Compliance tax is stalling your banking innovation roadmap
Since January 2024, major UK banks and challengers have received ~£200M in new regulatory fines from the FCA and PRA linked to failures in financial crime controls, core systems, and governance. But the fines only tell part of the story.

A sustained drag on velocity
Going into 2026, we're moving from policy intent to operational evidence across operational resilience and conduct regimes including UK Operational Resilience and Consumer Duty, alongside EU DORA.
The urgency has shifted from what you plan to do, to how you prove you are doing it, continuously, at scale, and without breakage. Even the more nimble neo-banks like Starling and Monzo are not immune to the impact of this increased load.
While boards demand AI-led growth, the resources to deliver it are quietly being eroded. This shows up as board meetings being dominated by the weight of tackling fraud or the lack of real headway towards improved customer experiences.
Several major UK banks are still operating under the shadow of earlier enforcement actions, where historic issues continue to drive conservative change controls and large-scale remediation programmes. Once burnt, twice shy, as the old adage goes.
The combined effect is a sustained drag on innovation: engineering capacity is diverted to fixing foundations, product change is slowed and customer experience improvements take longer to reach the market. Fines from regulatory enforcement are only a small part of the issue.
We call this the 'Compliance Tax'.

Table: Major UK Enforcement Actions Shaping Innovation & Change Capacity
This pattern is consistent across incumbents and challengers alike. Regulatory pressures accumulate over time, and once a bank enters remediation, innovation slows long after the fine is paid.

Measuring the hidden cost
While compliance is often cited as a single line item, the true cost is hidden in the diversion of talent and capital. Recent research from TheCityUK estimates that annual compliance costs for the UK financial services sector now exceed £33.9 billion, representing roughly 13% of average operating costs.
However, for many institutions, the Compliance Tax runs even deeper. When you account for end-to-end activities, from engineering foundations to manual remediation, the actual impact on change capacity is significantly higher. AWS’s industry benchmarks suggest that mandatory regulatory changes and remediation can absorb up to 18% of total IT spend, while "run-the-bank" activities swallow up to 70% of the remaining budget.
Perhaps most critically, we are seeing that this could create a gap of up to a third of your change budget, with the engineers, architects and designers meant to be building the future instead being pulled into reactive remediation loops.
This isn't just a cost of doing business, but the opportunity cost of the innovation you can no longer afford to ship. We see this tax manifesting in three distinct scenarios:
- When compliance runs as a gate at the end of delivery rather than being embedded throughout, every release slows, regardless of how agile teams claim to be.
- When legacy monitoring generates more alerts than teams can investigate, the backlog becomes permanent. You end up hiring just to stand still.
- When AI initiatives scale faster than the audit trail beneath them, explainability gaps become the next remediation cycle before the current one is even closed.

Reclaim your growth capacity
The challenge for 2026 is not simply complying, but doing so without sacrificing the roadmap. From what we’re seeing across regulated organisations, the problem isn’t a lack of compliance effort; it’s where that effort lives. When regulatory controls sit outside delivery, they tend to slow change and absorb capacity.
Our working belief is that progress comes from treating compliance as an engineering discipline rather than a reporting layer. This isn’t a problem that will be solved through documentation or spreadsheets; it is an architectural challenge. In practical terms, that means automating evidence generation, embedding regulatory controls into delivery pipelines, and decoupling compliance logic from legacy platforms so it can evolve independently.
The goal is to move from recovering from regulatory pressure to automating the response to it. This isn’t a silver bullet, but by solving the architecture of compliance, banks can finally unlock the capacity they need to lead in the AI era and release that trapped resource back into growth and innovation. We’re actively testing and refining this approach with banks today and we’re interested in how others are tackling the same challenge.
If what you’ve read resonates, contact the author, Sam Bhatt, to learn more about how we’re exploring this space.
Sam Bhatt, Growth Director, Futurice UK





