Red Oak's Podcast
Red Oak's Podcast
Firms are Consolidating. Should their Compliance Tech Stack?
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
You know, um when you drive across a massive suspension bridge, there is this sort of comforting assumption that you make.
Speaker 1Oh, sure. Yeah. You just assume it's safe.
SpeakerRight. You're cruising along at like 60 miles an hour, and you just assume that the entire structure, the steel cables, the concrete pillars, the bolts, you assume it was all designed together.
Speaker 1Right. As like one unified, cohesive piece of engineering.
SpeakerExactly. You don't ever stop and think, ah, what if it's a dozen different construction companies built their own little sections, you know?
Speaker 1Like completely different blueprints.
SpeakerYeah, different blueprints, totally incompatible materials. And then, I mean, what if someone just came along at the very end and painted it all the exact same color so it just looks like one bridge?
Speaker 1I mean, the illusion of safety is the real danger there.
SpeakerYeah.
Speaker 1Maybe because you would feel perfectly secure right up until uh the exact moment a heavy truck drove over a hidden seam, you know, where two completely incompatible materials were bolted together.
SpeakerRight.
Speaker 1And the failure wouldn't be gradual at that point. It would be catastrophic.
SpeakerAnd yet um when it comes to the technology holding up the modern financial system, that uh that painted over bridge is exactly what a lot of incredibly smart people are buying right now.
Speaker 1It really is. It's wild.
SpeakerSo we've got a fascinating deep dive for you today. Our mission is to unpack this crucial, but honestly, often entirely overlooked structural shift happening in how businesses buy and build technology.
Speaker 1Yeah, we're looking at the architecture of compliance connectivity.
SpeakerExactly. And it completely reframes how we should think about software.
Speaker 1It really changes the calculus for anyone, uh anyone relying on technology to keep their operations running safely.
Speakerwhich is pretty much everyone.
Speaker 1Right. Honestly, whether you work in finance, healthcare, or you just rely on digital infrastructure functioning smoothly in your daily life, the mechanics of how these systems fail affects you.
SpeakerIt really does. So to set the stage for you, we kind of have to look at the pressure cooker that the financial industry is currently operating inside of.
Speaker 1Oh, absolutely.
SpeakerThe newly published FINRA 2026 Industry Snapshot just lays this out beautifully.
Speaker 1It does. It's a great report.
SpeakerAnd um, for those who aren't familiar, FENRA, the Financial Industry Regulatory Authority, they are essentially the referees for Wall Street.
Speaker 1Right. They track all the broker dealers.
SpeakerYeah. And the numbers they just released are honestly staggering.
Speaker 1They really are.
SpeakerSo at the end of 2025, there were 3,184 Fine RA registered firms.
Speaker 1Okay.
SpeakerWhich that is actually down from 3,394 firms just four years earlier.
Speaker 1So we're looking at a pretty noticeable drop.
SpeakerYeah, 6% drop in the sheer number of companies playing the game.
Speaker 1Wow.
SpeakerBut, and here's the kicker over that exact same four-year period, aggregate industry revenues absolutely skyrocketed.
Speaker 1Oh, yeah, big time.
SpeakerThey went from $399 billion up to $776 billion.
Speaker 1What's fascinating here is the massive paradox those numbers represent.
SpeakerTotally.
Speaker 1I mean, you have an industry generating nearly twice the revenue, right? Okay. But doing it with fewer players.
SpeakerRight. Less firms, way more money.
Speaker 1Exactly. And that means the firms that survived, like the ones left on the board, they are absolute behemoth snow.
SpeakerOh, yeah. Huge.
Speaker 1Their internal scale has just exploded. They're operating across dozens of digital channels. They are managing huge remote workforces and uh generating a volume of communications that legacy software systems were simply never designed to handle.
SpeakerThey're pushing far more weight across that bridge than ever before.
Speaker 1Yeah, that's a perfect way to put it.
SpeakerSo this brings us to the core question of our deep dive. If these firms are getting this massive and their daily operations are becoming incredibly complex, does their technology stack need to consolidate to keep up?
Speaker 1Right. That's the big debate.
SpeakerBecause I feel like the natural instinct is to say yes. You know? Yeah. You want fewer vendors, fewer contracts, just uh fewer moving parts to manage overall.
Speaker 1Yeah, it makes sense on paper.
SpeakerBut the research we're looking at argues that this instinct is actually a dangerous trap.
Speaker 1Oh, it's a total mirage. I mean, the urge to simplify is completely understandable, but how vendors are capitalizing on that urge, that is where things get really messy.
