Case Study 3.2: The Incumbent Trap — When Legacy Systems Resist Replacement

The Situation

Organization: A composite US regional bank ("First Consolidated" — fictional)
Asset size: $38 billion
Problem: A 2019-vintage AML platform that has become deeply entrenched across the compliance function, despite known capability gaps
Context: Rafael Torres consulting as an industry advisor before his Meridian role


Background

First Consolidated implemented its current AML platform — an integrated monitoring, case management, and sanctions screening solution from a major banking technology vendor — in 2019 at a cost of approximately $4.2 million. The platform was state-of-the-art at the time of implementation. By 2024, five years later, it was generating an alert volume that had grown by 140% (partly due to business growth, partly due to regulatory pressure to expand coverage), with no corresponding improvement in alert quality. The false positive rate, estimated at 96% when the platform was implemented, had increased to 98% as the underlying customer and transaction mix changed while the monitoring scenarios remained largely static.

The compliance team had identified the problem clearly and had been requesting budget for a platform upgrade or replacement for two years. The requests had not been approved.


Why the Incumbent Stayed

First Consolidated's experience illustrates what practitioners call the "incumbent trap" — the forces that prevent institutions from replacing compliance technology even when they clearly need to.

Force 1: Switching costs are real and large

The AML platform was integrated with 14 other systems: core banking, CRM, sanctions data feeds, document management, SAR filing system, and a custom case management overlay built by First Consolidated's internal team in 2021. Replacing the platform would require re-implementing all 14 integrations and rebuilding the custom overlay. The technology team's estimate: 18 months of implementation at a cost of $2.1–2.7 million, plus ongoing licensing costs of the new system.

Force 2: Institutional knowledge is embedded in the system

The 340 monitoring scenarios in the current platform represented years of tuning by compliance analysts who understood the bank's specific risk profile. Several of the most important scenarios had been built in response to specific regulatory findings and examiner observations. Moving to a new platform meant either migrating those scenarios (a complex technical task with risk of error) or rebuilding them from scratch (a compliance risk while the new system was being calibrated).

Force 3: The incumbent vendor knows this

The current vendor was well aware of the switching costs. When First Consolidated requested competitive pricing for a renewal negotiation, the vendor's response was minimal: a 3% discount on the renewal price and a commitment to add two features that had been on the roadmap for two years but not yet shipped.

Force 4: Compliance leadership had other priorities

The CCO who championed the original platform implementation had left the firm in 2022. Her successor was focused on a regulatory capital reporting enhancement that had been made a priority by the board after a near-miss in the previous year's OCC examination. The AML platform — which was functioning, even if not well — was third in line for capital investment attention.

Force 5: "Good enough" is the enemy of better

The current false positive rate of 98% was terrible but manageable. The compliance team had built workflows to process the alert volume — stretched, exhausted workflows, but functional ones. The status quo had inertia precisely because it was survivable.


The Breaking Point

The trigger for change came not from internal advocacy but from an external event: a former First Consolidated customer was named in a FinCEN enforcement action against a network of shell companies that had processed approximately $40 million in suspicious transactions. A subsequent review by the compliance team found that First Consolidated's monitoring system had generated 14 alerts related to this customer over the preceding 18 months — all reviewed and closed as false positives by analysts who did not see the full network picture because the monitoring system had no graph analytics capability.

The FinCEN action did not name First Consolidated, but it raised the question internally: had the bank filed the SARs it should have filed? The answer, after a two-week internal review, was: probably not for two transactions.

This was not a regulatory enforcement finding. But it was a near-miss that the CCO could take to the board as concrete evidence of the gap between the current system's capabilities and the bank's actual AML exposure.

The board approved the platform replacement budget within six weeks.


The Replacement Program

First Consolidated ultimately selected a new vendor through a six-month competitive process. The key selection criteria were:

- Demonstrated false positive reduction (validated via historical data testing — a condition of the RFP)
- Graph analytics capability for network-level pattern detection
- API-first architecture to reduce integration complexity on future changes
- Implementation track record at banks of First Consolidated's size and complexity

Implementation: 22 months, $2.9 million (within estimate). Final false positive rate after calibration: 84% — a 14-percentage-point improvement from 98%.

The compliance team's estimate of the productivity savings from the false positive reduction: approximately $780,000 per year in analyst time. Payback period on the implementation cost: approximately 3.7 years.


Discussion Questions

1. The "incumbent trap" is characterized by five forces that kept First Consolidated's underperforming platform in place. Rank these five forces from most to least powerful in this specific context, and explain your ranking.

2. The breaking point was an external enforcement action against a former customer. Should compliance technology investment decisions require this kind of catalyst? What organizational processes might enable more proactive investment decisions?

3. First Consolidated's false positive rate improved from 98% to 84%. The chapter notes that the industry average is ~95%. Is 84% a good outcome? What additional information would you need to assess the quality of this result?

4. The bank estimated a $780,000 annual productivity saving from the false positive reduction. What are the limitations of this calculation? What costs or benefits does it potentially miss?

5. The previous CCO championed the original implementation. Her departure contributed to the lack of advocacy for replacement. What organizational structures or processes would maintain ongoing advocacy for compliance technology investment independent of specific individuals?