Why do core banking replacements average 3.5 years and 250% budget overruns?

Core banking system replacements are the highest-stakes software projects in financial services. Banks replace decades-old legacy platforms with modern systems that must handle millions of transactions daily, maintain perfect data integrity, and comply with hundreds of regulatory requirements across multiple jurisdictions. The problem is not technology. It is the gap between what regulators require, what business users describe in requirements documents, and what engineers ultimately implement.

When regulatory audits occur 18 months into a 3-year replacement, compliance gaps emerge that were invisible in the original specification. Requirements that seemed clear in a 2,000-page Business Requirements Document have been reinterpreted by different teams. Changes to regulatory frameworks (Basel III revisions, new AML rules, regional compliance shifts) arrive mid-project with no mechanism to propagate them through to code. The result is discovery of compliance rework at the worst possible time, derailing timelines and budgets.

$1.1B
actual cost for Commonwealth Bank's core system replacement (budgeted at $580M, completed 2012)
Source: iTnews Australia

The traditional approach compounds the problem: massive Business Requirements Documents that become obsolete before development starts, manual regulatory mapping in spreadsheets maintained in different teams, and separate compliance workstreams that discover gaps only during audit cycles. By the time regulators identify a missing requirement, engineering teams are too deep in implementation to course-correct cheaply.

How do financial institutions currently approach core replacements?

Most banks follow a risk-averse, document-heavy process designed to satisfy audit trails, but which creates coordination problems and late-stage surprises.

Approach 1: Massive Business Requirements Documents with separate compliance spreadsheets

Business analysts create 2,000-3,000 page Business Requirements Documents (BRDs) describing features in business language. Simultaneously, compliance teams maintain separate spreadsheet mappings connecting regulations (Basel III, Dodd-Frank, MAS Notice 626, etc.) to business requirements. These two documents live separately, with limited cross-team visibility into coverage gaps. When regulations change, updating both the BRD and the compliance mapping is manual and error-prone.

Approach 2: Parallel workstreams with late integration

The business team, architecture team, and compliance team work in parallel. Halfway through development, these workstreams try to reconcile. Architecture teams discover that they missed constraints documented in the compliance spreadsheet. Compliance teams discover that engineers implemented a requirement differently than the BRD described. Rework spirals across the project.

Approach 3: Regulatory reviews at gate milestones, not continuously

Banks conduct formal compliance reviews at fixed gates (design review, system test readiness, UAT completion, go-live). By the time a gap is identified in gate review, code changes are expensive. Regulators often require approval of cutover plans only 3-6 months before go-live, leaving no time to fix architectural compliance gaps.

None of these approaches provide real-time visibility into whether regulatory requirements are fully covered in the specification and implemented in code. The result is high-risk parallel-run phases where the bank must run old and new systems side-by-side for 6-12 months to validate correctness before cutover, adding enormous time and cost to the project.

How does regulation-to-code traceability change banking modernization?

Specira creates a living traceability matrix connecting regulations directly to requirements, architecture, and implementation. Instead of separate documents, all stakeholders work from a single source of truth that automatically flags coverage gaps and evolves when regulations change.

The core innovation is treating regulatory requirements as executable specifications. Rather than writing regulations into narrative BRDs that engineers must interpret, they are captured as structured rules: "Account balance calculations must reflect real-time NOSTRO/VOSTRO balances per Basel III Liquidity Ratio requirements." The AI-powered platform then maps this to the data model (which database tables must be updated in real-time), to API endpoints (which services expose balance data), and to audit trails (which events must be logged for regulatory proof). This creates a traceable line from regulation to code.

Regulation Basel III Dodd-Frank MAS Notice 626 GDPR Real-time balance updates per Basel liquidity rules Requirements Account balance calculations must reflect real-time NOSTRO VOSTRO data with audit trails Implementation Database schema: NOSTRO VOSTRO tables API: /balances Microservice: balance-calc Event log: balance_updates Audit Trail Compliance evidence: all balance changes logged with timestamp user and reason Living traceability matrix: regulations map to requirements, implementation, and audit evidence

With regulation-to-code traceability in place, four key capabilities emerge:

The result is that compliance gaps are surfaced early, during design review, not during parallel-run testing 18 months into the project. Regulatory changes propagate immediately through the entire specification. Teams work from a single source of truth, eliminating the coordination overhead that causes rework.

What outcomes can banks expect from regulation-to-code traceability?