SpeakerOkay. So what's happened?
Speaker 1Well, we are seeing a very specific bifurcation in the market right now. Like consolidation is happening, but it is not happening evenly at all.
SpeakerI have to imagine that if these massive firms are just like drowning in complexity, software vendors are basically throwing these all-in-one life rafts at them left and right.
Speaker 1They absolutely are, particularly down market. Okay. You have newer platforms pitching all-in-one compliance as like a brand new software category.
SpeakerWow.
Speaker 1And alongside them, you have these massive roll-up vendors.
SpeakerRoll-up vendors.
Speaker 1Yeah. These are companies that grow incredibly fast through really aggressive mergers and acquisitions.
SpeakerOkay, I see.
Speaker 1So they basically buy up a bunch of disparate, entirely separate software products. Um, maybe an archiving tool from 2015, a surveillance tool from 2019, and then like a communications platform from last year.
SpeakerRight, just grabbing all these different pieces.
Speaker 1Exactly. And they stitch them all together under a single brand.
SpeakerThey paint the brig one color.
Speaker 1Precisely. They just slap a new coat of paint on it. But if you look at the sophisticated enterprise buyers, I'm talking the massive, complex financial institutions and asset managers. They're actively resisting that all-in-one pitch.
SpeakerReally? Why is that?
Speaker 1They are sticking to best of breed solutions. They want specialized, dedicated tools, especially in really high-risk domains like advertising review or employee compliance.
SpeakerRight, the stuff that actually gets you fined if you mess it up.
Speaker 1Exactly. They prioritize deep regulatory nuance over the illusion of a simple procurement process.
SpeakerMakes sense.
Speaker 1Because they've learned the hard way that compliance failures usually don't happen because you have too many vendors.
SpeakerOh, that's a great point.
Speaker 1Yeah. They happen because of gaps between systems, you know? Brittle integrations and rigid workflows that just don't match reality.
SpeakerOkay, let's unpack this because this illusion of the unified logo, um, the distinction between commercial bundling and true architectural integration is just so crucial here.
Speaker 1It really is the whole ballgame.
SpeakerIs this kind of like uh like buying a combo meal at a fast food joint, only to find out that the burger and the fries are actually being cooked in two entirely different kitchens?
Speaker 1Yes. Oh, that's exactly it.
SpeakerLike the burger kitchen operates in metric, the fry kitchen uses imperial measurements, and uh the drink station requires a completely different currency entirely.
Speaker 1Ah, yeah, exactly.
SpeakerYou get it all handed to you in one bag, but it's just a total mess behind the counter.
Speaker 1That gets right to the heart of the mechanical failure here. I mean, putting adjacent tools under one website logo and selling them with a single contract, that does not mean they share a unified data model.
SpeakerRight. Right.
Speaker 1Doesn't mean they use a common workflow engine at all.
SpeakerSo it's just marketing.
Speaker 1In so many of these MA rollups, what looks like a seamless platform to the buyer is really just a portfolio of conflicting database schemas. Oh wow. They structure their data in completely different languages. Every tool under that logo carries its own internal assumptions, its own unique way of tagging data, and literally its own completely separate engineering roadmap.
SpeakerOkay, I get that it's messy under the hood, but uh I have to push back here for a second. Sure. Because put yourself in the shoes of a corporate procurement officer.
Speaker 1Oh, I don't envy them.
SpeakerRight. Procurement is a nightmare. It is endless vendor reviews, security audits, budget meetings. Totally. Even if it is a Frankenstein combo meal behind the scenes, if the buyer gets just one invoice to pay and one centralized support number to call when things break, why shouldn't they take that deal?
Speaker 1It's a fair question.
SpeakerLike, why does it matter to you, the buyer, what the underlying code looks like as long as the paperwork is easy?
Speaker 1Because that single invoice comes with a massive hidden cost.
SpeakerOkay.
Speaker 1You are trading a temporary paperwork convenience for a permanent structural liability. Buying that Frankenstein combo meal creates something called architectural concentration risk.
SpeakerArchitectural concentration risk.
Speaker 1Yeah.
SpeakerUm that sounds like something an insurance adjuster brings up right before they deny your claim.
Speaker 1It basically is. I mean, when you buy into one of these monolithic platforms, you are deeply embedding multiple critical compliance domains, you know, archiving, trade approvals, communications supervision into one tightly coupled system. Right. And if they are tightly coupled, the blast radius of a failure is exponential. A disruption in one single part of that environment can simultaneously take down everything else.
SpeakerSo wait, walk me through how that actually happens mechanically.
