top of page
Stephen-Taylor-Advisory-logo
Book a Consultation

Build, Buy, or Partner: The Framework Regulated SaaS Companies Actually Need

  • Writer: Stephen Taylor
    Stephen Taylor
  • May 20
  • 5 min read

By Stephen Taylor  ·  Stephen Taylor Advisory  ·  Product Strategy

 

Every regulated SaaS company faces this decision at some point. Usually more than once.

Build the capability internally. Acquire a company or technology that has it. Form a partnership or reseller arrangement. All three paths are defensible in the right circumstances. All three are expensive in the wrong ones.



What I have observed, having led three technology acquisitions across two organizations and lived through the integration consequences of each, is that the decision almost never fails for technical reasons. It fails because the organization asked the wrong question first.

The wrong question is: “should we build this or buy it?”


The right question is: “what is our fastest path to a capability that is defensible in our regulated environment and what is the real cost of each route to get there?”


The build vs buy decision is not primarily a technology decision. It is a time, capability, and governance decision that happens to involve technology.


Why the Standard Framework Breaks Down in Regulated Environments

The traditional build vs buy framework weighs factors like cost, time to market, customization, and vendor dependency. These are all relevant. But in regulated environments, they are incomplete.

Two additional constraints change the calculus significantly.


Regulatory defensibility.

Whatever you build or buy, you own the regulatory outcome. A vendor’s technology deployed in your platform is your technology in the eyes of an examiner. The FCA, FinCEN, or FINRA does not accept “the vendor was responsible” as an answer to a compliance question about your product. This means the buy decision carries a validation and governance burden that the standard framework does not price in. Before acquiring or licensing a capability in a regulated context, you need to understand not just whether it works, but whether you can explain how it works to an examiner who is looking for a reason to be concerned.


Integration as a product decision, not a technical one.

In regulated SaaS, integration is not a post-acquisition IT project. It is a product decision with direct commercial and compliance consequences. The clients using your platform before the acquisition signed contracts against a specific set of capabilities, behaviors, and data flows. Changing those, which integration almost always requires, has contractual, regulatory, and relationship implications that the deal team rarely prices in fully. The most expensive acquisitions I have seen were not expensive because of the price paid. They were expensive because the integration work disrupted existing clients in ways that took eighteen months to stabilize.


Five Criteria That Actually Matter in Regulated Environments

Before committing to any of the three paths, these five questions should have clear, honest answers:


  1. How long until this capability is defensible, not just functional? A capability is functional when it works. It is defensible when you can explain how it works, who is accountable for it, and what happens when it does not work to a regulator, a client, and a board. The timeline to defensible is almost always longer than the timeline to functional. For an acquisition, defensibility includes completing your own validation of the acquired technology, not just accepting the vendor’s documentation. For an internal build, it includes the governance infrastructure around the capability, not just the capability itself.

  2. What is the real total cost of ownership? For a build, this includes not just development but the ongoing maintenance burden, the institutional knowledge risk if key engineers leave, and the compliance overhead of owning the capability entirely. For a buy, this includes integration costs, client migration costs, the cost of any capability gaps between what was acquired and what is needed, and the regulatory validation cost. For a partnership, this includes the dependency risk if the partner changes their product direction, pricing, or exits the market.

  3. Does the capability need to be differentiated, or just sufficient? Not every capability needs to be a competitive advantage. Some capabilities are table stakes, necessary to operate but not a source of differentiation. For table stakes capabilities, buying or partnering is almost always faster and cheaper than building. The mistake is treating every build vs buy decision as a question of competitive differentiation when the real question is simply: do we need to own this, or do we need to have it?

  4. What is the integration risk to existing clients? In regulated environments, existing clients have regulatory obligations of their own. A change to your product that affects their compliance posture, their data flows, or their audit trail requires advance notice, sometimes contractually mandated. This is not an IT consideration. It is a product and commercial one that should be part of the build vs buy analysis before the decision is made, not a discovery during implementation.

  5. Who will own the outcome when something goes wrong? Every technology eventually has a failure mode. Before committing to any path, the organization should have a clear answer to who owns the outcome when the capability fails, produces an incorrect result, or attracts regulatory scrutiny. For a built capability, that answer is internal. For an acquired capability, it depends on how thoroughly it has been validated and integrated. For a partnership, the answer may be ambiguous and ambiguous accountability in a regulated environment is a systemic risk.


The best build vs buy decision is not the one that looks best in the business case. It is the one your team can execute, your clients can absorb, and your regulator can understand.


The Question Nobody Asks Before the Deal Closes

In all three of the acquisitions I have been closest to, there was a question that did not get asked clearly enough before the deal closed. Not a financial question or a technical one. This one:

“What does the acquired capability assume about the environment it will operate in and does our environment match those assumptions?”


Every technology is built against a set of assumptions about data quality, infrastructure, user behavior, and regulatory context. When those assumptions do not match the acquiring organization’s reality, the integration work is not just technical. It is a product rebuild. And product rebuilds under the time pressure of a completed acquisition, with existing clients watching, are among the most expensive situations a product organization can find itself in.


The answer to the build vs buy question is never the answer to the integration question. Asking both, in that order, before the decision is made, is the difference between a strategic capability and an eighteen-month distraction.

 

The Decision That Looks Wrong on Paper

One of the most strategically valuable acquisitions I have witnessed looked wrong by every standard financial metric at the point of decision. The technology was early stage, the integration path was unclear, and the addressable market was not yet proven.


What it had was a capability that would take three to four years to build internally, in a regulatory context where being first mattered, and a team that understood both the technology and the compliance environment it needed to operate in.


Three years later, it had opened a new market vertical, contributed directly to a FedRAMP High Authorization process, and generated commercial outcomes that no internal build program could have achieved in the same timeframe.


The framework that got there was not sophisticated. It was honest about time, capability gaps, and regulatory defensibility and it asked the integration question before the deal closed, not after.

 

Facing a build, buy, or partner decision in a regulated market?


This is exactly the kind of strategic question the advisory practice at Stephen Taylor Advisory is built for. A 30-minute conversation costs nothing — and it tends to clarify the real question faster than any internal debate.


Book a scoping conversation →  stephentayloradvisory.com

 
 
 

Comments

bottom of page