Regulatory moats: when compliance becomes a competitive advantage
Regulation is one of the few things most founders agree on: it's a cost, a distraction, and ideally someone else's problem. That's a strategic error.

Regulation is one of the few things that most founders agree on: it's a cost, a distraction, and ideally someone else's problem for as long as possible.
This is an understandable position. Compliance is expensive, slow, and operationally unglamorous. Engaging with regulators — whether the FCA, the FDA, or any of the alphabet soup of sector-specific bodies that govern the industries tech companies want to disrupt — takes time and expertise that most early-stage teams would rather direct at product and growth. The instinct to defer, to operate under lighter licensing regimes, to use regulatory ambiguity as a feature rather than a risk, is a rational short-term response to a genuinely difficult set of constraints.
It's also, in most regulated markets, a strategic error that compounds over time.
The companies that treat regulatory investment as a product decision rather than a legal obligation — that acquire licences, certifications, and regulatory relationships early, when they're lean enough to do so without operational disruption — tend to arrive at growth stage with something that competitors trying to enter the same market cannot easily replicate: a structural permission to operate that took years to build and that the regulatory process is now significantly slower to grant to late arrivals.
That's not a product advantage. It's a positional one. And it can be worth considerably more.
What makes a regulatory moat durable
Not all regulatory compliance produces a moat. Filing your GDPR documentation and maintaining ISO 27001 is table stakes. It may be a prerequisite for enterprise sales, but it doesn't create structural defensibility because it's achievable by any reasonably organised competitor.
A regulatory moat exists when three conditions are present simultaneously.
First, the regulatory process is genuinely slow and capacity-constrained. This means that even a competitor who starts the process today cannot meaningfully accelerate it by throwing resources at it. The FCA's banking licence application process, for example, involves a substantive review of governance, systems, risk management infrastructure, and capital adequacy that cannot be compressed below a certain timeline regardless of how good the applicant's lawyers are. A competitor who begins this process today will not hold a full UK banking licence for a minimum of two to three years, and realistically longer.
Second, the market has moved in ways that make late-stage regulatory entry more costly, not less. This happens when early incumbents have used the time their licence buys them to deepen customer relationships, accumulate proprietary data, and build product integrations that depend on their regulatory permissions. By the time a well-funded competitor completes the same regulatory process, they enter a market where the structural position of the early movers has had years to compound.
Third, the regulatory permission itself is not sufficient — it must be combined with operational credibility that regulators develop over time through observation of how an authorised firm actually behaves. Revolut's experience in the UK is instructive here. The company received conditional authorisation for a UK banking licence in July 2024, beginning a mobilisation phase that should have concluded within twelve months. It extended beyond fourteen months. The PRA was evaluating not just whether Revolut could satisfy its initial application conditions, but whether the risk management infrastructure of a company with 65 million customers across 40 countries was adequate for the full permissions it sought. The licence itself was only the beginning. The operational credibility required to exercise it fully was a separate and harder-to-accelerate process.
These three conditions describe why regulatory moats, when they are genuine, are among the most durable forms of structural advantage in any sector where they apply. They are slow to build, actively difficult for competitors to replicate, and compound in value as the incumbent uses the permissions the licence provides to expand into adjacent products and markets.

Revolut: the decade it took to understand what a banking licence was actually worth
Revolut's Nik Storonsky made a candid admission at the opening of the company's Canary Wharf headquarters in 2025. When Revolut began its international expansion years earlier, it had deliberately sought lighter regulatory permissions — e-money licences, FX licences, payment institution licences — because they were faster to obtain and allowed the company to launch more quickly in new markets. "It was a worse product," Storonsky acknowledged. The regulatory shortcuts that enabled rapid expansion had also constrained the product. An e-money institution cannot offer deposit accounts with FSCS protection. It cannot offer a full range of credit products. It cannot compete for the institutional and high-net-worth relationships that require the trust and regulatory standing of a full bank.
