The hidden complexity, organisational blind spots and long-term consequences of “we can build this ourselves” thinking
Introduction: A comfortable fiction that costs companies millions
In every industry, there comes a moment when an organisation decides to replace a spreadsheet-based process with a system. At that moment, someone – often well-intentioned, often brilliant – says the nine words that have sunk countless internal initiatives:
“IT can build this. How hard can it be?”
Those words have launched projects that begin with confidence and end in frustration: budget overruns, missed deadlines, partial functionality, abandoned code and, ultimately, a return to manual processes or a late-stage purchase of the very technology the organisation initially declined, often years later, after writing off millions and wasting valuable time.
Financial crime risk assessments are particularly vulnerable to this fallacy. They appear deceptively simple from the outside: inherent risk questions, control ratings, scoring logic, residual risk outputs, workflows, approvals. To an engineer unfamiliar with regulatory nuance, it looks like a structured form with a scoring model – hardly rocket surgery!
But beneath the surface, a financial crime risk assessment platform is one of the most complex operational systems a regulated institution will ever attempt to build.
Those who try to build it internally discover this truth the hard way.
The false simplicity: Why it looks easy from the outside
IT teams are typically exposed only to the output of the risk assessment – a structured spreadsheet, a methodology document, a set of business requirements. On paper, it seems straightforward: build screens, add inputs, calculate scores, produce reports.
But risk assessments live in a world of nuance, interpretation, evolving regulatory expectation, governance frameworks, cross-functional inputs, audit scrutiny, and continuous change. The scoring model is only the visible tip of a vast methodological, regulatory and operational iceberg.
What appears to be a simple form is, in reality, an entire regulatory ecosystem: risk logic that must evolve with changing regulations; methodology that requires central governance; workflows that synchronise dozens of stakeholders; evidence that must be attached, versioned and auditable; control libraries that shift with assurance findings; risk appetite thresholds that need Board approval; jurisdictional risk tied to geopolitical volatility; sanctions logic that updates dynamically; calibration that must be enforced across business units; audit trails robust enough for regulatory scrutiny; and dashboards, reports and data structures capable of multi-entity aggregation.
None of this is visible in the spreadsheet – yet all of it (and more) is required in a platform.
This is why internal builds fail: the problem was never the form, but everything hidden behind it.
The inescapable reality: Regulation changes faster than internal builds
One of the most damaging misconceptions in internal builds is the belief that risk assessment logic is static. In reality, regulatory expectations shift continuously, typologies evolve monthly, sanctions lists update weekly, products and channels change rapidly, and business models pivot without warning. A financial crime risk assessment platform must evolve in step with all of this. Internal builds rarely can. At best they release annual updates, and even then IT becomes the bottleneck: every methodological adjustment requires tickets, coding, QA cycles, release planning and regression testing. Risk teams wait while the platform falls out of date and loses accuracy, a gap that regulators readily notice.
The truth is simple: organisations consistently underestimate the cost of change, yet change is constant.
In-house builds often collapse under the weight of requirements
A financial crime risk assessment platform isn’t just a system, it’s a governance engine. It must preserve version histories, track who changed what, maintain clear line-of-sight from inherent to residual risk, capture rationales, support Board approvals, embed audit trails, document evidence, enforce workflows and safeguard permissions. These requirements multiply in multi-entity or global organisations. Internal IT teams rarely possess the regulatory depth needed to build governance to this standard, resulting in systems that “function” but cannot withstand regulatory scrutiny. When auditors ask for the rationale behind a decision made nine months earlier, internal tools often cannot produce it. That isn’t a minor gap; it’s an existential one.
In-house builds depend on people who eventually leave
One of the most underestimated risks in internal builds is the issue of human continuity. The two or three engineers who truly understand the system, its data model, logic and edge cases, will eventually move teams, leave the organisation or shift to new priorities. When they do, the business is left with undocumented logic, fragile code, inconsistent structures, missing documentation, unclear data lineage and broken integrations.
The cost of rebuilding, replacing or retrofitting the system quickly becomes enormous. Internal builds rarely fail on day one; they fail two years later, quietly, structurally and expensively.
In-house development creates unintended dependencies
Ironically, organisations build internal systems to reduce dependency, yet they end up creating a new and even more constraining one: dependence on the IT department. Every change – a new risk methodology, new risk models, a new control effectiveness assessment technique, a regulatory shift or any other requirement – must pass through development cycles. Requests accumulate, priorities clash, operational urgency gets deprioritised, backlogs swell and risk teams are left waiting. Internal builds don’t remove bottlenecks; they turn IT into the biggest one.
Conclusion
There is no doubt that an internal IT team can build a system. With enough time, money and determination, a capable engineering function can construct almost anything. But a financial crime risk assessment platform is not merely a system – it is a living regulatory architecture that must continuously adapt to shifting expectations, geopolitical instability, evolving criminal behaviours and ongoing organisational change.
A true ML/TF/PF (money laundering, terrorist financing and proliferation financing) risk assessment platform demands far more than code: it requires specialist financial crime expertise, a deep understanding of risk methodology and scoring logic, and forensic audit readiness embedded into every interaction.
It must incorporate regulator-aligned updates delivered annually, often more frequently, while supporting multi-entity scalability for complex groups and continuous enhancements as products, channels and typologies evolve. It must enforce structural governance through workflow, approvals and oversight; provide defensible, transparent logic capable of withstanding external scrutiny; enable seamless collaboration across compliance, business, risk and audit; and maintain calibration integrity across jurisdictions. It must generate advanced reporting aligned to Board expectations and respond rapidly to geopolitical shocks, sanctions updates and emerging fraud patterns.
None of this can be coded once; it must be sustained, refined and revalidated continuously and it is here that most internal builds inevitably collapse. The true cost of an in-house platform is not the initial development effort but everything else that follows: creeping complacency, accumulating technical debt, increasing operational fragility, widening governance gaps, escalating regulatory exposure and the strategic drag caused by falling out of sync with a rapidly evolving risk landscape. Building something is easy; maintaining it is hard; keeping pace with regulators, typologies and global volatility is extraordinarily difficult.
This is why so many internal systems fail quietly and expensively and why specialist RegTech platforms, battle-tested across industries and continuously refined in line with regulatory expectations, outperform them across every dimension: accuracy, governance, resilience, scalability, cost efficiency and strategic value. Internal builds produce tools; RegTech delivers the infrastructure that modern financial crime risk management fundamentally depends on.