Why do core banking replacements average 3.5 years and 250% budget overruns?

I've watched three core banking replacements up close over the last decade, and honestly, the technology was never what kept anyone up at night. What kept the program director reaching for antacids was the gap, sometimes a canyon, between what regulators require, what business users write in requirements documents, and what engineers ultimately build. These projects ask teams to swap out platforms that have been running for 20 or 30 years, platforms handling millions of daily transactions, while satisfying hundreds of regulatory requirements across multiple jurisdictions. It's heart surgery on a sprinting patient.

Let me paint you a picture I've seen play out more than once. You're 18 months into a 3-year replacement. The original 2,000-page Business Requirements Document felt thorough at the time (it had a table of contents and everything). Then a regulatory audit surfaces compliance gaps nobody saw coming. Different teams reinterpreted the same requirements in different ways. Basel III revisions landed mid-project. New AML rules dropped six months in. Regional compliance shifts arrived without warning. And there was no mechanism, none, to propagate those changes through to code. The rework conversations that followed? Brutal.

$1.1B
actual cost for Commonwealth Bank's core system replacement (budgeted at $580M, completed 2012)
Source: iTnews Australia

Traditional approaches, I'm sorry to say, tend to make things worse. Those massive Business Requirements Documents? Already obsolete before development kicks off. Regulatory mapping? It lives in spreadsheets maintained by a completely separate team who may or may not talk to the architects. Compliance workstreams? They discover gaps only during formal audit cycles. By the time regulators flag a missing requirement (and they will), engineering teams are already too deep in implementation to course-correct without spending a fortune.

How do financial institutions currently approach core replacements?

Most banks follow a risk-averse, document-heavy process built to satisfy audit trails. And here's the cruel irony that I've personally witnessed at two major Canadian financial institutions: that same process creates the coordination problems and late-stage surprises it was supposed to prevent.

Approach 1: Massive Business Requirements Documents with separate compliance spreadsheets

Business analysts spend months creating 2,000 to 3,000 page BRDs (Business Requirements Documents) in business language. Meanwhile, down the hall (or sometimes in a different city), compliance teams maintain separate spreadsheet mappings connecting regulations like Basel III, Dodd-Frank, and MAS Notice 626 to business requirements. Two documents. Two teams. Almost zero cross-visibility into coverage gaps. I once asked a compliance officer whether she'd seen the latest BRD revision. She laughed. She didn't even know there'd been one. And when regulations change mid-project? Updating both the BRD and compliance mapping is manual, error-prone, and painfully slow.

Approach 2: Parallel workstreams with late integration

Business, architecture, and compliance teams work in parallel for months, heads down. Halfway through development, they try to reconcile. This is where I've seen grown adults put their heads on the conference table. Architecture teams realize they missed constraints documented in the compliance spreadsheet. Compliance discovers engineers implemented a requirement differently than the BRD described. Rework spirals from there, fast.

Approach 3: Regulatory reviews at gate milestones, not continuously

Banks conduct formal compliance reviews at fixed gates: design review, system test readiness, UAT (User Acceptance Testing) completion, go-live. The problem? By the time someone spots a gap during gate review, code changes are already expensive. Worse (and I've seen this firsthand in 2019), regulators often require approval of cutover plans only 3 to 6 months before go-live. That leaves zero time to fix architectural compliance gaps you should have caught two years earlier.

None of these approaches give real-time visibility into whether regulatory requirements are fully covered in the specification and actually implemented in code. So what happens? High-risk parallel-run phases. The bank runs old and new systems side-by-side for 6 to 12 months, burning cash to validate correctness before cutover. That adds enormous time and cost. And everyone knows it. But nobody has a better answer.

How does regulation-to-code traceability change banking modernization?

Specira creates a living traceability matrix connecting regulations directly to requirements, architecture, and implementation. Instead of separate documents floating between teams in email attachments nobody opens, all stakeholders work from a single source of truth. Coverage gaps get flagged automatically. When regulations change (and they always do, usually at the worst possible time), the matrix evolves with them.

Here's what actually makes this different from yet another document management tool: regulatory requirements become executable specifications. Instead of burying regulations in narrative BRDs that engineers have to squint at and interpret (I've watched developers argue for 45 minutes about what a single paragraph meant), they're captured as structured rules. Something like: "Account balance calculations must reflect real-time NOSTRO/VOSTRO balances per Basel III Liquidity Ratio requirements." The AI-powered platform then maps that rule to the data model (which database tables need real-time updates), to API endpoints (which services expose balance data), and to audit trails (which events must be logged for regulatory proof). One traceable line from regulation to code. No guessing, no interpretation battles.

Regulation Basel III Dodd-Frank MAS Notice 626 GDPR Real-time balance updates per Basel liquidity rules Requirements Account balance calculations must reflect real-time NOSTRO VOSTRO data with audit trails Implementation Database schema: NOSTRO VOSTRO tables API: /balances Microservice: balance-calc Event log: balance_updates Audit Trail Compliance evidence: all balance changes logged with timestamp user and reason Living traceability matrix: regulations map to requirements, implementation, and audit evidence

Once regulation-to-code traceability is in place, four capabilities change the game:

The upshot? Compliance gaps surface early, during design review, not during parallel-run testing 18 months into the project when fixing them costs ten times as much. Regulatory changes propagate immediately through the entire specification. And because teams finally work from a single source of truth (I can't overstate how rare that is in banking IT), the coordination overhead that causes rework simply disappears.

