Red Oak's Podcast

Firms are Consolidating. Should their Compliance Tech Stack?  

Red Oak

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 22:58
Speaker

You know, um when you drive across a massive suspension bridge, there is this sort of comforting assumption that you make.

Speaker 1

Oh, sure. Yeah. You just assume it's safe.

Speaker

Right. You're cruising along at like 60 miles an hour, and you just assume that the entire structure, the steel cables, the concrete pillars, the bolts, you assume it was all designed together.

Speaker 1

Right. As like one unified, cohesive piece of engineering.

Speaker

Exactly. You don't ever stop and think, ah, what if it's a dozen different construction companies built their own little sections, you know?

Speaker 1

Like completely different blueprints.

Speaker

Yeah, different blueprints, totally incompatible materials. And then, I mean, what if someone just came along at the very end and painted it all the exact same color so it just looks like one bridge?

Speaker 1

I mean, the illusion of safety is the real danger there.

Speaker

Yeah.

Speaker 1

Maybe because you would feel perfectly secure right up until uh the exact moment a heavy truck drove over a hidden seam, you know, where two completely incompatible materials were bolted together.

Speaker

Right.

Speaker 1

And the failure wouldn't be gradual at that point. It would be catastrophic.

Speaker

And yet um when it comes to the technology holding up the modern financial system, that uh that painted over bridge is exactly what a lot of incredibly smart people are buying right now.

Speaker 1

It really is. It's wild.

Speaker

So we've got a fascinating deep dive for you today. Our mission is to unpack this crucial, but honestly, often entirely overlooked structural shift happening in how businesses buy and build technology.

Speaker 1

Yeah, we're looking at the architecture of compliance connectivity.

Speaker

Exactly. And it completely reframes how we should think about software.

Speaker 1

It really changes the calculus for anyone, uh anyone relying on technology to keep their operations running safely.

Speaker

which is pretty much everyone.

Speaker 1

Right. Honestly, whether you work in finance, healthcare, or you just rely on digital infrastructure functioning smoothly in your daily life, the mechanics of how these systems fail affects you.

Speaker

It really does. So to set the stage for you, we kind of have to look at the pressure cooker that the financial industry is currently operating inside of.

Speaker 1

Oh, absolutely.

Speaker

The newly published FINRA 2026 Industry Snapshot just lays this out beautifully.

Speaker 1

It does. It's a great report.

Speaker

And um, for those who aren't familiar, FENRA, the Financial Industry Regulatory Authority, they are essentially the referees for Wall Street.

Speaker 1

Right. They track all the broker dealers.

Speaker

Yeah. And the numbers they just released are honestly staggering.

Speaker 1

They really are.

Speaker

So at the end of 2025, there were 3,184 Fine RA registered firms.

Speaker 1

Okay.

Speaker

Which that is actually down from 3,394 firms just four years earlier.

Speaker 1

So we're looking at a pretty noticeable drop.

Speaker

Yeah, 6% drop in the sheer number of companies playing the game.

Speaker 1

Wow.

Speaker

But, and here's the kicker over that exact same four-year period, aggregate industry revenues absolutely skyrocketed.

Speaker 1

Oh, yeah, big time.

Speaker

They went from $399 billion up to $776 billion.

Speaker 1

What's fascinating here is the massive paradox those numbers represent.

Speaker

Totally.

Speaker 1

I mean, you have an industry generating nearly twice the revenue, right? Okay. But doing it with fewer players.

Speaker

Right. Less firms, way more money.

Speaker 1

Exactly. And that means the firms that survived, like the ones left on the board, they are absolute behemoth snow.

Speaker

Oh, yeah. Huge.

Speaker 1

Their internal scale has just exploded. They're operating across dozens of digital channels. They are managing huge remote workforces and uh generating a volume of communications that legacy software systems were simply never designed to handle.

Speaker

They're pushing far more weight across that bridge than ever before.

Speaker 1

Yeah, that's a perfect way to put it.

Speaker

So this brings us to the core question of our deep dive. If these firms are getting this massive and their daily operations are becoming incredibly complex, does their technology stack need to consolidate to keep up?

Speaker 1

Right. That's the big debate.

Speaker

Because I feel like the natural instinct is to say yes. You know? Yeah. You want fewer vendors, fewer contracts, just uh fewer moving parts to manage overall.

Speaker 1

Yeah, it makes sense on paper.

Speaker

But the research we're looking at argues that this instinct is actually a dangerous trap.

Speaker 1

Oh, it's a total mirage. I mean, the urge to simplify is completely understandable, but how vendors are capitalizing on that urge, that is where things get really messy.

