In the fintech sector, sustainable growth is the goal. While investment has gone up across the sector – Innovate Finance points to $24 billion across 2,597 deals during H1 2025, up six percent on H2 2024 – those investments are focused more on companies that have already proved their value and potential. In the BCG Global 2025 report, “sustainable growth will be the yardstick of success…”, compared to previous years, where explosive growth at all costs was the only goal.
Yet this focus on sustainability brings its own set of challenges. The Financial Conduct Authority’s Operational Resilience guidance came into force in March 2025, setting out how companies in this sector have to maintain their operations and keep running in the face of cyber attacks or availability problems. This set of rules covers security issues such as sensitive data being accessed, or the systems themselves being affected.
Whereas there was a seemingly endless pot of cash available to support development, today those expenses are being scrutinised. This puts many teams in a
tough spot – they are in a market where there are strict regulations to follow around data security, privacy and retention, even if they are not subject to the exceedingly stringent rules that banks have to follow. And with that data stored, processed, and
governed across global cloud environments, the actual infrastructure is out of their hands too.
Areas like encryption, backups, audit logs, and data residency can’t be ignored. But they can also be a significant cost that fintech teams need to understand as part of their cost of doing business. At the same time, that data is essential for future development – according to the World Economic Forum’s Future of Global Fintech 2025 report, 80 percent of fintechs are implementing AI across their organisations. These projects are potentially game-changing for the business in terms of cost to serve customers, but they also increase the potential cost of managing more and more data in a secure and compliant fashion.
For fintech teams, running in the cloud and achieving compliance is a hidden cost that can quickly spiral out of control. The first step to solving this
problem is to know the scale of the issue, so that it is then easier to justify the solution.
How big is this issue?
Compliance involves keeping customer data secure. To meet this, you will need to implement techniques like encryption around customer data, as well as other
security measures to protect that data and prove that you are meeting your requirements.
However, each of these techniques has a cost. Encryption at rest will protect your customer data, but it also needs a key management system (KMS) to manage the keys and record every use of them over time. Similarly, audit logs will provide a record of all transactions and application calls that take place, but those logs have to exist and be stored somewhere. That requires a centralised data store that will host those logs over time, as well as the ingestion, storage, and retention for that data. Essentials like data backups have to be stored in multiple locations, while recovery plans have to change with your organisation as it grows. For fintech companies in payments, PCI DSS 4.0 has even stricter requirements around encryption of cardholder data, detailed logging, real-time monitoring, and robust backup and recovery.
In the cloud, every action has a cost. The cloud services that support your compliance actions are often the same ones that erode cost efficiency.
For example, the cost to store one terabyte of audit logs for a year is more than $25,000 using AWS CloudTrail and S3 Glacier. Each application will have its own log data that it produces, and that data has to be stored for at least a year; under Sarbanes-Oxley, corporations in the US have to retain data for more than seven years, while the Basel Framework has a similar requirement. That figure also doesn’t include the cost of carrying out any actions around that data, such as running queries. For every application or service that you have in place, that cost of compliance goes up.
On top of this, you also have to consider data residency rules. Under the European Union’s General Data Protection Regulation, customer data must be located on instances within the EU. This reduces the number of potential locations that you can use to ones that are potentially more expensive.
Taking the right approach
The cost of compliance is therefore real and potentially painful. Many teams have underestimated how much it would cost to manage this infrastructure. Yet
it is necessary for the business to operate and serve customers in the first place. The biggest challenge and source of cost is storage.
Storage covers where data is located, but it also involves how it is managed, encrypted, backed up, and retained for years. It should be no surprise that
database deployments are therefore subject to the strictest conditions and regulations, as they hold sensitive information and have to be always available, always secure, and always compliant. But they’re also among the least flexible parts of your architecture.
At this point, you have two choices: do you go into the detail around how these processes work, or do you rely on your cloud provider’s approach? The first
option involves more detail and planning, but it also frees up your choices to make decisions and save on costs. The second option means staying with that more expensive approach. While the cloud provider’s tools are fast to get running, you do get charged
for every action that takes place and the bill can grow exponentially alongside your success and growth. Rather than sustaining growth, it can quickly make your expansion unprofitable.
The alternative option is to look at open source databases and implement your own processes around encryption, backup and security. This does require more
planning to achieve. However, that transparency around encryption, where backups are stored, what logging tools are used, and how long you retain your logs ensures that you are familiar with how much it costs to deliver compliance. This can make it more cost-effective,
as you can decide how to implement those requirements to suit your own organisation, rather than following what your chosen cloud provider already has in place.
The biggest opportunity is, however, based on how and where you run those workloads. This kind of infrastructure decision might seem to be a small one, but
it can have a profound impact on how much it costs to run your overall operations, not just store data. Rather than relying on a public cloud database as a service, you can run on virtual machines or Kubernetes, in your own data centre or your preferred cloud,
or using a mix of different environments for resiliency.
Rather than relying on the cloud provider’s own tools to carry out necessary compliance operations like backups, you can automate those tasks using Kubernetes with database operators. Similarly, you can integrate your own choice of security and observability tools, as well as your own key management system for encryption. Using these tools avoids some of the additional per-action expense, adding up to a significant real-world saving over time. Likewise, sending data to low-cost object storage for long-term audit and archival saves a huge amount over using a regular cloud service.
This kind of setup also gives you real portability. If you need to change your deployment location to meet local data protection rules or meet sovereignty
requirements, you can implement your same approach and move with minimal friction and no data egress charges. Overall, your data is open for you to use and potentially profit from. What makes this approach effective is not just the use of open-source tools.
It is the decision to build around them intentionally. Compliance, security, and cost become outcomes you can manage, because the infrastructure is yours to shape.
You do not have to choose between staying compliant and staying lean. Saving on costs and achieving that sustainable growth model does require deliberate choices that increase transparency and reduce risk. Taking on responsibility for encryption, audit logging, and data locality is not just about the approach to implementation – it shapes your entire compliance strategy and how much it costs to deliver that approach. This fits with the whole ethos of companies that are successful in the fintech sector: disrupting markets while still delivering compliance and growth in a sustainable manner.