Case Study 36.1 — Rafael's Worst-Case Contract: The AML Platform That Held Its Client Hostage

Background

In February 2020, Bridgewater Merchant Bank — a mid-size UK bank with approximately £8.4 billion in assets, specializing in trade finance and correspondent banking — signed a five-year contract with an AML transaction monitoring vendor for what its Chief Compliance Officer at the time described as "the most significant compliance technology investment in the bank's history."

The platform was genuinely capable. The vendor had an established name in the transaction monitoring space, credible references from comparable institutions, and an implementation team that knew the product well. The CCO, Diane Farrell, had run a reasonable evaluation process: she had seen four vendors, run demonstrations, and spoken to two reference clients. The RFP had been abbreviated — more of a structured questionnaire than a formal weighted evaluation — but the selection felt well-founded.

The contract was a different matter. It had been reviewed by the bank's technology procurement team, who had compared it against the bank's standard vendor contract template and flagged two minor deviations. It had been reviewed by one member of the legal team, who had checked the limitation of liability clause and the governing law provision. It had not been reviewed by compliance counsel. It had not been reviewed by anyone who understood what AML platform contracts should contain and almost universally do not.

Diane Farrell signed it in February 2020. She left the bank in late 2021. By early 2024, when Bridgewater retained Rafael Torres, the contract had become an institutional crisis.


What Rafael Found

Rafael received the contract by secure email on a Monday morning and spent the following six hours reading it carefully and making notes on a yellow legal pad — a practice he had maintained since his early days as a compliance lawyer, because the physical act of writing slowed him down enough to catch things that screen reading missed.

By the time he reached the end of the contract, his legal pad contained the following findings:

No audit right. The contract contained a standard vendor right to audit the customer's use of the platform (to ensure compliance with license terms), but no reciprocal right for Bridgewater to audit the vendor's security controls, data handling practices, or platform performance. There was a reference to "information available upon reasonable request," which was the contractual equivalent of nothing.

Annual price escalation of 12%, compounding. The base contract price in 2020 had been £580,000 per year. By 2024 — year five — the escalated price was £912,000. By the end of year five in early 2025, the bank would have paid approximately £3.5 million for a platform that it had contracted for at £580,000 per year — an aggregate spend 21% above what a non-escalating five-year contract would have cost.

No exit assistance obligation. The termination provisions required 90 days' notice for either party to terminate at expiry. They said nothing about what the vendor was required to do during those 90 days. "Return of customer data in a format to be agreed" was the entire data portability provision.

No meaningful SLA remedy. The uptime guarantee was 99.0% — permitting 87.6 hours of downtime per year — with a remedy of a 5% credit on the monthly fee for each hour below the threshold, capped at 20% of the monthly fee. For a £76,000 per month platform, the maximum monthly remedy was £15,200 — regardless of operational impact.

Regulatory change as a billable change order. A clause buried in the Change Management section specified that "modifications to the platform required by changes in applicable law or regulatory guidance shall be implemented pursuant to the parties' agreed change order process." There was no agreed change order process. There was a reference to the vendor's "standard professional services rates," which by 2024 were £2,200 per day.


The 2022-2024 Regulatory Update Crisis

In 2022 and 2023, the UK's approach to AML transaction monitoring evolved materially. The FCA published three updates to its Financial Crime Guide, the Joint Money Laundering Steering Group published revised guidance on transaction monitoring typologies, and the NCA issued updated SAR narrative guidance. The Bridgewater platform, configured in 2020, addressed none of these developments adequately.

When Bridgewater's compliance team raised the issue with the vendor, the response was precise: each typology update was a configuration change; each configuration change required a change order; each change order would be scoped and priced individually. Over the period from Q2 2022 to Q4 2023, the bank received and paid eight change orders totaling £342,000, covering typology updates that, in Rafael's assessment, should have been within the scope of a platform vendor's core regulatory maintenance obligation.

By the time the bank's current CCO, Thomas Reeves, commissioned Rafael's engagement in January 2024, the bank was paying £912,000 per year for a platform whose typology library was still six months behind current JMLSG guidance, whose model outputs could not be audited because the vendor held the model parameters as proprietary, and whose data export functionality — when tested at Rafael's request — produced a comma-separated output that omitted 17 fields present in the platform's database.