Speaker

Okay. So what's happened?

Speaker 1

Well, we are seeing a very specific bifurcation in the market right now. Like consolidation is happening, but it is not happening evenly at all.

Speaker

I have to imagine that if these massive firms are just like drowning in complexity, software vendors are basically throwing these all-in-one life rafts at them left and right.

Speaker 1

They absolutely are, particularly down market. Okay. You have newer platforms pitching all-in-one compliance as like a brand new software category.

Speaker

Wow.

Speaker 1

And alongside them, you have these massive roll-up vendors.

Speaker

Roll-up vendors.

Speaker 1

Yeah. These are companies that grow incredibly fast through really aggressive mergers and acquisitions.

Speaker

Okay, I see.

Speaker 1

So they basically buy up a bunch of disparate, entirely separate software products. Um, maybe an archiving tool from 2015, a surveillance tool from 2019, and then like a communications platform from last year.

Speaker

Right, just grabbing all these different pieces.

Speaker 1

Exactly. And they stitch them all together under a single brand.

Speaker

They paint the brig one color.

Speaker 1

Precisely. They just slap a new coat of paint on it. But if you look at the sophisticated enterprise buyers, I'm talking the massive, complex financial institutions and asset managers. They're actively resisting that all-in-one pitch.

Speaker

Really? Why is that?

Speaker 1

They are sticking to best of breed solutions. They want specialized, dedicated tools, especially in really high-risk domains like advertising review or employee compliance.

Speaker

Right, the stuff that actually gets you fined if you mess it up.

Speaker 1

Exactly. They prioritize deep regulatory nuance over the illusion of a simple procurement process.

Speaker

Makes sense.

Speaker 1

Because they've learned the hard way that compliance failures usually don't happen because you have too many vendors.

Speaker

Oh, that's a great point.

Speaker 1

Yeah. They happen because of gaps between systems, you know? Brittle integrations and rigid workflows that just don't match reality.

Speaker

Okay, let's unpack this because this illusion of the unified logo, um, the distinction between commercial bundling and true architectural integration is just so crucial here.

Speaker 1

It really is the whole ballgame.

Speaker

Is this kind of like uh like buying a combo meal at a fast food joint, only to find out that the burger and the fries are actually being cooked in two entirely different kitchens?

Speaker 1

Yes. Oh, that's exactly it.

Speaker

Like the burger kitchen operates in metric, the fry kitchen uses imperial measurements, and uh the drink station requires a completely different currency entirely.

Speaker 1

Ah, yeah, exactly.

Speaker

You get it all handed to you in one bag, but it's just a total mess behind the counter.

Speaker 1

That gets right to the heart of the mechanical failure here. I mean, putting adjacent tools under one website logo and selling them with a single contract, that does not mean they share a unified data model.

Speaker

Right. Right.

Speaker 1

Doesn't mean they use a common workflow engine at all.

Speaker

So it's just marketing.

Speaker 1

In so many of these MA rollups, what looks like a seamless platform to the buyer is really just a portfolio of conflicting database schemas. Oh wow. They structure their data in completely different languages. Every tool under that logo carries its own internal assumptions, its own unique way of tagging data, and literally its own completely separate engineering roadmap.

Speaker

Okay, I get that it's messy under the hood, but uh I have to push back here for a second. Sure. Because put yourself in the shoes of a corporate procurement officer.

Speaker 1

Oh, I don't envy them.

Speaker

Right. Procurement is a nightmare. It is endless vendor reviews, security audits, budget meetings. Totally. Even if it is a Frankenstein combo meal behind the scenes, if the buyer gets just one invoice to pay and one centralized support number to call when things break, why shouldn't they take that deal?

Speaker 1

It's a fair question.

Speaker

Like, why does it matter to you, the buyer, what the underlying code looks like as long as the paperwork is easy?

Speaker 1

Because that single invoice comes with a massive hidden cost.

Speaker

Okay.

Speaker 1

You are trading a temporary paperwork convenience for a permanent structural liability. Buying that Frankenstein combo meal creates something called architectural concentration risk.

Speaker

Architectural concentration risk.

Speaker 1

Yeah.

Speaker

Um that sounds like something an insurance adjuster brings up right before they deny your claim.

Speaker 1

It basically is. I mean, when you buy into one of these monolithic platforms, you are deeply embedding multiple critical compliance domains, you know, archiving, trade approvals, communications supervision into one tightly coupled system. Right. And if they are tightly coupled, the blast radius of a failure is exponential. A disruption in one single part of that environment can simultaneously take down everything else.

