliance solutions on the market?
Whether you build or buy, you’ll want a solution that offers incredible performance, ensuring compliance and preventing fraud. Fraud is rapidly changing, with new schemes popping up regularly. You’ll need to keep pace, staying abreast of all regulatory changes and applying them to your compliance tech stack.
If you think you can manage these updates yourself - and perform them either (1) more cost effectively than existing solutions on the market, or (2) perform them better than existing solutions on the market, then building your own solution may be worth it. Otherwise, buying is likely a better option. It will get you immediate access to a solution finely tuned for fraud and AML cases.
Performance is critical. Let’s compare buying vs building when it comes to efficiency and output:
4. Adapting and scaling with growth
While building your own solution may give you more control over customization, it also means you need to keep your solution up-to-date and on top of AML best practices. When you build a solution yourself, you’ll need to make sure it can scale and adapt as your team needs.
This is more challenging in practice than it seems in theory, and will require a significant investment of time and money. Any time that you need a new feature, you’ll need to build this in-house and integrate it with your existing system. Each time you need to add a new feature or rule, your team will need to do this themselves. Not only that, but they’ll need to test that it functions as intended.
It’s best to purchase a flexible solution that enables customization, adaptability, and ease-of-use. This will let you tailor rules to your specific needs (and how your customers use your platform) as well as the most prominent threats you’re facing. Some solutions come with out-of-the-box rules that are built based on the fraud schemes that are currently trending, allowing you to use these almost immediately with very little setup.
Below, we cover how building and buying compare when it comes to adjusting to growth.
5. Automate and improve compliance operations
AML regulations are updated constantly to keep pace with the tactics of criminals. Rules and regulations for compliance are specific to the region a business operates in. Because of this, it can be difficult to keep track of all the regulations that apply, as national, state, and regional regulations can apply in different cases.
You need to be aware of where you conduct operations and the variety of regulations that may apply in different areas. Any fraud and AML solution worth its cost will be flexible enough to let you easily scale as regulations change, and should do as much as possible to simplify this process for you. This will keep your business compliant as well, typically without any (or very little) work from your team.
When you build a compliance system yourself, you’re responsible for ensuring it’s up to compliance standards and that it adheres to all relevant regulations. Your compliance officer will need to be on top of any regulations that apply to you (based on all the regions you operate in).
Your engineering team will need to create and implement new rules as fraud schemes come up and will need to make updates when AML regulations change. Even for adept fraud and AML teams, this can be a hefty undertaking (in terms of both effort and cost). With AI and machine learning modernizing what fraud and AML solutions are capable of, it's important to consider if you can truly keep up.
The system also needs to fit within your overall compliance program, integrating with your other risk and compliance operations.
Below, we compare how the two stack up when it comes to compliance:
Closing Thoughts About Buying Vs. Building
If you really believe you can execute each of the steps to build your own solution (and that you can do it better or cheaper than existing products), then you may want to build a solution in house. But be prepared to not only build out the software, but upkeep and upgrade it over time.
In most cases, buying a solution is a more cost effective method, as it will be cheaper overall and is also a set monthly cost that won’t change based on your internal needs. Risk and compliance solutions are also designed with best practices in mind, and are meant to be easy to adopt and use, giving you the customization options you need to build out risk and compliance rules that protect your platform.
One of the best advantages to buying over building is that you can purchase a comprehensive solution that performs all fraud and AML compliance tasks from one place. You’ll never have to rely on amalgamating software from different vendors - as you typically will when building your own tool.
Building your own solution is a constant balance between cost and performance. Because of this, building your own solution typically comes with one of two downsides: you either save on costs but don’t meet the same performance of existing software (and therefore your competitors), or you develop high-quality performance that costs you a fortune to develop and manage (limiting your actual revenue potential).
Now, everything we’ve covered in this article is all well and good if you are the one making the decision about what system the organization will implement.
But, if you aren’t, you may feel like your opinion has no weight. But, as a risk and compliance officer, analyst, or investigator, you understand the importance of having an easy-to-use, high-performance solution that helps you do your job more efficiently. It can be difficult to convince higher-ups or board members that buying is a better option, but we’re here to help.
While the board might easily be thrown off by the perceived monthly cost of a solution that would allow you to optimize your risk and compliance operations (and ultimately earn you greater revenue through reduced fraud losses and false positives), you will need to convince them that the right tool can save you a fortune compared to the cost of building - and maintaining - your own solution.
Remember, in order to appeal to your leadership about your preference for purchasing a solution instead of waiting for one to be built, speak to these critical points:
- Fraud schemes are always changing and we need to be able to move quickly. This requires an agile solution that can be updated without the help of engineering resources.
- In-house builds are expensive. One of the main ways to cut costs on compliance is to move away from home-grown solutions that drain company resources so we can spend our money on revenue-driving activities like product development and customer experience.
- In-house builds are inherently less scalable. If we want to expand our business to operate in new jurisdictions, an in-house solution would be difficult to update, which would slow our ability to grow responsibly.
- Cost is much more predictable when buying. This is especially true over the long wrong as your organization scales.
- Automation is key to productivity, but it is challenging to build. The more manual tasks we can eliminate from the risk and compliance process, the faster we can manage our alert workload. Using a solution with these features already accessible from the beginning will save time in the short and long term.
- Solutions should be designed so Risk and Compliance teams love to use them. Tools should improve workflows and optimize operations for your team. They should be easy to adopt, learn how to use, and then effective solutions for teams to use.
Need assistance convincing your board or leadership team to invest in a software solution that can be implemented in a matter of weeks and doesn’t rely on engineering resources to maintain? Get in touch with our team today.