Financial services organisations carry a compliance profile no other industry shares. The estate is larger, the regulatory overlay is denser (PRA, FCA, OCC, FFIEC, DORA, MAS, SAMA), the audit appetite of the major publishers is more aggressive, and the consequence of compliance error is amplified by the regulator's own software supply-chain expectations.
Financial services organisations carry a compliance profile that no other industry shares. The estate is larger than average (top-quartile US banks run 6,000–12,000 distinct applications); the regulatory overlay is denser (PRA, FCA, OCC, FFIEC, MAS, SAMA, plus data-residency rules across each jurisdiction); the audit appetite of the major software publishers is more aggressive because the deal sizes are bigger; and the consequence of compliance error is amplified by the regulator's own software supply-chain expectations under DORA and the OCC third-party risk guidance.
In our work with banks, asset managers and insurers in 2024 and 2025, the compliance patterns recur across the segment. Oracle audits show up at the Capital Markets workload boundary, where VMware-hosted Oracle Database is dense. Microsoft audits show up at the merger boundary, where two EAs need to be reconciled after a sub-integration. SAP audits show up in the Finance system after an S/4HANA cutover. IBM audits show up around mainframe MIPS allocations and DB2. Salesforce becomes the largest single SaaS spend at most asset managers. ServiceNow becomes the largest single SaaS spend at most universal banks. Each pattern has a defensible response — but only if the compliance posture is built ahead of time.
The EU Digital Operational Resilience Act, which came into application on 17 January 2025, changed the compliance conversation for financial services in a specific way. Software providers classified as "critical ICT third-party providers" — likely to include Oracle, Microsoft, SAP, IBM, Salesforce and ServiceNow — fall under direct EU regulatory oversight. The buyer-side implication is that contractual clauses governing exit, sub-contracting, audit access and resilience now have a regulatory backstop that did not exist before 2025. Buyer-side counsel is using DORA as renewal-cycle leverage to lock terms that vendors would historically have resisted.
The estate-wide audit posture is different — and the regulatory overlay matters more than buyers usually credit.
Capital Markets and Investment Banking workloads carry an outsized Oracle Database footprint, typically dense VMware-hosted Real Application Clusters with Active Data Guard and Advanced Security options enabled. Oracle's Partitioning Policy treats VMware as a soft partition and claims licensing of every host in the cluster. The defensive posture, built before any audit lands, includes: isolating Oracle workloads to dedicated clusters; documenting the partitioning architecture; disabling unused options at the database parameter level; and pinning the prevailing Partitioning Policy version into the Ordering Document at renewal. None of these is hard. All of them require deliberate work before the audit notice lands.
Financial services SaaS estates carry two distinguishing features at renewal. First, regulatory archive and audit-log retention drives an upward bias in tier selection — buyers gravitate to the highest tier because the audit-log retention sits there, even when most other features go unused. Second, the data-residency and sovereignty overlay drives a multi-region cost premium that is rarely benchmarked. The renewal-cycle work that consistently recovers cost in FSI SaaS includes: reconciling tier selection against actually-used audit-log retention; consolidating multi-region deployments where regulatory rules permit; and unbundling the data-residency premium from the feature premium.
Industry-specific benchmarks for the major software publishers — including financial services pricing patterns.
Financial services consolidation creates the second-most common compliance pattern in the industry. Two EAs reconcile into one; two ServiceNow tenants reconcile into one; two Oracle ULAs reconcile into one. Each reconciliation event is a vendor opportunity — the vendor's view is that the entity boundary has changed and the prevailing licensing rules now apply differently. The defensive posture is to treat the M&A event as a renewal event in advance: build the combined entitlement register, baseline the deployment footprint of the acquired entity, and negotiate the consolidation terms before the vendor's audit window opens.
The compliance review that consistently pays in FSI is the annual estate-wide audit-posture review. It is not a SAM tool deployment, not a vendor audit response, and not a renewal benchmarking exercise — it is a deliberate exercise that asks, for each of the top five publishers, what is the audit exposure, what is the regulatory overlay, and what is the next 12-month leverage event. Banks that run this review annually report 60–75% fewer audit-cycle surprises than those that run it ad hoc. For regulated FSI estates that lack the in-house bandwidth, an independent software license compliance assessment baselines that audit exposure across the top publishers before the next examination cycle.
Our financial services practice covers Oracle, Microsoft, SAP, IBM, Salesforce and ServiceNow under the DORA regulatory overlay. Buyer-side only.
Weekly compliance intelligence for IT leaders.