Speaker

So wait, walk me through how that actually happens mechanically.

Speaker 1

Okay. So let's say your firm uses an all-in-one suite.

Speaker

Right.

Speaker 1

And on a Tuesday morning, the module that is responsible for archiving marketing emails pushes a bad software update and freezes.

Speaker

Okay, a glitch. Happens all the time.

Speaker 1

Right. But because the entire suite shares a tightly coupled interdependent architecture that frees cascades. Oh. Suddenly your trading desk can't get approvals for new block trades, your onboarding team can't verify new employees.

Speaker

Because it's all connected.

Speaker 1

Exactly. Your entire compliance operation grinds to a halt because of a hiccup in an email archive.

Speaker

Wow. And to bring this back to you, the listener, think about the real world impact of that.

Speaker 1

It's huge.

Speaker

If you are just an everyday person trying to execute a critical trade on your retirement account during a volatile market swing, and your broker's system is completely frozen because their marketing department's email archive had a software glitch.

Speaker 1

Yeah.

Speaker

That is terrifying. You basically put all your eggs in one basket, but the basket is taped together with conflicting blueprints.

Speaker 1

And the danger of that tight coupling goes way beyond just system crashes, too.

Speaker

Really?

Speaker 1

Yeah. It destroys your agility over time.

Speaker

Oh so.

Speaker 1

When your workflows are deeply embedded into a monolithic suite, you are essentially forced to standardize your company's internal processes to match what the software allows. Rather than what your business actually needs.

Speaker

So you are conforming to the software, not the other way around.

Speaker 1

Exactly. If the vendor's tool requires four rigid steps to approve a piece of marking material, and your internal legal policy says you only need two, too bad.

Speaker

You're doing four steps.

Speaker 1

You are doing four steps. And worse, replacing just one piece of that suite becomes an operational nightmare.

Speaker

Because you can't just rip it out.

Speaker 1

Right. You can't just rip out the underperforming ad review module without tearing up the roots of the entire system.

Speaker

Because it's all tangled together, which means the vendors know you can't leave.

Speaker 1

Bingo.

Speaker

They have you trapped, which quietly destroys your firm's pricing leverage.

Speaker 1

Yep.

Speaker

You become a captive audience locked into their innovation timeline. Like if they decide they aren't going to update their communications supervision tool for three years because they are focused on building a new feature to sell to someone else. You are stuck with outdated technology in a world where regulations are changing daily.

Speaker 1

That loss of leverage is often the silent killer of enterprise software. It really is.

Speaker

There is a fantastic rule of thumb to remember here from the text. In regulated environments, flexibility is risk management.

Speaker 1

I love that quote.

Speaker

Flexibility is risk management. That is such a powerful reframe.

Speaker 1

It is.

Speaker

So if the monolithic, tightly coupled suite is the wrong way to go, what is the right way?

Speaker 1

Right.

Speaker

I mean, the alternative we are looking at is called architected connectivity.

Speaker 1

Right. Architected connectivity is about intentionally integrating specialized systems through API's application programming interfaces.

Speaker

Okay. Explain how that works mechanically for someone who isn't a software engineer.

Speaker 1

Sure. So think of an API as a universal translator and like a dedicated delivery service rolled into one. Instead of welding two software programs together into a monolith, an API allows them to remain completely independent, but they talk to each other perfectly. Oh, that makes sense. The components remain entirely modular and replaceable. You get the operational simplicity of having systems that share data smoothly, but you aren't forced into a single vendor's ecosystem. Right. You can just unplug an old tool and plug in a new one without disturbing the rest of the machinery.

Speaker

Okay, but this raises a fundamental question. Why do these one size fits all systems inevitably fail to begin with? I mean, surely with enough money, some brilliant engineering team could just build one massive system that actually does everything perfectly.

Speaker 1

You would think so.

Speaker

Yeah. But to understand why that's essentially a pipe dream, we have to look at the nature of the work itself. Compliance work isn't just one thing. It actually falls into two fundamentally different categories.

Speaker 1

Exactly.

Speaker

Category one is infrastructure compliance.

Speaker 1

Right. And infrastructure compliance encompasses tasks like mass archiving, basic surveillance, record keeping, you know, data ingestion.

Speaker

The heavy lifting.

Speaker 1

Yeah. These are highly standardized, voluminous tasks.

Speaker

And because they are so standardized, they are commoditizing. Yeah. They're basically becoming utilities. You can easily embed them into broader platforms and price them like electricity or water. You just want them running silently in the background.

Speaker 1

Exactly.

Speaker

But then category two is judgment heavy compliance.

