LIGHTS OUT FINANCE
Lights Out Finance · In this paper: Regulation

The compliance dividend

T+1, MiCA, DORA, the AI regimes, e-invoicing: five regulatory waves demanding the same three capabilities. How the firms that architect for it get their autonomous back office co-funded by the rulebook.

AB
Adil Bahir
Founder & Editor, Lights Out Finance · Two decades in finance transformation, quantitative finance, and enterprise AI
Interactive white paper · July 2026 · lightsoutfinance.net · 9-min read · Print / PDF
In the thesisLayer 5, co-funded by the rulebook.
In brief
Five waves, one specification. T+1, MiCA, DORA, AI-governance regimes, and e-invoicing mandates all reduce to governed data, continuous controls, and evidence on demand.
Every mandate offers the same fork: a point solution that serves one rulebook and dies, or an installment on a shared control plane the next mandate finds already running.
Compliance money approves itself. A CFO who forces regulatory programs to deliver into the shared plane is co-funding the autonomous operating model with mandatory spend.

Somewhere in your organization, several programs are running that do not speak to each other. One is compressing settlement operations for T+1. One is building MiCA-grade record-keeping for the digital asset desk. One is documenting operational resilience for DORA. One is standing up AI-governance documentation. One is wiring the ERP for a tax authority’s e-invoicing mandate. Each has its own steering committee, its own consultants, its own deadline-driven despair. And each is, underneath the rulebook citations, asking finance and operations for the same three things: governed data, continuously running controls, and evidence on demand.

Which happens to be, word for word, the architecture of the autonomous back office this publication has spent nine papers assembling. That coincidence is the thesis of this one: regulation is quietly financing the lights-out transition — for the firms that notice, and taxing everyone else twice.

Read the mandates as one specification

Strip the legal prose and look at the operational asks. T+1 does not care how you compress affirmation and allocation; it simply removes the overnight in which manual work used to hide — a clock constraint only continuous, exception-based processing meets gracefully (The Desk After Dark’s ladder, compressed by statute). MiCA’s custody segregation, record-keeping, and reporting duties assume books that reconcile to the chain continuously, not monthly — The Autonomous Digital Asset Back Office’s argument, now with supervisory teeth. DORA demands proven fallbacks and incident evidence — the tested kill-switch and immutable logging The Auditor Will See You Now put in the control plane. The AI regimes ask for logging, human oversight, and transparency — artifacts the attestable architecture produces as exhaust. And the e-invoicing wave is the bluntest of all: tax authorities moving to transaction-level, near-real-time data have effectively mandated the continuous data foundation of The Foundation Eats the Roadmap, because you cannot stream to a regulator what you have not governed for yourself.

Exhibit 1
The mandate stack
T+1 settlementUS live · UK/EU on the runway — halves the ops clock MiCAEU digital-asset regime — segregation, records, reporting DORAoperational resilience — tested fallbacks, incident evidence EU AI Actlogging, oversight, transparency for consequential AI E-invoicing & digital reporting mandatestransaction-level, near-real-time tax data Common denominator: governed data, continuous controls, evidence on demand
Five regulatory waves, one common denominator. Each can be met with a point solution that serves one rulebook — or as an installment on a shared control plane.

The two ways to spend the same money

Every mandate offers the same fork. The point-solution path: a bolt-on tool per rulebook, a reporting layer per regulator, a documentation binder per regime — fastest to the deadline, and it converts the entire budget into shelfware the day the next mandate lands with an 80%-overlapping ask. The control-plane path: treat each mandate as a delivery installment on shared capabilities — the governed data layer, the policy engine, the evidence store, the exception desk — and let each successive regulation find most of its requirements already running. The first path buys compliance. The second buys compliance and the operating model, with the same approved money.

Exhibit 2 · Interactive
The compliance-dividend calculator
Compliance budgets are the only transformation money that approves itself. The question is what fraction you architect as reusable control plane versus point solutions that serve one rulebook and die.
Reusable control-plane asset built
Duplicate build avoided across mandates
Point-solution spend that serves one rulebook
Effective transformation co-funding
Duplicate-build avoidance assumes 60% of each subsequent mandate’s requirements are already served by the shared plane. The arithmetic is illustrative; the strategic point is not: five mandates asking for the same three capabilities is an architecture opportunity wearing a deadline.
Five mandates asking for the same three capabilities is not a burden. It is an architecture opportunity wearing a deadline.

The collision calendar

Regulatory programs are budgeted one rulebook at a time, which is precisely how the duplication survives: no single business case ever sees the portfolio. The planner above restores the portfolio view with three inputs any regulatory-affairs calendar can supply, and its fourth output is the one that changes meetings — the mandate number at which the shared-plane path becomes cumulatively cheaper. In most realistic parameterizations that break-even arrives at the second or third mandate, which is to say inside the current planning horizon, which is to say the point-solution path is not the prudent default it pretends to be; it is a decision to pay a visible premium later in exchange for an invisible discount now. Committees behave differently once that number is on the slide. Put it on the slide.

Exhibit 3 · Interactive
The collision planner
Your next N mandates, priced both ways. The break-even arrives earlier than the point-solution habit assumes.
Point-solution path, total
Shared-plane path, total
Portfolio saving
Break-even mandate
Shared-plane path: first mandate carries the platform premium; each subsequent mandate lands at ~45% of point cost because the common capabilities already run. The fourth output is the political number: it tells the steering committee how quickly the “expensive” path becomes the cheap one — typically at the second or third mandate, i.e., within the same budget cycle that approved the first.