The UK banking licence — announced in conditional form in July 2024, after a process that began in 2021 — changed that calculation entirely. With full banking authorisation, Revolut can offer FSCS-protected current accounts, consumer credit, mortgages, and lending at a scale that was structurally unavailable to it as an e-money institution. The FCA investment permissions announced alongside its private banking launch in 2026 added discretionary portfolio management, leveraged investment products, and professional-tier wealth services. Private banking itself — with its £500,000 entry threshold and relationship-managed model — would have been impossible to launch without the combination of banking and investment permissions that the licensing process unlocked.
The sequence Storonsky described — licence first, regulatory permissions second, product expansion third — is precisely the compounding logic that makes a regulatory moat structural rather than incidental. Each regulatory permission enables a product capability. Each product capability deepens customer relationships and data accumulation. Each deepened relationship increases the cost of departure for customers who now hold their current account, investment portfolio, and mortgage with the same institution. The regulatory investment made at the beginning of the sequence is the foundation on which every subsequent product layer depends.
The important lesson for founders is not that Revolut was right to pursue a banking licence. It's that the decision to defer it — to choose lighter regulatory permissions for their short-term speed advantage — demonstrably constrained the product for years. In 2025, 21 fintechs applied for banking charters in the United States, more than in the previous four years combined. The growing recognition that a banking licence is a strategic infrastructure asset rather than a compliance burden is a sign of a maturing sector. But it also means that the window in which obtaining a banking licence creates genuine first-mover advantage is narrowing.

Veeva: building a regulatory position into the product layer
Veeva's relationship with pharmaceutical regulation is structurally different from Revolut's, and in some ways more instructive for B2B SaaS founders operating in industries where regulatory compliance is a customer requirement rather than a company permission.
The FDA's 21 CFR Part 11 standard governs electronic records and electronic signatures in the pharmaceutical industry. It requires that any system used to manage regulated data — clinical trial records, quality documentation, regulatory submissions, promotional materials — must maintain tamper-evident audit trails, enforce role-based access controls, and support compliant electronic signatures. The standard is technically specific and operationally demanding. Building a system that meets its requirements is a meaningful investment. Having that system validated for use in regulated workflows — an ongoing process that pharmaceutical companies must document and maintain — is another.
Veeva built compliance with 21 CFR Part 11 and the related GxP frameworks into the Vault platform from the ground up. It is not a feature layer applied to a general-purpose document management system. It is the architectural foundation on which every product is built. This means that when a pharmaceutical company evaluates Vault against a general-purpose alternative, the regulatory compliance question is not "can the platform be configured to meet the requirements?" — which is a long and expensive validation exercise — but "is the platform already validated for our regulated workflows?" The answer for Vault is yes, with documentation provided for each release that customers can use in their own compliance submissions.
The compounding effect of this design decision is visible in the competitive dynamics of the market. Salesforce launched a Life Sciences Cloud to compete with Veeva directly. With vastly superior resources and an existing Salesforce relationship at many pharmaceutical companies, Salesforce should have been a formidable competitor. It has not meaningfully displaced Veeva's position in its core regulated workflows. The regulatory compliance architecture that Veeva built into its foundation — and the validation documentation, the audit trail infrastructure, the release-by-release compliance support — represents years of accumulated regulatory credibility that Salesforce cannot replicate by deploying a sales team, regardless of how large or well-resourced.
Veeva's deep domain expertise has allowed the company to develop highly tailored solutions that address the unique and stringent requirements of pharmaceutical and biotechnology firms, including critical compliance with regulations like FDA 21 CFR Part 11. That compliance is not just a feature. It's the reason that replacing Veeva in a live regulated environment requires pharmaceutical companies to revalidate their systems, rebuild their audit trail documentation, and assume compliance risk during the transition. The regulatory architecture of the product is the switching cost.
Palantir: security clearances as a market access credential
Palantir presents a third variant of the regulatory moat — one that is less about sector-specific compliance frameworks and more about the security accreditation infrastructure required to operate in the most sensitive government and defence environments.
Palantir operates in classified environments that require FedRAMP High, IL-5, and IL-6 certifications. Very few commercial software vendors can operate at these security levels. FedRAMP High authorisation — the credential required to process the most sensitive unclassified government data — involves a security assessment process that typically takes twelve to eighteen months and requires continuous monitoring and annual reassessment thereafter. IL-5 and IL-6 authorisations, which govern classified and secret government networks, are substantially more demanding and involve security review processes that are not publicly documented in detail.