Speaker 1Okay. So let's say your firm uses an all-in-one suite.
SpeakerRight.
Speaker 1And on a Tuesday morning, the module that is responsible for archiving marketing emails pushes a bad software update and freezes.
SpeakerOkay, a glitch. Happens all the time.
Speaker 1Right. But because the entire suite shares a tightly coupled interdependent architecture that frees cascades. Oh. Suddenly your trading desk can't get approvals for new block trades, your onboarding team can't verify new employees.
SpeakerBecause it's all connected.
Speaker 1Exactly. Your entire compliance operation grinds to a halt because of a hiccup in an email archive.
SpeakerWow. And to bring this back to you, the listener, think about the real world impact of that.
Speaker 1It's huge.
SpeakerIf you are just an everyday person trying to execute a critical trade on your retirement account during a volatile market swing, and your broker's system is completely frozen because their marketing department's email archive had a software glitch.
Speaker 1Yeah.
SpeakerThat is terrifying. You basically put all your eggs in one basket, but the basket is taped together with conflicting blueprints.
Speaker 1And the danger of that tight coupling goes way beyond just system crashes, too.
SpeakerReally?
Speaker 1Yeah. It destroys your agility over time.
SpeakerOh so.
Speaker 1When your workflows are deeply embedded into a monolithic suite, you are essentially forced to standardize your company's internal processes to match what the software allows. Rather than what your business actually needs.
SpeakerSo you are conforming to the software, not the other way around.
Speaker 1Exactly. If the vendor's tool requires four rigid steps to approve a piece of marking material, and your internal legal policy says you only need two, too bad.
SpeakerYou're doing four steps.
Speaker 1You are doing four steps. And worse, replacing just one piece of that suite becomes an operational nightmare.
SpeakerBecause you can't just rip it out.
Speaker 1Right. You can't just rip out the underperforming ad review module without tearing up the roots of the entire system.
SpeakerBecause it's all tangled together, which means the vendors know you can't leave.
Speaker 1Bingo.
SpeakerThey have you trapped, which quietly destroys your firm's pricing leverage.
Speaker 1Yep.
SpeakerYou become a captive audience locked into their innovation timeline. Like if they decide they aren't going to update their communications supervision tool for three years because they are focused on building a new feature to sell to someone else. You are stuck with outdated technology in a world where regulations are changing daily.
Speaker 1That loss of leverage is often the silent killer of enterprise software. It really is.
SpeakerThere is a fantastic rule of thumb to remember here from the text. In regulated environments, flexibility is risk management.
Speaker 1I love that quote.
SpeakerFlexibility is risk management. That is such a powerful reframe.
Speaker 1It is.
SpeakerSo if the monolithic, tightly coupled suite is the wrong way to go, what is the right way?
Speaker 1Right.
SpeakerI mean, the alternative we are looking at is called architected connectivity.
Speaker 1Right. Architected connectivity is about intentionally integrating specialized systems through API's application programming interfaces.
SpeakerOkay. Explain how that works mechanically for someone who isn't a software engineer.
Speaker 1Sure. So think of an API as a universal translator and like a dedicated delivery service rolled into one. Instead of welding two software programs together into a monolith, an API allows them to remain completely independent, but they talk to each other perfectly. Oh, that makes sense. The components remain entirely modular and replaceable. You get the operational simplicity of having systems that share data smoothly, but you aren't forced into a single vendor's ecosystem. Right. You can just unplug an old tool and plug in a new one without disturbing the rest of the machinery.
SpeakerOkay, but this raises a fundamental question. Why do these one size fits all systems inevitably fail to begin with? I mean, surely with enough money, some brilliant engineering team could just build one massive system that actually does everything perfectly.
Speaker 1You would think so.
SpeakerYeah. But to understand why that's essentially a pipe dream, we have to look at the nature of the work itself. Compliance work isn't just one thing. It actually falls into two fundamentally different categories.
Speaker 1Exactly.
SpeakerCategory one is infrastructure compliance.
Speaker 1Right. And infrastructure compliance encompasses tasks like mass archiving, basic surveillance, record keeping, you know, data ingestion.
SpeakerThe heavy lifting.
Speaker 1Yeah. These are highly standardized, voluminous tasks.
SpeakerAnd because they are so standardized, they are commoditizing. Yeah. They're basically becoming utilities. You can easily embed them into broader platforms and price them like electricity or water. You just want them running silently in the background.
Speaker 1Exactly.
SpeakerBut then category two is judgment heavy compliance.
