Home  ›  Blog  ›  Financial Services Software Compliance
Industry · Financial Services · Compliance

Financial services compliance — DORA, audits, and the regulatory overlay.

Financial services organisations carry a compliance profile no other industry shares. The estate is larger, the regulatory overlay is denser (PRA, FCA, OCC, FFIEC, DORA, MAS, SAMA), the audit appetite of the major publishers is more aggressive, and the consequence of compliance error is amplified by the regulator's own software supply-chain expectations.

Updated: April 2026 Reading time: 13 min Audience: CIO, Head of Vendor Risk, Procurement
Financial services skyline
An industry-specific compliance pattern

Why financial services buyers face a different audit profile.

Financial services organisations carry a compliance profile that no other industry shares. The estate is larger than average (top-quartile US banks run 6,000–12,000 distinct applications); the regulatory overlay is denser (PRA, FCA, OCC, FFIEC, MAS, SAMA, plus data-residency rules across each jurisdiction); the audit appetite of the major software publishers is more aggressive because the deal sizes are bigger; and the consequence of compliance error is amplified by the regulator's own software supply-chain expectations under DORA and the OCC third-party risk guidance.

In our work with banks, asset managers and insurers in 2024 and 2025, the compliance patterns recur across the segment. Oracle audits show up at the Capital Markets workload boundary, where VMware-hosted Oracle Database is dense. Microsoft audits show up at the merger boundary, where two EAs need to be reconciled after a sub-integration. SAP audits show up in the Finance system after an S/4HANA cutover. IBM audits show up around mainframe MIPS allocations and DB2. Salesforce becomes the largest single SaaS spend at most asset managers. ServiceNow becomes the largest single SaaS spend at most universal banks. Each pattern has a defensible response — but only if the compliance posture is built ahead of time.

The DORA overlay

The EU Digital Operational Resilience Act, which came into application on 17 January 2025, changed the compliance conversation for financial services in a specific way. Software providers classified as "critical ICT third-party providers" — likely to include Oracle, Microsoft, SAP, IBM, Salesforce and ServiceNow — fall under direct EU regulatory oversight. The buyer-side implication is that contractual clauses governing exit, sub-contracting, audit access and resilience now have a regulatory backstop that did not exist before 2025. Buyer-side counsel is using DORA as renewal-cycle leverage to lock terms that vendors would historically have resisted.

Financial-services compliance review coming up?

The estate-wide audit posture is different — and the regulatory overlay matters more than buyers usually credit.

Contact Us →

The Capital Markets Oracle pattern

Capital Markets and Investment Banking workloads carry an outsized Oracle Database footprint, typically dense VMware-hosted Real Application Clusters with Active Data Guard and Advanced Security options enabled. Oracle's Partitioning Policy treats VMware as a soft partition and claims licensing of every host in the cluster. The defensive posture, built before any audit lands, includes: isolating Oracle workloads to dedicated clusters; documenting the partitioning architecture; disabling unused options at the database parameter level; and pinning the prevailing Partitioning Policy version into the Ordering Document at renewal. None of these is hard. All of them require deliberate work before the audit notice lands.

SaaS at scale

Why FSI SaaS estates look different at renewal.

Financial services SaaS estates carry two distinguishing features at renewal. First, regulatory archive and audit-log retention drives an upward bias in tier selection — buyers gravitate to the highest tier because the audit-log retention sits there, even when most other features go unused. Second, the data-residency and sovereignty overlay drives a multi-region cost premium that is rarely benchmarked. The renewal-cycle work that consistently recovers cost in FSI SaaS includes: reconciling tier selection against actually-used audit-log retention; consolidating multi-region deployments where regulatory rules permit; and unbundling the data-residency premium from the feature premium.

Download the Software Price Benchmarking Report.

Industry-specific benchmarks for the major software publishers — including financial services pricing patterns.

Get the playbook →

M&A reconciliation

Financial services consolidation creates the second-most common compliance pattern in the industry. Two EAs reconcile into one; two ServiceNow tenants reconcile into one; two Oracle ULAs reconcile into one. Each reconciliation event is a vendor opportunity — the vendor's view is that the entity boundary has changed and the prevailing licensing rules now apply differently. The defensive posture is to treat the M&A event as a renewal event in advance: build the combined entitlement register, baseline the deployment footprint of the acquired entity, and negotiate the consolidation terms before the vendor's audit window opens.

The annual review that pays

The compliance review that consistently pays in FSI is the annual estate-wide audit-posture review. It is not a SAM tool deployment, not a vendor audit response, and not a renewal benchmarking exercise — it is a deliberate exercise that asks, for each of the top five publishers, what is the audit exposure, what is the regulatory overlay, and what is the next 12-month leverage event. Banks that run this review annually report 60–75% fewer audit-cycle surprises than those that run it ad hoc. For regulated FSI estates that lack the in-house bandwidth, an independent software license compliance assessment baselines that audit exposure across the top publishers before the next examination cycle.

FAQ

Common questions.

Why does financial services carry a different audit profile?
Three reasons: estate size (6,000–12,000 applications at top-quartile banks); regulatory overlay (DORA, OCC, FCA, PRA, FFIEC, MAS, SAMA); and deal-size economics that draw more aggressive vendor audit attention.
How does DORA affect software contracts?
DORA classifies critical ICT third-party providers under direct EU regulatory oversight. Buyer-side counsel uses DORA as leverage at renewal to lock contractual exit, sub-contracting, audit access and resilience clauses that vendors previously resisted.
What is the Capital Markets Oracle pattern?
Dense VMware-hosted Oracle workloads on Capital Markets infrastructure. Oracle's Partitioning Policy treats VMware as a soft partition, claiming licensing of every host in the cluster. The defensive posture requires isolation, documentation and pre-renewal Policy pinning.
Why do FSI SaaS estates run at higher tiers?
Regulatory archive and audit-log retention drives an upward tier bias — buyers gravitate to the highest tier because the retention features sit there. Renewal-cycle work reconciles tier selection against actually-used retention.
How should M&A reconciliation be handled?
Treat the M&A event as a renewal event in advance: build the combined entitlement register, baseline the acquired entity's deployment footprint, and negotiate the consolidation terms before the vendor's audit window opens.
What is the annual estate-wide audit-posture review?
A deliberate exercise that asks, for each of the top five publishers: what is the audit exposure, what is the regulatory overlay, and what is the next 12-month leverage event. Banks that run it annually report 60–75% fewer audit-cycle surprises.

Financial-services compliance review
coming up?

Our financial services practice covers Oracle, Microsoft, SAP, IBM, Salesforce and ServiceNow under the DORA regulatory overlay. Buyer-side only.

The Compliance Brief

Weekly compliance intelligence for IT leaders.