The practical implication is stark: a software company that wants to compete for US government contracts involving sensitive data cannot simply build a good product and submit a proposal. It must first obtain security credentials that require years to accumulate and that are actively revoked if the company fails to maintain the required security posture. Palantir's moat is built on high switching costs and unparalleled security credentials, with its software including robust, granular access controls, mandatory data encryption, and comprehensive audit logging capabilities that are essential for operating in highly regulated industries and classified government environments.
The deeper structural element here is the relationship credibility that accumulates alongside the formal accreditations. Palantir has operated inside US intelligence and defence programmes since the mid-2000s. The programme managers who championed its deployment have built careers around its use. The classified data pipelines that Gotham and Foundry manage have been operational for years. Displacing Palantir in these programmes requires not just a competing product with comparable accreditations — itself a multi-year project — but also the political capital to argue for a transition that disrupts live intelligence and defence operations. That barrier is not regulatory in the narrow sense. But it was created and is maintained by the regulatory and security infrastructure that Palantir invested in early and has sustained continuously.

What founders misunderstand about the timing of regulatory investment
The most common mistake is treating regulatory investment as something to do when the market demands it — when a big enterprise prospect requires a specific certification, or when a regulator raises concerns, or when a competitor's regulatory position becomes visible as a commercial disadvantage.
By that point, the window to build a regulatory moat has typically closed. The competitors who invested early have had years to accumulate the operational credibility, the product integrations, and the customer relationships that depend on their regulatory permissions. Catching up requires not just completing the same regulatory process — it requires completing it while trying to compete with incumbents who are operating in market conditions your regulatory position doesn't yet allow you to address.
The investment that creates a regulatory moat is almost always made at a point when it looks premature. Veeva was building 21 CFR Part 11 compliance into its architecture before pharmaceutical companies were expecting it from a CRM vendor. Revolut's CEO ultimately conceded that the years spent operating under lighter permissions were years of competitive disadvantage that the banking licence would have addressed. Palantir invested in government security accreditation infrastructure long before there was an obvious commercial return on that investment.
The correct framing is not "when does our market require this regulation?" It is "in the market we are building toward, which regulatory positions will create genuine barriers to entry for competitors starting this process today — and how long will it take us to achieve them?"
If the answer to the second part is "two to three years," the time to start is now.
The legal architecture of a regulatory moat
There is a dimension of regulatory positioning that founders — including those with legal backgrounds — systematically undervalue: the structural relationship between regulatory permissions and the commercial terms that depend on them.
A banking licence is not just a permission to offer banking products. It is the basis on which enterprise contracts with financial institutions are signed, on which regulatory capital treatment is determined, and on which the trust of institutional customers — who have their own regulatory obligations regarding the partners they work with — is extended. The commercial value of the licence is not fully captured by the products it enables. It is also embedded in the contractual relationships that the licence makes possible and in the pricing power that comes from being one of a small number of firms that holds it.
Similarly, a FedRAMP High authorisation is not just a technical credential. It is the precondition for being included in government procurement frameworks, for being listed on approved vendor lists, and for being eligible for the large multi-year enterprise agreements that define the government technology market. The revenue that flows from those agreements is structurally unavailable to unaccredited competitors.
For founders operating in regulated markets, the regulatory strategy and the commercial strategy are not separable. The regulatory permissions you hold determine which customers you can serve, which products you can offer, and which contractual structures you can enter. Building the regulatory position early — before the commercial pressure to serve those customers is acute — is the decision that determines whether the regulatory permission becomes a moat or merely the price of market entry.
Those two outcomes look similar from the outside. They are structurally very different.
The Moat Review is a series on structural advantage for founders of tech and SaaS companies. Next: Platform lock-in vs. ecosystem gravity — there's a difference, and it matters more than most founders realise.
Author: The Editors, the editorial voice of The Moat Review. Independent analysis written for founders, operators and investors building defensible technology companies.