Name the anti-pattern too, because it wears the same vocabulary: the compliance-branded platform program — a multi-year “strategic control plane” that swallows every mandate’s budget and ships none of their deadlines. The dividend play is disciplined in exactly the way that beast is not: every mandate is delivered on its own clock, fully compliant, with the shared components as the delivery mechanism rather than a prerequisite. The first mandate ships the evidence store because it needed one; the second inherits it and ships the policy engine; the third inherits both. If any single regulatory deadline is ever held hostage to the platform roadmap, the play has failed — and deserves the steering-committee fate it will get. Installments, not cathedrals: the architecture accumulates precisely because no mandate is ever asked to wait for it.

Supervisors as design partners

A final reframe, unfashionable but earned: the supervisor is not the adversary of this architecture — the supervisor is its most demanding user. Every capability the shared plane builds (evidence on demand, policy versioning, continuous control monitoring, tested fallbacks) maps to what examination teams spend their fieldwork extracting from firms one document request at a time. The pattern to expect follows the logic of assurance itself: examinations narrow as supervisory confidence in the system replaces item-by-item verification — the regulator’s version of the sampling-to-census flip from The Auditor Will See You Now. The mature move is to treat the supervisory relationship as a design input: brief them on the control plane before they ask, walk them through the evidence store, let them test the kill switch. A regulator who has seen the machinery examines a different firm than one who has only read its policies — and prices the difference in scope, frequency, and tone.

Running the play: three design-review questions

The arbitrage operationalizes as three questions the architecture authority asks of every regulatory program at design review, before a euro of the budget moves. One: which of your requirements are instances of the shared capabilities — governed data, executable policy, evidence store, exception desk — and which are genuinely rulebook-specific? Honest programs discover the split runs roughly 70/30. Two: what are you building that the last mandate already built? The overlap audit is routinely embarrassing and always lucrative. Three: what will the next mandate inherit from you? A program that cannot answer the third question is building shelfware on a deadline. Enforced consistently, the three questions convert a regulatory calendar into a delivery roadmap — and they cost nothing but the authority to ask them.

There is also a defensive version of the same play worth naming: firms that meet AI-governance regimes with a genuine control plane (The Auditor Will See You Now) get a second dividend — the supervisory examination itself gets cheaper. Evidence on demand is a different conversation from evidence on request, and supervisors, like auditors, price the difference in scope.

The CFO’s quiet arbitrage

There is a practical reason this framing changes outcomes, and it is budgetary physics: compliance money approves itself. Transformation business cases fight for capital against every other initiative; regulatory deadlines do not. A CFO who insists — as a standing architectural principle, enforced at design review — that every regulatory program deliver its requirements as components of the shared control plane is running a perfectly legitimate arbitrage: mandatory spend, discretionary asset. The precedent is the BCBS 239 wave: the banks that built genuine data lineage rather than a reporting bolt-on acquired an asset they have stood on for a decade — the compounding this play is designed to repeat.

The play has one prerequisite, and it is organizational rather than technical: someone must own the shared plane across the siloed programs — an architecture authority with the standing to tell five steering committees they are building one thing. Absent that owner, entropy wins and the enterprise buys five copies of 60% of the same capability. The Last Org Chart’s argument, at the program layer.

Where to start is, as ever, an empirical question about your own estate: which processes sit lowest on the maturity path and in the path of the nearest deadline. Two minutes with the Index below answers the first half; your regulatory calendar answers the second.

What leaders should do
Portfolio-view your regulatory calendar this quarter.

Run the collision planner across the next 24 months of mandates; put the break-even mandate number on the steering-committee slide.

Appoint the architecture authority across programs.

One owner with standing to tell five steering committees they are building one thing — and the three design-review questions to ask each of them.

Deliver every mandate on its own clock.

Installments, not cathedrals: the shared plane accumulates only if no deadline is ever held hostage to it.

Where does your operation sit?

The Lights Out Maturity Index: six questions, two minutes, no scales to interpret. Your anonymous result joins the inaugural Lights Out Finance Survey — the benchmark this publication reports on.

Take the Autonomy Readiness CheckTake the Maturity Index Browse all papers
Notes & references
BCBS 239 — the Basel Committee principles for risk-data aggregation and reporting; the origin of bank-grade data lineage.
DORA — the EU Digital Operational Resilience Act, in application since January 2025; operational-resilience obligations for financial entities.
EU AI Act — the EU’s AI regulation, phasing in through 2025–2027; logging, human-oversight, and transparency duties for high-risk systems.
MiCA — the EU Markets in Crypto-Assets regulation; authorization and conduct regime for crypto-asset service providers (transition ended July 1, 2026).
T+1 — one-day settlement, live in US markets since May 2024, with the UK and EU targeting October 2027.
E-invoicing mandates — the global wave of tax-authority-cleared invoicing (EU ViDA and national regimes), which machine-readable billing must satisfy.
Interactive models in this paper are the author’s analysis. Default values are illustrative; every input is exposed so you can calibrate with your own figures.
About the author
AB
Adil Bahir

Founder & Editor of Lights Out Finance. Big 4 partner in CFO Advisory & Finance Transformation with two decades across the Americas, EMEA, and APAC; DEng in AI (George Washington), MBA in Finance (Cornell), Master in Financial Engineering (Queen’s Smith); US CPA, CGMA, FRM, CQF, CTP, CDAA. Full profile →

Related papers