London's compliance economy runs on deadlines. The FCA's Consumer Duty regime is now fully in force [Complyport]. The EU's Digital Operational Resilience Act (DORA) hit financial firms in January. NIS2 is reshaping cybersecurity obligations across the bloc. Somewhere in that thicket of acronyms, Complyport Limited has spent 24 years building a book of business that now spans more than 1,000 financial services firms [Complyport].
The London-based consultancy, founded in 2001, is not a venture-funded upstart. It is something rarer in the fintech press cycle: a profitable specialist that has quietly become one of the UK's larger independent compliance shops, and is now trying to bolt a software product onto a services business. That product, COMPDEFAI, is pitched as a governance, risk and compliance platform aimed squarely at firms scrambling to meet NIS2 and DORA obligations [Complyport].
The bet
Complyport's wedge is regulatory authorization. The firm says it has helped more than 1,000 firms become authorised with the FCA and EU regulators, and provides ongoing regulatory support to over 600 regulated firms globally [Complyport]. That is a deep installed base for cross-sell. AML audits, regulatory reporting, financial crime forensics, ESG support, Consumer Duty advisory, s166 skilled person reviews: the catalog reads like a checklist of every line item a mid-market asset manager or payments firm has to staff for or outsource [Complyport].
The team backing it numbers more than 75 multidisciplinary consultants and advisors [Complyport]. Leadership leans heavily on alumni of the regulator itself. James Borley, who runs the Payment Services and Digital Assets practice, spent 23 years inside the UK financial services regulator before joining [Complyport; LinkedIn]. Martin Schofield was appointed in November 2021 to lead the Financial Crime and Forensics Division [Complyport, 2021]. The pitch to clients is straightforward: the people writing your supervisory letter used to write supervisory letters for a living.
Why it could be big
The market is moving Complyport's way. DORA went live in January 2025 with extraterritorial reach, pulling in any firm that touches an EU financial entity's ICT supply chain. NIS2 widens the cybersecurity perimeter to thousands of additional mid-market companies. The FCA's Consumer Duty has forced UK firms to re-document product governance, pricing, and the entire customer journey [Complyport]. Each of those regimes generates recurring work: gap analyses, policy drafting, board reporting, third-party risk assessments, incident response playbooks.
For a consultancy with 600-plus retainer relationships, that is a structural tailwind. The interesting move is COMPDEFAI, which Complyport positions as the productized layer for NIS2 and DORA compliance [Complyport]. If even a fraction of the existing client base adopts a software seat alongside the advisory hours, the revenue mix starts to look less like a partnership and more like a recurring-revenue business. That is the arithmetic that makes compliance services interesting to growth investors, and it is the same arithmetic that has driven RegTech valuations across Europe.
The team and traction
| Metric | Disclosed figure |
|---|---|
| Firms served (lifetime) | 1,000+ [Complyport] |
| FCA/EU authorizations assisted | 1,000+ [Complyport] |
| Firms on ongoing regulatory support | 600+ [Complyport] |
| Multidisciplinary consultants | 75+ [Complyport] |
| Year founded | 2001 [Complyport] |
Complyport's executive bench combines former regulators, industry practitioners, and legally qualified individuals [Complyport]. Borley's 23 years at the UK regulator give the payments and digital assets practice unusually direct lineage into how supervisors actually think [Complyport; LinkedIn]. Schofield's financial crime division, stood up in late 2021, lines up with a period in which the FCA has visibly escalated AML enforcement against payments firms and crypto registrants [Complyport, 2021]. The firm's competitor set, per market positioning, includes Bovill, the regulatory consultancy acquired by Ocorian in 2023, and Kroll, the global risk and advisory group. Both are larger. Neither is a pure-play UK independent in the way Complyport remains.
The honest counterfactual
What bears say: compliance consulting is a high-touch, partner-led business that historically resists software margins. Bovill and Kroll bring scale and global brand. A 75-consultant independent competing on the same RFPs faces real pricing pressure, and a self-built GRC platform must contend with established RegTech vendors that already sit inside the IT stacks of large banks.
What bulls answer: Complyport is not chasing tier-one banks. Its 1,000-firm base skews toward mid-market asset managers, wealth firms, payments institutions, and crypto-asset businesses [Complyport], a segment that is underserved by enterprise GRC suites and over-served by generalist consultancies. A platform tuned to NIS2 and DORA workflows, sold into an existing retainer base, does not need to win Goldman Sachs to be a meaningful business. The question is attach rate, not addressable market.
What to watch
The next twelve months should clarify whether COMPDEFAI is a real product line or a marketing wrapper around services. Watch for named platform customers, a published pricing model, and any disclosure of recurring software revenue as a share of group turnover. Watch the headcount mix between consultants and engineers. Watch whether the firm raises outside capital for the first time in its history; a growth round would be the clearest signal that management sees a software-led path rather than a partnership-led one. And watch the EU enforcement docket: every DORA fine and NIS2 incident report is, in effect, a sales lead for someone in this category.
The question for readers: in a regulatory environment where the rulebook keeps thickening, does the next decade of compliance spend flow to the consultancies that hire ex-regulators, the software vendors that automate the workflow, or the hybrids that try to do both at once?