Speaker 1Now this is a completely different beast. Judgment heavy compliance includes things like advertising review, context-dependent communications supervision, and uh complex regulatory workflows that might touch legal, marketing, and distribution teams all at the exact same time. Right. This type of work requires infinite configurability, complex audit trails, and most importantly, human in the loop decisioning.
SpeakerOh, absolutely.
Speaker 1You just cannot fully automate the nuance of human judgment in high-stakes regulatory environments.
SpeakerHere's where it gets really interesting. Think about it like a city.
Speaker 1Okay.
SpeakerCategory one, the infrastructure compliance. Yeah. That is the plumbing of the city.
Speaker 1I like that.
SpeakerIt absolutely needs to be standardized. Every pipe needs to fit together perfectly, the pressure needs to be constant, and you want it running invisibly under the streets.
Speaker 1You don't ever want to think about the plumbing.
SpeakerExactly. You never want to think about the plumbing. But category two, the judgment-heavy compliance, that is the city's legal system.
Speaker 1Oh, that's a great analogy.
SpeakerRight. It requires deep context, human judgment, debate, and unique adaptation to highly specific, nuanced situations. You would never hire a plumber to act as a judge in a courtroom. Oh, no. So why would a company try to buy software that treats both tasks like they require the exact same engineering?
Speaker 1Well, you wouldn't, or at least you shouldn't.
SpeakerRight.
Speaker 1And that's really the fatal flaw of monolithic systems. They try to treat the legal system like it's just more plumbing. Yeah. But judgment-heavy workflows are inherently cross-system. Think about a piece of marketing material. Okay. It tracks a thread from the creation of an asset by a designer to its approval by legal, to its distribution to clients, and then to its ongoing supervision by compliance.
SpeakerIt moves around a lot.
Speaker 1Right. That workflow cannot live inside a single isolated point solution. It has to travel.
SpeakerSo how do you manage that travel? I mean, if you have all these modular best-debreed tools connected by APIs, your separate designer tool, your separate legal tool, your separate archiving tool. How do you keep track of what's happening without losing your mind?
Speaker 1The solution is shifting value toward what are called orchestration layers.
SpeakerOkay, break that down for us. What exactly is an orchestration layer doing mechanically?
Speaker 1An orchestration layer sits above your specialized tools. It doesn't try to replace your archiving tool or your ad review tool. Okay. Instead, it acts as the centralized brain and the connective tissue. It uses those APIs we talked about to control the workflow and track the context.
SpeakerI see.
Speaker 1Let's say an advisor wants to send a complex financial proposal to a client. Right. The orchestration layer takes that request, pings the risk analysis tool for a quick check, routes it to the human supervisor for approval, and once approved, sends a copy to the archive tool for storage.
SpeakerOh wow.
Speaker 1Yeah. It maintains the thread of compliance across all those different systems without ever trying to absorb them.
SpeakerSo it basically gives you that single pane of glass interface that the procurement officer wants, but respects the modularity underneath.
Speaker 1Exactly.
SpeakerIt doesn't swallow the data, it just directs traffic. You get the combo meal experience, but you know exactly which independent kitchen cooked the burger and which one made the fries.
Speaker 1Yes, perfectly said.
SpeakerAnd if the fry cook starts burning the food, you can just fire them and hire a new one without having to tear down the entire restaurant.
Speaker 1That is a brilliant way to conceptualize it. You retain total control over the components.
SpeakerSo if this orchestration layer, this idea of compliance connectivity, is the correct architecture for the future, how do companies actually make sure they're buying the right thing?
Speaker 1That's the tricky part.
SpeakerBecause it seems like the old ways we evaluate software vendors just aren't going to cut it anymore.
Speaker 1The old playbooks are definitely obsolete for this. Look at traditional vendor risk programs today.
SpeakerRight.
Speaker 1What do they actually check? They look at the vendor's cybersecurity posture, they check their financial viability, they ask for SOC audits.
SpeakerWhich uh for those who don't spend their days in IT procurement, a SOC audit is essentially a standardized report that proves a service organization has secure data controls. Right. It's basically checking to see if the vendor put good deadbolts on their doors.
Speaker 1Exactly. And while checking the deadbolts is obviously important, those scorecards were built for a different era. They don't measure the hidden risks of how the software's architecture is actually constructed. They check if the house is secure from the outside, but they don't check if it's built on a foundation of quicksand.
SpeakerBut in so many organizations, the sheer desire for procurement simplification still drives the buying decision way faster than any kind of deep architectural risk analysis.
Speaker 1Oh, absolutely. And this raises an important question. What should buyers actually be asking instead?
