For five years I built software inside Credit Suisse and then UBS. For the last year I've been the CTO of a regulated UK credit union. The regulator's job is to assume the worst about everyone in the system, including the engineers, and to insist on evidence that the worst hasn't actually happened.
This is uncomfortable when you're inside it. Every decision has to leave a trail. Every change to a customer record has to be attributable. Every staff member has to be tested on the policy before they can press the button. Every action by an administrator has to be reviewable by a separate person before it takes effect. Nothing happens quietly.
This is also exactly the discipline that consumer software is missing.
A consumer SaaS will happily let an admin change a customer's email address with no log of who did it or why, on a Tuesday at 2pm, with the customer asleep in another timezone. A regulated platform will not. Every field on every record carries an immutable history of which staff identity changed it, when, from what value to what value, with which case reference attached.
A consumer app will happily store user data forever because storage is cheap and nobody internally has a reason to delete it. A regulated platform deletes it on a category-specific schedule because the retention rule says so, and the retention rule says so because the regulator says so. Transaction records survive seven years. Marketing-consent records survive until consent is withdrawn. Failed-onboarding photographs vanish after thirty days. None of it survives by accident.
A consumer admin tool will let one person approve a refund of any amount at any time. A regulated admin tool asks for four-eyes approval above a threshold. The action goes into a pending state. A second authorised user, who must not be the person who raised it, has to open it, see the original action and its justification, and approve it in a separate session, ideally from a separate device. Only then does the money move.
A consumer app will let support log into a customer's account "to help". A regulated platform won't. Support sees a redacted version of the account, with the actions they're allowed to take exposed as discrete buttons. Each one writes its own audit entry under the support user's identity, not the customer's. The customer's password and session are never touched.
When something goes wrong in consumer software, the post-mortem usually starts with "we don't have visibility into..." The team didn't log it, didn't keep a copy, didn't ask a second person to look. The fire is in the dark and everyone is reconstructing the room.
When something goes wrong in regulated software, the post-mortem starts with the audit chain. Who did what, when, from where, with which version of the policy in force, with which decision recorded against which evidence. The fire is in full light and the reconstruction is mechanical. Within an hour you know exactly what happened and exactly who needs to be told.
The difference between those two worlds is not regulation. It is engineering discipline that the regulator forced you to adopt earlier than you would have on your own.
The cost of building this discipline in from day one is not high. Adding an immutable audit log to the database costs a few hours of schema work and a single insert hook on every mutating endpoint, provided the hook writes in the same transaction as the change it records and the log table refuses updates and deletes at the database layer rather than only in application code. Writing a four-eyes approval gate around irreversible actions costs a few hours of state machine work and one extra UI surface. Defining a retention policy and enforcing it costs an afternoon and a nightly cron job. None of these are weeks of work. They are hours.
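The three pieces above (the per-field audit history of the email change, the four-eyes refund gate, and the category-specific retention purge) as one added example in Python on SQLite. This is my illustration, not code from the author's credit union or any real platform. The refund threshold, the retention windows, the `staff:` identifiers and the case references are assumptions chosen for the demo; the audit row and the mutation it records are committed in the same transaction, and two triggers make the database itself reject any UPDATE or DELETE on the log.

```python
"""Append-only audit chain, four-eyes gate and retention purge on SQLite (illustrative)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed figures for illustration; real thresholds and windows come from written policy.
FOUR_EYES_THRESHOLD_PENCE = 50_000
RETENTION = {"transaction": timedelta(days=7 * 365),
             "failed_onboarding_photo": timedelta(days=30)}

SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE audit(id INTEGER PRIMARY KEY, at TEXT NOT NULL, actor TEXT NOT NULL,
    case_ref TEXT NOT NULL, tbl TEXT NOT NULL, row_id INTEGER NOT NULL,
    field TEXT NOT NULL, old TEXT, new TEXT);
-- The database refuses to rewrite history, whatever the application code tries.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
    BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
    BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TABLE refunds(id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
    amount_pence INTEGER NOT NULL, justification TEXT NOT NULL,
    requested_by TEXT NOT NULL, approved_by TEXT,
    status TEXT NOT NULL CHECK(status IN ('pending', 'executed')));
CREATE TABLE blobs(id INTEGER PRIMARY KEY, category TEXT NOT NULL, created_at TEXT NOT NULL);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def audit(db, actor, case_ref, tbl, row_id, field, old, new):
    """Append one audit row; callers invoke this inside the mutation's own transaction."""
    db.execute("INSERT INTO audit(at,actor,case_ref,tbl,row_id,field,old,new) VALUES(?,?,?,?,?,?,?,?)",
               (datetime.now(timezone.utc).isoformat(), actor, case_ref, tbl, row_id, field, old, new))


def change_email(db, actor, case_ref, customer_id, new_email):
    """The field change and its audit entry commit together or roll back together."""
    with db:
        (old,) = db.execute("SELECT email FROM customers WHERE id=?", (customer_id,)).fetchone()
        db.execute("UPDATE customers SET email=? WHERE id=?", (new_email, customer_id))
        audit(db, actor, case_ref, "customers", customer_id, "email", old, new_email)


def history(db, tbl, row_id):
    return db.execute("SELECT actor, field, old, new FROM audit WHERE tbl=? AND row_id=? ORDER BY id",
                      (tbl, row_id)).fetchall()


def tamper_attempts_blocked(db):
    """True when both an UPDATE and a DELETE against a non-empty log are rejected by the triggers."""
    if db.execute("SELECT COUNT(*) FROM audit").fetchone()[0] == 0:
        return False  # row-level triggers never fire on an empty table, so nothing is proven
    blocked = 0
    for stmt in ("UPDATE audit SET new='tampered'", "DELETE FROM audit"):
        try:
            db.execute(stmt)
        except sqlite3.DatabaseError:
            blocked += 1
    db.rollback()
    return blocked == 2


def _execute_refund(db, refund_id, actor, case_ref):
    db.execute("UPDATE refunds SET status='executed' WHERE id=?", (refund_id,))
    audit(db, actor, case_ref, "refunds", refund_id, "status", "pending", "executed")
    # the actual money movement would be issued here, after the state change is recorded


def request_refund(db, actor, case_ref, customer_id, amount_pence, justification):
    """Below the threshold one pair of eyes suffices; above it the refund parks as 'pending'."""
    with db:
        cur = db.execute("INSERT INTO refunds(customer_id,amount_pence,justification,requested_by,status)"
                         " VALUES(?,?,?,?,'pending')", (customer_id, amount_pence, justification, actor))
        refund_id = cur.lastrowid
        audit(db, actor, case_ref, "refunds", refund_id, "status", None, "pending")
        if amount_pence <= FOUR_EYES_THRESHOLD_PENCE:
            _execute_refund(db, refund_id, actor, case_ref)
    return refund_id


def approve_refund(db, approver, case_ref, refund_id):
    """Second authorised user executes a pending refund; the requester cannot approve their own."""
    with db:
        row = db.execute("SELECT requested_by, status FROM refunds WHERE id=?", (refund_id,)).fetchone()
        if row is None or row[1] != "pending":
            raise ValueError("no pending refund with that id")
        if row[0] == approver:
            raise PermissionError("four-eyes: requester may not approve their own action")
        db.execute("UPDATE refunds SET approved_by=? WHERE id=?", (approver, refund_id))
        _execute_refund(db, refund_id, approver, case_ref)


def refund_status(db, refund_id):
    return db.execute("SELECT status FROM refunds WHERE id=?", (refund_id,)).fetchone()[0]


def seed_blob(db, category, age_days, now=None):
    """Constructed sample data: a stored artefact created age_days ago."""
    now = now or datetime.now(timezone.utc)
    with db:
        cur = db.execute("INSERT INTO blobs(category, created_at) VALUES(?,?)",
                         (category, (now - timedelta(days=age_days)).isoformat()))
    return cur.lastrowid


def purge_expired(db, actor, now=None):
    """Nightly job: delete rows past their category's window, auditing every deletion."""
    now = now or datetime.now(timezone.utc)
    deleted = 0
    with db:
        for category, window in RETENTION.items():
            cutoff = (now - window).isoformat()  # ISO-8601 UTC strings compare lexicographically
            for (blob_id,) in db.execute("SELECT id FROM blobs WHERE category=? AND created_at<?",
                                         (category, cutoff)).fetchall():
                db.execute("DELETE FROM blobs WHERE id=?", (blob_id,))
                audit(db, actor, "retention:" + category, "blobs", blob_id, "row", "present", "deleted")
                deleted += 1
    return deleted
```

The retention purge writes its own audit rows under a system identity, so the answer to "why is that photograph gone?" is also in the chain. In production the triggers would be backed by grants: the application role gets INSERT on the audit table and nothing else.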
The cost of doing this after a breach, or a customer complaint to the press, or an investor due-diligence question that you couldn't answer cleanly, is enormous. It is enormous on three axes. Engineering cost to retrofit, because you're adding fields and hooks to a schema with millions of existing rows. Reputation cost, because the breach is now public. Opportunity cost, because the team that should be building the next feature is rewriting the foundations.
Treat regulated as the floor. Audit chains. Retention policies. Four-eyes gates. Attestation training. You won't need all of them on every project. You will, eventually, need most of them, on most projects. Building them in early is far cheaper than retrofitting them under pressure.
The same discipline that keeps a credit union out of trouble is the discipline that turns a consumer app into a serious tool. Both kinds of customer want the same thing in the end. Software that does what it says, remembers what happened, and lets a real human ask "show me how" without flinching.
That is the bar I work to. The regulator was right.