Speaker 1

Now this is a completely different beast. Judgment heavy compliance includes things like advertising review, context-dependent communications supervision, and uh complex regulatory workflows that might touch legal, marketing, and distribution teams all at the exact same time. Right. This type of work requires infinite configurability, complex audit trails, and most importantly, human in the loop decisioning.

Speaker

Oh, absolutely.

Speaker 1

You just cannot fully automate the nuance of human judgment in high-stakes regulatory environments.

Speaker

Here's where it gets really interesting. Think about it like a city.

Speaker 1

Okay.

Speaker

Category one, the infrastructure compliance. Yeah. That is the plumbing of the city.

Speaker 1

I like that.

Speaker

It absolutely needs to be standardized. Every pipe needs to fit together perfectly, the pressure needs to be constant, and you want it running invisibly under the streets.

Speaker 1

You don't ever want to think about the plumbing.

Speaker

Exactly. You never want to think about the plumbing. But category two, the judgment-heavy compliance, that is the city's legal system.

Speaker 1

Oh, that's a great analogy.

Speaker

Right. It requires deep context, human judgment, debate, and unique adaptation to highly specific, nuanced situations. You would never hire a plumber to act as a judge in a courtroom. Oh, no. So why would a company try to buy software that treats both tasks like they require the exact same engineering?

Speaker 1

Well, you wouldn't, or at least you shouldn't.

Speaker

Right.

Speaker 1

And that's really the fatal flaw of monolithic systems. They try to treat the legal system like it's just more plumbing. Yeah. But judgment-heavy workflows are inherently cross-system. Think about a piece of marketing material. Okay. It tracks a thread from the creation of an asset by a designer to its approval by legal, to its distribution to clients, and then to its ongoing supervision by compliance.

Speaker

It moves around a lot.

Speaker 1

Right. That workflow cannot live inside a single isolated point solution. It has to travel.

Speaker

So how do you manage that travel? I mean, if you have all these modular best-debreed tools connected by APIs, your separate designer tool, your separate legal tool, your separate archiving tool. How do you keep track of what's happening without losing your mind?

Speaker 1

The solution is shifting value toward what are called orchestration layers.

Speaker

Okay, break that down for us. What exactly is an orchestration layer doing mechanically?

Speaker 1

An orchestration layer sits above your specialized tools. It doesn't try to replace your archiving tool or your ad review tool. Okay. Instead, it acts as the centralized brain and the connective tissue. It uses those APIs we talked about to control the workflow and track the context.

Speaker

I see.

Speaker 1

Let's say an advisor wants to send a complex financial proposal to a client. Right. The orchestration layer takes that request, pings the risk analysis tool for a quick check, routes it to the human supervisor for approval, and once approved, sends a copy to the archive tool for storage.

Speaker

Oh wow.

Speaker 1

Yeah. It maintains the thread of compliance across all those different systems without ever trying to absorb them.

Speaker

So it basically gives you that single pane of glass interface that the procurement officer wants, but respects the modularity underneath.

Speaker 1

Exactly.

Speaker

It doesn't swallow the data, it just directs traffic. You get the combo meal experience, but you know exactly which independent kitchen cooked the burger and which one made the fries.

Speaker 1

Yes, perfectly said.

Speaker

And if the fry cook starts burning the food, you can just fire them and hire a new one without having to tear down the entire restaurant.

Speaker 1

That is a brilliant way to conceptualize it. You retain total control over the components.

Speaker

So if this orchestration layer, this idea of compliance connectivity, is the correct architecture for the future, how do companies actually make sure they're buying the right thing?

Speaker 1

That's the tricky part.

Speaker

Because it seems like the old ways we evaluate software vendors just aren't going to cut it anymore.

Speaker 1

The old playbooks are definitely obsolete for this. Look at traditional vendor risk programs today.

Speaker

Right.

Speaker 1

What do they actually check? They look at the vendor's cybersecurity posture, they check their financial viability, they ask for SOC audits.

Speaker

Which uh for those who don't spend their days in IT procurement, a SOC audit is essentially a standardized report that proves a service organization has secure data controls. Right. It's basically checking to see if the vendor put good deadbolts on their doors.

Speaker 1

Exactly. And while checking the deadbolts is obviously important, those scorecards were built for a different era. They don't measure the hidden risks of how the software's architecture is actually constructed. They check if the house is secure from the outside, but they don't check if it's built on a foundation of quicksand.

Speaker

But in so many organizations, the sheer desire for procurement simplification still drives the buying decision way faster than any kind of deep architectural risk analysis.

