The Architecture Tax: Why Banks Spend Over $200B on Compliance
Banks spend $206 billion a year on compliance built on 1970s infrastructure. Compliance-native design, powered by AI and programmable infrastructure, changes that.

Why do banks spend over $200 billion per year on compliance? Because we're asking 1970s architecture to solve 2026 problems.
In fact, compliance hours increased 61% between 2016 and 2023, three times faster than headcount growth. Nearly half of C-suite time now goes to regulatory compliance.
This is the result of using payment systems that were built decades ago, in a simpler financial world. Now every new regulation, however well-designed, becomes expensive to implement because it applies to infrastructure that was never built to accommodate it.
Modern payments infrastructure, the kind being built now in 2026, changes this. We can design compliance into the architecture from day one, making identity verification, sanctions screening, and regulatory reporting native capabilities rather than retrofits. Infrastructure built today can support continuous customer risk monitoring, cross-jurisdictional regulatory interoperability, and beneficial ownership verification as foundational features. (These are requirements that legacy systems struggle to bolt on at any cost.) Modern distributed digital infrastructure, AI-driven monitoring, and automated policy engines make this practical. Manual batch reviews become real-time compliance checks that are faster, more consistent, and continuously improving.
However, the solution for many banks remains, for now, to layer compliance into legacy systems. Here’s why that isn’t working.
Layering Compliance Onto Legacy Systems
Traditional payment systems were designed to move money efficiently, and most of the compliance requirements we take for granted today simply didn't exist when they were built. The foundations of modern payment infrastructure go back decades: the UK's BACS system launched in 1968, the US ACH network was established in the early 1970s, SWIFT went live in 1977, and before all of them, banks relied on telex networks to move money across borders. Citibank was among the first to push electronic funds transfer in the late 1970s. These systems were engineering achievements built to solve one problem: speed and reliability of value transfer.
Compliance requirements came later, and they came in waves. The Bank Secrecy Act (1970) introduced basic reporting requirements in response to growing concerns about money laundering and financial crime. The PATRIOT Act (2001) added sweeping anti-money laundering mandates after the September 11 attacks exposed vulnerabilities in the financial system. OFAC sanctions lists have continued to expand in scope and complexity as geopolitical risks evolve. Each new regulation required banks to layer monitoring systems on top of rails that were never designed for them. Since the original architecture wasn't built for it, every regulatory addition becomes an expensive patch job.
This creates a cascade of problems that compound over time:
First, it's expensive. At many institutions, compliance accounts for 10 to 15 percent of total personnel expenses, and that share keeps growing. Banks employ massive compliance teams to manually review flagged transactions. Technology helps, but when your underlying architecture lacks compliance workflows, automation can only do so much. The work remains fundamentally labor-intensive, which is why compliance budgets have reached the hundreds of billions. Those costs flow downstream: average remittance costs sit at 6.49% globally, and significantly higher in underserved corridors, with Sub-Saharan Africa averaging 8.78% and some routes exceeding 14%. Much of that covers compliance overhead.
Second, it's slow. Cross-border payments can take one to five business days to settle through correspondent banking. Even after years of modernization investment, only 46% of retail cross-border payments reach the actual recipient within an hour, well short of the G20's 75% target. Much of that delay comes from compliance checks that happen in batches, often manually, at each intermediary along the chain. Banks are running compliance processes built for batch operations in an era that demands real-time speed.
Third, accuracy suffers. Legacy systems catch some bad actors while missing others, and false positives clog the system. Banks file millions of suspicious activity reports annually, overwhelming regulators with more noise than signal. Everyone involved knows the system could work better, but improving it requires architectural changes that are prohibitively expensive and risky to implement on live systems moving trillions of dollars daily.
A payments infrastructure with compliance-native design solves for these problems.
What Compliance-Native Design Means
Technology has evolved to the point where we can fundamentally redesign how compliance functions. Early blockchain architectures prioritized openness over regulatory enforceability, but the convergence of mature distributed systems technology, clearer regulatory frameworks, and AI-driven monitoring now makes it possible to build for both. AI makes compliance faster and more accurate. Distributed infrastructure makes it undeniable. Every check, every screening decision, every approval is permanently recorded in a way that can be independently verified but never altered. Programmable rules that execute consistently mean the process itself can be examined, not just the results.
