Buy or build AI in a regulated financial firm

TL;DR

For owner-managed financial services firms, the buy-or-build question carries a criterion beyond cost: the system must be explainable and auditable to a regulator. Proprietary builds often optimise for predictive accuracy rather than interpretability, creating a liability precisely where they were meant to create advantage. Established vendors have already cleared regulatory scrutiny; their audit documentation and explainability reports come ready-made.

Key takeaways

- The buy-or-build decision in financial services adds a third criterion beyond cost and timeline: the system's decision logic must be explainable to a regulator on demand.
- Vendor-led AI projects succeed at roughly double the rate of internal builds at owner-managed business scale, according to mid-market implementation research.
- Proprietary builds that prioritise predictive accuracy over interpretability can fail regulatory scrutiny precisely where they were meant to create competitive advantage.
- Established vendors in AML and fraud detection have already faced regulatory examination; their audit trails and explainability documentation are available to show a regulator.
- Before signing any vendor contract, ask for output-level decision explanations, the regulatory jurisdictions where the product has been audited, and whether the audit trail is exportable in a format your regulator can read.

A founder’s read on the numbers is usually the same. The vendor quote looks steep, the in-house build looks cheaper at first glance, and owning the IP feels like a competitive edge worth having. You may be sitting with exactly that proposal right now. The question worth asking before you commit to either path is what happens when the FCA or the SEC requests a walk-through of how the system makes its decisions.

That question does not come up in most generic buy-or-build guides. In a regulated financial services firm, it is the one that shapes everything else.

What is the buy-or-build decision in a regulated financial firm?

In an unregulated business, buy-versus-build comes down to cost, timeline, and whether the proprietary build creates lasting competitive advantage. In a regulated financial services firm, that calculation gains a third criterion. The system’s decision logic must be explainable and auditable on demand, which shifts the question from “what’s cheaper to build?” to “what can we defend when the FCA or the SEC asks?”

The FCA has been clear that AI in financial services must be actively supervised and understood, not simply deployed and monitored from a distance. The Bank of England’s framework for AI spells out seven required properties under the acronym TRUSTED. The system must be Targeted, Reliable, Secure, clearly Understood, supported with Ethical guidance, stress-Tested, and Durable. Each of those criteria requires documentation. A proprietary model built quickly to capture a first-mover advantage often runs ahead of the firm’s capacity to document it to that standard.

The EU AI Act strengthens this position for any firm operating in or connected to EU markets. AI systems used for credit scoring, AML, or fraud detection are classified as high-risk under Annex III, meaning they must meet specific transparency and human oversight requirements before deployment. A bespoke model built without those requirements in mind needs considerable rework before it operates legally in those markets.

Why does explainability change the calculation?

Many high-performing models built in-house optimise for predictive accuracy rather than interpretability. When a compliance officer or regulator asks why a transaction was flagged, a credit application rejected, or an alert generated, “the algorithm decided” is not a defensible answer. The Bank of England’s guidance for AI in financial services is explicit on this point, specifying that systems must be clearly understood and stress-tested before deployment.

The SEC has brought enforcement action against firms that made unsubstantiated claims about AI capabilities. Two recent cases, Global Predictions Inc. and Delphia USA, found that both firms had made false or misleading claims about their AI-driven investment processes. In each case, the firms could not adequately document how their systems reached their outputs. The inability to show their working was the core of the enforcement finding.

This matters directly for the build decision. A founder building a proprietary model to protect competitive advantage is, by design, making it harder for others to understand how the model works. That opacity protects the IP but compromises the explainability the regulator requires. Complexity that defends commercial advantage also obscures the decision trail, and at a regulated firm that is a genuine liability.

Where does the audit trail test actually show up in practice?

Explainability requirements become concrete at three operational points. Anti-money laundering and transaction monitoring systems must be “reasonably designed to detect suspicious activity” under UK money laundering regulations and the US Bank Secrecy Act. Credit decisions affecting consumers trigger disclosure requirements in both jurisdictions. And any AI-driven regulatory reporting must be reproducible, with a clear record of what data the model used and why it reached its conclusion.

For AML specifically, the requirement goes beyond catching suspicious transactions. The system needs to produce output a human compliance officer can review and, if challenged, defend to a regulator. That means generating a rationale alongside the output, the specific factors that triggered the flag, in a form the compliance team can read and verify. A model without an interpretability layer cannot do this consistently without additional engineering, and that engineering needs to be designed in from the start.

Credit and lending decisions face an equivalent constraint. Consumer credit regulations in both the UK and the US require that any adverse decision comes with a specific explanation, generated at decision time as part of the model’s standard output. A vendor system built for a regulated market will have this as a standard feature. An in-house build has to design it in deliberately, and retrofitting it onto a model that was not built with interpretability in mind is expensive and often incomplete.
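As an added example that is not from the post or from any vendor product, the following Python sketch shows what the three properties described above look like in code for a rules-based transaction-monitoring check: a factor-level rationale emitted with every decision, a digest of the exact inputs and rule version so a decision can be reproduced later, and an append-only, hash-chained audit trail that exports as plain JSON lines a reviewer can verify without this code. The rule names, thresholds, country codes, version label and sample transactions are constructed placeholders; an adverse-action reason record for a credit decision would have the same shape.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any

RULESET_VERSION = "demo-aml-rules-1.0"   # hypothetical label, not a real product version

# Constructed rule parameters for illustration only.
LARGE_AMOUNT = 10_000.00
HIGH_RISK_COUNTRIES = {"XX", "YY"}       # placeholder codes, not a real high-risk list
VELOCITY_LIMIT = 5                        # prior transactions from the same account in the window
FLAG_THRESHOLD = 3                        # total weight at which the transaction is flagged


def canonical_digest(obj: Any) -> str:
    """SHA-256 over canonical JSON, so identical inputs always produce the same digest."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Factor:
    rule: str        # which rule was evaluated
    triggered: bool
    observed: Any    # the value the rule saw
    threshold: Any   # what it was compared against
    weight: int      # contribution to the score when triggered


def evaluate(txn: dict, prior_count_24h: int) -> dict:
    """Score one transaction and return the decision together with its factor-level rationale.

    The output depends only on (txn, prior_count_24h, RULESET_VERSION); the digest of
    those inputs is stored so the decision can be re-run and checked at audit time.
    """
    factors = [
        Factor("large_amount", txn["amount"] >= LARGE_AMOUNT, txn["amount"], LARGE_AMOUNT, 2),
        Factor("high_risk_country", txn["country"] in HIGH_RISK_COUNTRIES,
               txn["country"], sorted(HIGH_RISK_COUNTRIES), 2),
        Factor("velocity", prior_count_24h > VELOCITY_LIMIT, prior_count_24h, VELOCITY_LIMIT, 1),
        Factor("round_amount", txn["amount"] % 1000 == 0, txn["amount"], "multiple of 1000", 1),
    ]
    score = sum(f.weight for f in factors if f.triggered)
    return {
        "txn_id": txn["id"],
        "flagged": score >= FLAG_THRESHOLD,
        "score": score,
        "factors": [asdict(f) for f in factors],
        "ruleset_version": RULESET_VERSION,
        "input_digest": canonical_digest(
            {"txn": txn, "prior_count_24h": prior_count_24h, "ruleset_version": RULESET_VERSION}),
    }


def explain(decision: dict) -> str:
    """Plain-language rationale a compliance officer can read and check against the inputs."""
    fired = [f for f in decision["factors"] if f["triggered"]]
    if not fired:
        return f"{decision['txn_id']}: not flagged; no rule triggered."
    reasons = "; ".join(
        f"{f['rule']} (observed {f['observed']!r} vs threshold {f['threshold']!r}, weight {f['weight']})"
        for f in fired)
    verdict = "flagged" if decision["flagged"] else "not flagged"
    return f"{decision['txn_id']}: {verdict}, score {decision['score']}. Triggered: {reasons}"


class AuditTrail:
    """Append-only log of decisions; each entry commits to the previous one by hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, decision: dict) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "prev_hash": prev_hash, "decision": decision}
        entry = dict(body, entry_hash=canonical_digest(body))
        self.entries.append(entry)
        return entry

    def export_jsonl(self) -> str:
        """One JSON object per line, readable by a reviewer without this code."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @staticmethod
    def verify_jsonl(text: str) -> bool:
        """Re-check the hash chain of an exported trail; False if any entry was altered."""
        prev_hash = "0" * 64
        for i, line in enumerate(text.splitlines()):
            entry = json.loads(line)
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or body["prev_hash"] != prev_hash:
                return False
            if canonical_digest(body) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


# Constructed sample transactions with their prior 24h counts (not real data).
SAMPLE_TXNS = [
    ({"id": "t-001", "amount": 12_000.00, "country": "XX", "account": "acct-1"}, 2),
    ({"id": "t-002", "amount": 250.50, "country": "GB", "account": "acct-2"}, 0),
    ({"id": "t-003", "amount": 3_000.00, "country": "GB", "account": "acct-3"}, 9),
]


def run_demo() -> tuple[AuditTrail, list[dict]]:
    trail = AuditTrail()
    decisions = [evaluate(txn, prior) for txn, prior in SAMPLE_TXNS]
    for d in decisions:
        trail.append(d)
    return trail, decisions


if __name__ == "__main__":
    trail, decisions = run_demo()
    for d in decisions:
        print(explain(d))
    print("chain intact:", AuditTrail.verify_jsonl(trail.export_jsonl()))
```

The point of the `input_digest` and `ruleset_version` fields is reproducibility: a reviewer who holds the same transaction, the same prior count and the same rule version can re-run `evaluate` and obtain the same decision and the same digest. The hash chain in `AuditTrail` makes after-the-fact edits to an exported trail detectable, which is the property a regulator is asking about when they ask whether the trail can be trusted.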

When does buying protect you and when is building justified?

For owner-managed financial services firms without a dedicated data science team, buying is the safer choice on two counts. Vendor-led AI projects succeed at roughly double the rate of internal builds at this scale, according to research on mid-market AI rollouts. More importantly for a regulated firm, established vendors in AML and fraud detection have already faced regulatory scrutiny. Their audit documentation, explainability reports, and compliance certifications exist and are ready to show a regulator.

Building makes sense in a narrow set of circumstances. The use case must be genuinely novel, the firm’s proprietary data must create an advantage no off-the-shelf vendor can replicate, and the team must have the capacity to design explainability into the model from day one. That is a high bar. For a firm in the 10-to-50 person range, it is rarely met, and the cost of getting it wrong falls on the firm’s licence to operate.

A founder’s argument for building often conflates two separate things. The data advantage is real. The model advantage tends to be claimed rather than demonstrated. Proprietary transaction data is genuinely valuable. Feeding it into a vendor platform that already has regulatory approval and a working audit trail frequently produces better outcomes than building a model from scratch and discovering its decisions cannot be explained on demand.

What should you ask a vendor before you sign?

Five questions separate a vendor that will help you pass regulatory scrutiny from one that will leave you exposed. Ask for documented decision logic, specifically output-level explanations your compliance team can reproduce at audit time. Ask which regulatory jurisdictions the product has been audited in. Ask whether the audit trail is exportable in a format your regulator can read. Ask about data residency.

The fifth question is the one that cuts through most clearly. Has the vendor’s model ever been challenged by a regulator, and if so, what happened? A vendor whose product has survived an FCA or SEC examination with the model remaining in production is a materially different prospect from one whose regulatory experience amounts to a well-written compliance brief.

On the build side, if the founder is pressing for it, the framing that tends to land is that the proprietary data is the asset worth protecting, and the decision model is where the regulatory risk sits. These two things can be separated. Proprietary transaction data can feed a vendor system that already holds regulatory approval, which means the IP argument and the compliance argument need not be in conflict. The firm keeps its data advantage while the vendor carries the explainability obligation.

If you are working through this decision and want a second view before you commit, book a conversation.

Sources

- Bank of England, Financial Stability in Focus (April 2025). Sets out the TRUSTED framework for AI in financial services; confirms active FCA and PRA supervisory engagement on AI-related risks. https://www.bankofengland.co.uk/financial-stability-in-focus/2025/april-2025
- Financial Conduct Authority (2026). FCA sets out next phase of smarter, more effective regulation. Confirms FCA oversight of AI in regulated financial services firms and use of AI in its own regulatory processes. https://www.fca.org.uk/news/news-stories/fca-sets-out-next-phase-smarter-more-effective-regulation
- Federal Reserve (2026). Monitoring AI Adoption in the US Economy. Reports financial sector AI adoption at approximately 30 per cent with 30 per cent year-on-year growth, among the highest of any tracked sector. https://www.federalreserve.gov/econres/notes/feds-notes/monitoring-ai-adoption-in-the-u-s-economy-20260403.html
- McKinsey (2025). The State of AI, Global Survey. Notes adoption is accelerating but that larger firms reach the scaling phase at significantly higher rates than smaller ones, particularly in regulated sectors. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai
- EU AI Act, Article 6 and Annex III (2024). Classifies AI used in credit scoring, AML, and fraud detection as high-risk systems, subject to transparency, explainability, and human oversight requirements before deployment. https://artificialintelligenceact.eu/article/6/
- New York State Bar Association (2025). Regulating AI deception in financial markets. Reviews SEC enforcement actions against Global Predictions Inc. and Delphia USA for unsubstantiated AI claims; outlines the audit trail standard regulators apply. https://nysba.org/regulating-ai-deception-in-financial-markets-how-the-sec-can-combat-ai-washing-through-aggressive-enforcement/
- Venable LLP (2026). AI in Financial Services. Covers UDAAP, FCRA, GLBA, and BSA/AML compliance requirements for AI systems, including explainability obligations under each framework. https://www.venable.com/insights/publications/2026/02/ai-in-financial-services-popular-use-cases
- Schellman (2025). AI implementation failures in real-world deployments. Analyses mid-market AI implementation outcomes and identifies governance gaps, explainability shortfalls, and data quality as leading failure modes. https://www.schellman.com/blog/ai-services/ai-implementation-failures-in-real-world-deployments
- BridgeView IT (2025). AI Readiness. Documents the five pillars of AI readiness and reports the vendor-led versus internal-build success rate differential for mid-market AI rollouts. https://www.bridgeviewit.com/ai-readiness/

Frequently asked questions

Does buying AI from a vendor mean giving up competitive advantage in financial services?

The data advantage stays with the firm regardless of which model reads it. Proprietary transaction history, client behaviour patterns, and risk data are genuinely valuable. Feeding that data into a vendor platform that already holds regulatory approval means the IP advantage and the compliance requirement need not conflict. Many firms build competitive edge through data quality and model configuration, not through model ownership.

What does the FCA actually require from AI systems used in financial services?

The FCA expects firms to supervise and understand AI systems rather than simply deploying and monitoring them passively. The Bank of England's framework specifies that AI must be Targeted, Reliable, Secure, clearly Understood, supported with Ethical guidance, stress-Tested, and Durable. In practice, this means documented decision logic, reproducible audit trails, and human oversight at key decision points, particularly for AML, credit decisions, and fraud detection.

Can a firm build its own AI model if it documents it thoroughly?

Yes, and building makes sense when the use case is genuinely novel and the team has the capacity to design explainability in from the start. The EU AI Act classifies AI used in credit scoring and AML as high-risk, requiring specific transparency and human oversight standards before deployment. The challenge is that proprietary builds often add interpretability features after the fact, which rarely meets the regulator's standard as cleanly as a purpose-built vendor system.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