SpeakerRight.
Speaker 1We need a much more sophisticated approach. Buyers must now evaluate two new concepts: functional concentration risk and workflow dependency mapping.
SpeakerMeaning instead of just asking, is your software secure? Yeah. You need to ask, is this tool truly integrated at the workflow level? Or are you just selling me three separate duct tape tools under one brand name?
Speaker 1Yes. You have to push the vendor, ask them. If one component of the suite fails or underperforms next year, how easily can I unplug it and replace it with your competitor's product?
SpeakerGood luck getting a straight answer on that.
Speaker 1Right. You have to ask, are we collapsing our future optionality just so we can get a unified invoice today?
SpeakerAnd let's be real. If you ask a vendor who is selling a monolithic, tightly coupled system, those questions, they are going to squirm.
Speaker 1Oh, they will hate it.
SpeakerBecause their entire business model relies on you not being able to easily replace their underperforming parts.
Speaker 1Yeah.
SpeakerThey want the lock-in.
Speaker 1They do. But the market dynamics are shifting, and buyers won't be the only ones asking these questions soon.
SpeakerWhat do you mean?
Speaker 1We are seeing really strong indicators that these architectural risk analyses are not just going to be internal IT preferences.
SpeakerReally?
Speaker 1Yeah. They are increasingly going to show up on formal regulatory exams, in board of director reviews, and in third-party risk assessments. Regulators are waking up to the fact that tightly coupled monolithic systems represent a systemic risk to the entire industry.
SpeakerWow. So if a company is buying one of these massive all-in-one suites right now just to make their procurement life a little easier, they might literally be setting themselves up to fail a regulatory exam three years from now simply because their architecture is too concentrated.
Speaker 1It's very possible.
SpeakerThe cost of a bad architectural decision isn't just an IT headache anymore. It is becoming a measurable, auditable compliance failure.
Speaker 1The definition of risk is expanding. I mean, if your system design prevents you from adapting to new regulations quickly, your system design is noncompliant.
SpeakerSo what does this all mean? Let's bring this all together for you. We started by looking at those wild fininara numbers. A financial industry that is nearly doubling its revenue while shrinking the number of firms.
Speaker 1Yeah.
SpeakerThat means the surviving firms are growing massively in scale and complexity. The natural knee-jerk reaction to that complexity is to blindly consolidate software into massive monolithic suites. Right. Give me one invoice, give me the combo meal, paint the bridge one color. But as we've seen, that all-in-one pitch is a trap.
Speaker 1Because commercial simplicity getting one bill is not the same thing as architectural integration. Not at all. Buying a tightly coupled system creates enormous concentration risk. It forces your business to standardize to the software rather than adapting the software to your business.
SpeakerYeah.
Speaker 1It destroys your pricing leverage and just locks you in.
SpeakerInstead, because complex environments require both standardized infrastructure and highly nuanced human-in-the-loop judgment, we need a different approach.
Speaker 1Exactly.
SpeakerThe true goal is commercial simplicity without architectural overconcentration. We need modular connected ecosystems driven by APIs. Right. We need an orchestration layer that acts as the brain, tying specialized tools together so you have the flexibility to swap out parts as the world changes, because flexibility is risk management.
Speaker 1And I want to leave you with something to ponder, you know, building on where this entire field is heading.
SpeakerOkay, let's hear it.
Speaker 1We talked a lot today about how judgment-heavy compliance relies heavily on human-in-the-loop context. Right. But what happens in the next three to five years when advanced AI agents start actively participating in these orchestration layers? Aaron Powell Will an AI evaluator prefer to work inside a rigid, monolithic system that traps its data in silos and limits its actions? Or will an AI thrive precisely because it can navigate a flexible, API connected ecosystem, pulling context from a dozen different modular tools faster and more comprehensively than a human ever could?
SpeakerThat is a fascinating question to chew on.
Speaker 1Right.
SpeakerBecause if the AI revolution is coming to compliance and complex business operations, you definitely don't want to trap it inside a walled garden.
Speaker 1Definitely not.
SpeakerYou want it running across an open connected ecosystem. It really brings us back to that suspension bridge we talked about at the very beginning.
Speaker 1It really does.
SpeakerYou can't just paint over a disjointed foundation and hope it holds up under the weight of the future. You have to design the connections intentionally.
Speaker 1Absolutely.
SpeakerWell, thank you so much for joining us on this deep dive. Keep asking the tough questions about the systems, running your own industries. Watch out for the illusion of the unified logo, and we will catch you next time.