Speaker 1

Oh, absolutely. And this raises an important question. What should buyers actually be asking instead?

Speaker

Right.

Speaker 1

We need a much more sophisticated approach. Buyers must now evaluate two new concepts: functional concentration risk and workflow dependency mapping.

Speaker

Meaning instead of just asking, is your software secure? Yeah. You need to ask, is this tool truly integrated at the workflow level? Or are you just selling me three separate duct tape tools under one brand name?

Speaker 1

Yes. You have to push the vendor, ask them. If one component of the suite fails or underperforms next year, how easily can I unplug it and replace it with your competitor's product?

Speaker

Good luck getting a straight answer on that.

Speaker 1

Right. You have to ask, are we collapsing our future optionality just so we can get a unified invoice today?

Speaker

And let's be real. If you ask a vendor who is selling a monolithic, tightly coupled system, those questions, they are going to squirm.

Speaker 1

Oh, they will hate it.

Speaker

Because their entire business model relies on you not being able to easily replace their underperforming parts.

Speaker 1

Yeah.

Speaker

They want the lock-in.

Speaker 1

They do. But the market dynamics are shifting, and buyers won't be the only ones asking these questions soon.

Speaker

What do you mean?

Speaker 1

We are seeing really strong indicators that these architectural risk analyses are not just going to be internal IT preferences.

Speaker

Really?

Speaker 1

Yeah. They are increasingly going to show up on formal regulatory exams, in board of director reviews, and in third-party risk assessments. Regulators are waking up to the fact that tightly coupled monolithic systems represent a systemic risk to the entire industry.

Speaker

Wow. So if a company is buying one of these massive all-in-one suites right now just to make their procurement life a little easier, they might literally be setting themselves up to fail a regulatory exam three years from now simply because their architecture is too concentrated.

Speaker 1

It's very possible.

Speaker

The cost of a bad architectural decision isn't just an IT headache anymore. It is becoming a measurable, auditable compliance failure.

Speaker 1

The definition of risk is expanding. I mean, if your system design prevents you from adapting to new regulations quickly, your system design is noncompliant.

Speaker

So what does this all mean? Let's bring this all together for you. We started by looking at those wild fininara numbers. A financial industry that is nearly doubling its revenue while shrinking the number of firms.

Speaker 1

Yeah.

Speaker

That means the surviving firms are growing massively in scale and complexity. The natural knee-jerk reaction to that complexity is to blindly consolidate software into massive monolithic suites. Right. Give me one invoice, give me the combo meal, paint the bridge one color. But as we've seen, that all-in-one pitch is a trap.

Speaker 1

Because commercial simplicity getting one bill is not the same thing as architectural integration. Not at all. Buying a tightly coupled system creates enormous concentration risk. It forces your business to standardize to the software rather than adapting the software to your business.

Speaker

Yeah.

Speaker 1

It destroys your pricing leverage and just locks you in.

Speaker

Instead, because complex environments require both standardized infrastructure and highly nuanced human-in-the-loop judgment, we need a different approach.

Speaker 1

Exactly.

Speaker

The true goal is commercial simplicity without architectural overconcentration. We need modular connected ecosystems driven by APIs. Right. We need an orchestration layer that acts as the brain, tying specialized tools together so you have the flexibility to swap out parts as the world changes, because flexibility is risk management.

Speaker 1

And I want to leave you with something to ponder, you know, building on where this entire field is heading.

Speaker

Okay, let's hear it.

Speaker 1

We talked a lot today about how judgment-heavy compliance relies heavily on human-in-the-loop context. Right. But what happens in the next three to five years when advanced AI agents start actively participating in these orchestration layers? Aaron Powell Will an AI evaluator prefer to work inside a rigid, monolithic system that traps its data in silos and limits its actions? Or will an AI thrive precisely because it can navigate a flexible, API connected ecosystem, pulling context from a dozen different modular tools faster and more comprehensively than a human ever could?

Speaker

That is a fascinating question to chew on.

Speaker 1

Right.

Speaker

Because if the AI revolution is coming to compliance and complex business operations, you definitely don't want to trap it inside a walled garden.

Speaker 1

Definitely not.

Speaker

You want it running across an open connected ecosystem. It really brings us back to that suspension bridge we talked about at the very beginning.

Speaker 1

It really does.

Speaker

You can't just paint over a disjointed foundation and hope it holds up under the weight of the future. You have to design the connections intentionally.

Speaker 1

Absolutely.

Speaker

Well, thank you so much for joining us on this deep dive. Keep asking the tough questions about the systems, running your own industries. Watch out for the illusion of the unified logo, and we will catch you next time.