Thomas Reeves had an additional problem. In Q3 2023, an FCA supervisory review of Bridgewater's AML controls had produced a Section 166 Skilled Person Review recommendation. The skilled person — a Big 4 firm — had noted, among other findings, that the bank's transaction monitoring typologies did not adequately address the cross-border trade finance patterns identified in the FCA's 2022 sector-specific guidance. The bank was now in a position where a regulatory-driven remediation requirement intersected with a contract that made remediation expensive, slow, and dependent on vendor cooperation that the bank had no contractual leverage to compel.


The Eighteen-Month Renegotiation and Transition

Rafael's engagement had two phases.

Phase 1: Contract Renegotiation (months 1-8)

The immediate priority was not to exit the contract — exiting in the middle of a Section 166 review would have been operationally catastrophic. The priority was to restructure the commercial relationship to make the remediation program executable at a sustainable cost.

Rafael prepared a detailed written analysis of the contract's deficiencies — the missing provisions against DORA Article 29 standards (which, though not yet in force in January 2024, represented the regulatory direction of travel), the inadequate SLA remedy structure, and the regulatory change billing practices that he assessed as inconsistent with market norms. He presented this analysis to the vendor's Head of Enterprise Accounts in a meeting that he described afterward as "professionally hostile."

The vendor's initial position was that the contract was the contract. Rafael's response was measured: the bank was a significant reference client; the Section 166 review created a public record that would be visible to potential clients and to regulators; and the bank's willingness to discuss the contract's structural deficiencies publicly was not unlimited. He did not make threats. He made observations.

Over eight months of negotiation — three in-person sessions, numerous written exchanges — the parties agreed to a contract amendment that: (1) capped future price escalation at 3% for the contract's remaining term; (2) added a limited audit right (third-party security assessment annually); (3) defined "regulatory change updates" as included in the base service for typology library updates and JMLSG-derived configuration changes; and (4) added a data export specification with defined field mapping. The bank agreed to a 12-month contract extension in exchange for these concessions.

Phase 2: Transition Planning (months 9-18)

With the immediate commercial crisis stabilized, Rafael moved to Phase 2: building the capability to exit the vendor relationship at contract expiry and transition to an alternative platform.

The transition planning process required 14 months, not because the technical migration was complex, but because the 2020 data migration into the current platform had been poorly documented. The field mapping between the bank's core systems and the transaction monitoring platform had never been formally recorded; it had been assembled by the implementation team, captured in a shared drive folder, and partially lost when two key implementation consultants left the vendor after the 2020 go-live.

Rafael worked with the bank's technology team to reverse-engineer the data mapping documentation, a process that required six weeks of systematic data comparison between the bank's core banking output and the transaction monitoring platform's ingestion logs. This documentation — which should have been a contractual deliverable in 2020 — became the foundation of the migration specification for the new platform.

The bank went live on the replacement platform in April 2025, five years and two months after the original contract was signed. The total cost of the vendor lock-in — excess price escalation above market rates, regulatory change order charges, remediation consulting, transition planning — was estimated by the bank's finance team at approximately £1.1 million.


Key Lessons

The Bridgewater case illustrates four failure modes that appear in Rafael's engagements with sufficient regularity to constitute a pattern:

Failure Mode 1: Compliance did not own the contract. The contract was reviewed by technology procurement and a junior legal resource. Neither reviewer had a framework for what a RegTech contract must contain. The review found what it knew to look for — price, liability cap, governing law — and missed what it did not know to look for: audit rights, exit assistance, regulatory change treatment.

Failure Mode 2: Price escalation was not modeled. An 8% or 12% annual escalation cap looks like a small number in Year 1. Compounded over five years, it becomes a material cost increase that creates real budget pressure and genuine contractual lock-in. Escalation provisions must be modeled across the full contract term before signing.

Failure Mode 3: Regulatory change treatment was left to chance. In a market where regulatory requirements evolve materially every 12-18 months, a contract that treats every regulatory update as a billable change order is not a compliance partnership. It is a mechanism for transferring the cost of regulatory change from the vendor to the customer, without any of the responsibility.

Failure Mode 4: Exit was not planned. The absence of a data portability specification and exit assistance obligation meant that the bank's exit, when it finally came, required 14 months of reconstruction work that should have been a 30-day data export. The cost of that reconstruction was carried entirely by the bank.

Thomas Reeves, reflecting on the experience, offered an assessment that Rafael has shared in many subsequent client engagements: "We bought the demo. We should have bought the contract."


This case study is based on a composite of multiple real-world vendor contract situations. All names, institutions, and specific financial figures are fictional.