What outcomes can banks expect from regulation-to-code traceability?

Financial services teams that implement end-to-end regulatory traceability see improvements across both compliance rigor and project efficiency. The numbers won't shock anyone who's lived through a failed core replacement, but they're worth spelling out:

100%
regulatory coverage mapped to code
50%
faster compliance review cycles
3-6 mo
reduction in parallel-run time

Complete regulatory coverage means no compliance surprises at audit gates. When external regulators review your system design or test results, they see documented traceability proving every requirement's been addressed. I've sat in rooms where the auditor asked "show me where Basel III section 4.2 is implemented" and the team spent three days finding the answer. That shouldn't happen.

Think about the typical 6 to 8 week gate review that kills project momentum. (I remember one that ran 11 weeks because of a single missing requirement chain.) With queryable traceability matrices, auditors can verify coverage electronically instead of reviewing thousands of pages. Review time drops from 6 weeks to 2 weeks.

Parallel-run time reduction comes from confidence, plain and simple. Instead of running both systems for 12 months to validate functional equivalence, banks with documented traceability can reduce parallel-run to 3 to 6 months. Why? Because auditors can verify compliance through the traceability chain rather than demanding empirical proof from months of operational data. That's real money saved: every month of parallel-run is millions in infrastructure and staffing.

From the field

Zions Bancorporation, $90 billion regional bank: Zions Bancorporation, operating across 11 U.S. states with $90 billion in assets, undertook one of the most ambitious core banking replacements in recent history. Their leadership evaluated traditional U.S. core banking vendors in 2012 and concluded that none offered technology modern enough for their needs. They selected TCS BaNCS and launched a phased, decade-long transformation. (Source: American Banker)

The migration unfolded in three deliberate phases: consumer loan software finalized in 2017, construction and commercial loan software launched in 2019, and the deposit platform went live in July 2023. Zions chose to start with the loan system because it had lower customer engagement and visibility, minimizing the blast radius if conversion issues arose. Each phase involved thousands of test simulations before going live. (Source: The Financial Brand)

Zions migrated over 140 million records and normalized all data in their warehouses, positioning them for AI and generative AI capabilities. They consolidated 500 deposit products down to approximately 100 and standardized branch and loan operations. New features and functionalities now ship approximately 40% faster than before the transformation.

What does Zions' experience teach us? A decade-long, multi-phase migration across 140 million records demands exhaustive documentation of legacy behavior at every phase boundary. Skip that step, and each cutover becomes a high-risk event where undocumented business logic surfaces as production defects.

Key takeaway

Core banking replacements are high-risk, multi-year projects. Regulatory compliance isn't negotiable. Traditional approaches fail because they fragment requirements into separate documents maintained by different teams; nobody can detect coverage gaps early or respond quickly when regulations change.

  • Regulation-to-code traceability creates a single source of truth connecting regulations to implementation
  • Automated compliance gap detection surfaces issues during design, not during late-stage audits
  • Living documentation evolves when regulations change, without manual rework
  • Parallel-run time shrinks when regulators have documented proof of compliance, rather than demanding empirical validation

Frequently asked questions

Banks specify core system replacements by creating regulatory traceability matrices that map regulations to business requirements, system requirements, and finally to code. This requires capturing hundreds of regulatory constraints, documenting parallel-run strategies, and maintaining compliance coverage through 3-5 year replacement timelines. Specira automates this process, creating living traceability documentation that evolves as regulations change during the project.
Requirements traceability in banking is the ability to trace every regulatory requirement through to the code that implements it, ensuring zero compliance gaps. A traceability matrix connects regulations (e.g., Basel III capital requirements) to business requirements (e.g., real-time balance calculations), to technical requirements (e.g., database schemas and API contracts), and finally to test cases and code. This allows auditors to verify that every regulation is implemented and tested.
Compliance during migration is maintained through parallel-run testing (running old and new systems side-by-side for 6-12 months), regulatory pre-approval of cutover plans, and automated traceability verification. The key challenge is discovering requirements gaps before cutover occurs. Living traceability documentation that automatically flags coverage gaps when regulations change is essential to preventing compliance violations during multi-year replacement projects.

Related use cases

Fintech: Payment Modernization

How financial services teams reduce compliance risk and accelerate payment system upgrades with AI-powered architectural design.

The Invisible Problem: Technical Debt Before Day One

Why architectural decisions made in the first week compound into technical debt, and how to make them intentionally.
Nicolas Payette, CEO and Founder of Specira AI
Nicolas Payette
CEO and Founder, Specira AI

Nicolas Payette has spent 25 years in enterprise software delivery, leading digital transformations at companies like Technology Evaluation Centers and Optimal Solutions. He founded Specira AI to solve the root cause of project failure: unclear requirements, not slow code.