In legacy systems, compliance watches transactions after they happen. In compliance-native systems, compliance is part of the transaction itself. Requirements are checked and satisfied as value moves – not reviewed manually afterward.
The most immediate difference is real-time monitoring. Instead of screening transactions in overnight batches and investigating flags days later, transactions are screened against current sanctions lists, risk-scored, and either approved or flagged before they settle. Bad transactions get caught before they execute rather than flagged for investigation after the money has moved. For regulators, this means better signal. For institutions, it means fewer false positives consuming analyst hours.
AI makes this dramatically more effective. Traditional rule-based systems generate false positive rates as high as 90 to 95 percent, burying compliance teams in alerts that lead nowhere. HSBC deployed AI-driven AML monitoring that reduced false positives by 60% while detecting two to four times more genuine suspicious activity across its retail and commercial banking operations. JPMorgan has reported similar results: a 95% reduction in false positives and an estimated $1.5 billion in prevented losses. These results come from AI that learns from historical investigations, recognizes patterns across millions of transactions, and improves continuously. The compliance team's role shifts from manually reviewing thousands of low-quality alerts to supervising AI systems and focusing on the cases that actually matter.
Agentic AI takes this further. Rather than a single model running in the background, specialized AI agents handle distinct compliance tasks: one monitors transactions in real time, another manages sanctions screening, another handles KYC verification and ongoing customer risk assessment. These agents work together, share context, and escalate to human analysts when cases require judgment. The result is a compliance operation that scales with transaction volume without scaling headcount at the same rate. Already in 2026, industry projections suggest 70% of new account onboarding will be fully automated through these systems.
Programmable compliance rules make the broader system scalable. When sanctions lists update, the system blocks relevant transactions immediately. When a jurisdiction requires additional documentation, the system enforces that before processing. AI determines what to flag and refines those decisions continuously. The infrastructure ensures those decisions execute consistently regardless of volume or geography. Neither works without the other. Intelligence without infrastructure can't be enforced. Infrastructure without intelligence produces the 90%+ false positive rates we see today.
Privacy-preserving verification methods address one of the biggest tensions in financial regulation: the need to verify identity while protecting personal data. Think of it like showing your ID to prove you're over 21 without revealing your birth date, address, or other information. The technology now exists to confirm compliance without exposing unnecessary data, which matters as regulators worldwide tighten both AML enforcement and data protection requirements simultaneously.
When compliance is native to the architecture, adapting to new requirements becomes a policy update rather than a multi-year implementation project. That changes the economics of regulation entirely.
Why This Matters Now: Stablecoins
The growth of stablecoin markets, which moved $33 trillion in volume in 2025 alone, is accelerating a broader shift in how financial infrastructure gets built. Countries are launching central bank digital currencies. The regulatory framework is coming into focus globally: MiCA in Europe, the UAE's CBUEA regulations, Singapore's MAS requirements, and in the US, the GENIUS Act signed into law with bipartisan support, establishing the first federal framework for stablecoin regulation. As this new infrastructure takes shape, there's a rare opportunity to rethink how compliance works at the foundational level rather than inheriting the limitations of legacy systems.
The $206 billion currently spent on compliance represents both a cost and an opportunity. When compliance is architectural rather than procedural, the return on that spending improves dramatically. Resources shift from manual review to higher-value work. Transactions settle faster and cheaper, without sacrificing security.
The institutions and jurisdictions building this infrastructure today are setting the patterns everyone else will follow. Because, in infrastructure builds, early movers define the architecture. Late movers inherit it.
The Pivot to Compliance-Native Infrastructure is Underway
The global financial system is pivoting toward real-time, cross-border, digitally native infrastructure. Every major regulatory framework introduced in the past five years points in the same direction: broader scope, cross-border coordination, and faster enforcement cycles. Money moves in milliseconds. Compliance still runs on business days. That gap is either going to close or it's going to become a systemic problem.
Compliance-native infrastructure is how it closes. It still requires human oversight for sophisticated threats and emerging risks. Compliance requirements will continue to evolve. But infrastructure designed to accommodate change through policy updates rather than system overhauls means the industry can finally keep pace. The builders who understand this are already at work.