Financial services teams implementing end-to-end regulatory traceability report consistent improvements in compliance rigor and project efficiency:

100%
regulatory coverage mapped to code
50%
faster compliance review cycles
3-6 mo
reduction in parallel-run time

Complete regulatory coverage means no compliance surprises at audit gates. When your external regulators review your system design or test results, they see documented traceability proving that every requirement has been addressed.

Faster compliance review cycles eliminate the 6-8 week gate reviews that slow project momentum. Auditors can query the traceability matrix electronically instead of reviewing thousands of pages of documentation, cutting review time from 6 weeks to 2 weeks.

Parallel-run time reduction comes from confidence that the new system correctly implements all regulatory requirements. Instead of running both systems for 12 months to validate functional equivalence, banks with documented traceability can reduce parallel-run to 3-6 months because auditors can verify compliance through the traceability chain rather than demanding empirical proof from months of operational data.

From the field

Zions Bancorporation, $90 billion regional bank: Zions Bancorporation, operating across 11 U.S. states with $90 billion in assets, undertook one of the most ambitious core banking replacements in recent history. Their leadership evaluated traditional U.S. core banking vendors in 2012 and concluded that none offered technology modern enough for their needs. They selected TCS BaNCS and launched a phased, decade-long transformation. (Source: American Banker)

The migration unfolded in three deliberate phases: consumer loan software finalized in 2017, construction and commercial loan software launched in 2019, and the deposit platform went live in July 2023. Zions chose to start with the loan system because it had lower customer engagement and visibility, minimizing the blast radius if conversion issues arose. Each phase involved thousands of test simulations before going live. (Source: The Financial Brand)

The results were transformative: Zions migrated over 140 million records and normalized all data in their warehouses, positioning them for AI and generative AI capabilities. They consolidated 500 deposit products down to approximately 100 and standardized branch and loan operations. New features and functionalities now ship approximately 40% faster than before the transformation.

Zions' experience highlights why specification completeness matters in core replacements. A decade-long, multi-phase migration across 140 million records demands exhaustive documentation of legacy behavior at every phase boundary. Without it, each cutover becomes a high-risk event where undocumented business logic surfaces as production defects.

Key takeaway

Core banking replacements are high-risk, multi-year projects where regulatory compliance is non-negotiable. Traditional approaches fail because they fragment regulatory requirements into separate documents maintained by different teams, making it impossible to detect coverage gaps early or respond quickly to regulatory changes.

  • Regulation-to-code traceability creates a single source of truth connecting regulations to implementation
  • Automated compliance gap detection surfaces issues during design, not during late-stage audits
  • Living documentation evolves when regulations change, without manual rework
  • Parallel-run time shrinks when regulators have documented proof of compliance, rather than demanding empirical validation

Frequently asked questions

Banks specify core system replacements by creating regulatory traceability matrices that map regulations to business requirements, system requirements, and finally to code. This requires capturing hundreds of regulatory constraints, documenting parallel-run strategies, and maintaining compliance coverage through 3-5 year replacement timelines. Specira automates this process, creating living traceability documentation that evolves as regulations change during the project.
Requirements traceability in banking is the ability to trace every regulatory requirement through to the code that implements it, ensuring zero compliance gaps. A traceability matrix connects regulations (e.g., Basel III capital requirements) to business requirements (e.g., real-time balance calculations), to technical requirements (e.g., database schemas and API contracts), and finally to test cases and code. This allows auditors to verify that every regulation is implemented and tested.
Compliance during migration is maintained through parallel-run testing (running old and new systems side-by-side for 6-12 months), regulatory pre-approval of cutover plans, and automated traceability verification. The key challenge is discovering requirements gaps before cutover occurs. Living traceability documentation that automatically flags coverage gaps when regulations change is essential to preventing compliance violations during multi-year replacement projects.

Related use cases

Fintech: Payment Modernization

How financial services teams reduce compliance risk and accelerate payment system upgrades with AI-powered architectural design.

The Invisible Problem: Technical Debt Before Day One

Why architectural decisions made in the first week compound into technical debt, and how to make them intentionally.
Nicolas Payette
Nicolas Payette
CEO and Founder, Specira AI

Nicolas Payette has spent 20 years in enterprise software delivery, leading digital transformations at companies like Technology Evaluation Centers and Optimal Solutions. He founded Specira AI to solve the root cause of project failure: unclear requirements, not slow code.