Build or Buy? The LLM Decision Your Compliance Team Needs to Own

July 10, 2026by Robert Cruz

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing [email protected].

For financial services firms with multi-jurisdictional obligations, choosing whether to build a proprietary LLM for communications surveillance — or buy from a specialist vendor — is not just a technology decision. It is a compliance architecture decision with direct consequences for regulatory exposure, litigation risk, and operational resilience.

Generative AI is prompting more financial services firms to ask whether they should build their own large language model (LLM) for communications surveillance or buy a purpose-built solution. While the appeal of greater customization and control is understandable, the decision carries significant regulatory, operational, and financial implications. For firms operating across multiple jurisdictions, it's not simply a technology investment. It's a decision that shapes how risk is managed, supervised, and defended.

Key takeaways

  • Model accountability under examination. Regulators, including FINRA (Rule 3110) and the FCA under its Consumer Duty framework, expect firms to demonstrate that surveillance systems are reasonably designed, explainable, and auditable. Proprietary LLMs place the entire burden of defending model logic during examinations or litigation directly on compliance and legal teams, without a vendor's compliance documentation to rely on.

  • Regulatory obligations of model outputs. As highlighted in the Eason Report on discoverability of AI outputs, AI-generated records are increasingly subject to retention and production obligations under SEC Rule 17a-4 and FINRA Rule 4511. Firms building their own models must determine in advance whether model outputs, training logs, and fine-tuning decisions are themselves discoverable records.

  • Cross-border data governance. Training an LLM on employee communications across the US, EU, and UK simultaneously implicates GDPR, the EU AI Act's high-risk classification requirements, and SEC/FINRA books-and-records rules. Compliance teams must proactively assess data privacy and consent obligations in each jurisdiction before a model enters development.

Three reasons firms choose to build

For large, complex institutions, there are several reasons to pursue proprietary LLM development for communications surveillance — and they deserve honest acknowledgment before the risks are weighed.

1. Customization to firm-specific risk typologies

No commercial surveillance vendor's model is trained on your firm's specific communication patterns, trading strategies, or employee language. A proprietary LLM can be fine-tuned on years of labeled internal communications data, potentially producing materially higher detection rates for firm-specific misconduct patterns. This includes spoofing language endemic to a specific desk or obfuscation tactics unique to a product line. Industry research, such as Gartner's "5 critical failure points sabotaging GenAI success," consistently shows that domain-specific models outperform general-purpose models on narrow, well-defined tasks when sufficient quality training data exists.

2. Data sovereignty and confidentiality control

Under GDPR Article 5 and equivalent data minimization principles across multiple jurisdictions, there is regulatory and strategic value in keeping sensitive employee communications data within the firm's own infrastructure. Proprietary models eliminate the contractual and governance complexity of managing what a vendor does with client data, how data residency obligations across the EU, US, and UK are satisfied, and whether vendor training practices comply with applicable privacy law.

3. Speed to adapt as regulation evolves

Firms with deep in-house AI capabilities can adapt their surveillance posture faster than those dependent on vendor release cycles. When regulators issue new guidance, such as FINRA Regulatory Notice 24-09's emphasis on tailored keyword searches or the FINRA 2025 Annual Regulatory Oversight Report's findings on inadequate electronic communications supervision, proprietary model owners can update detection logic immediately rather than waiting for a vendor's next software release.

Take action

See how AI-enhanced communications surveillance helps compliance teams reduce false positives, uncover meaningful risks faster, and stay ready for regulatory scrutiny.

Talk to Smarsh sales here.

Five risks of building your own surveillance LLM

The disadvantages of building proprietary LLMs for multi-jurisdictional communications surveillance are substantial. The industry's early GenAI track record — with reported failure rates ranging from 50 to 95 percent — suggests firms should approach this path with significant caution.

1. Model risk and explainability obligations

Under the Federal Reserve's SR 11-7 guidance on model risk management, and under EU AI Act Articles 9–17, which classify communications surveillance tools as high-risk AI systems subject to mandatory conformity assessments, logging, and human oversight requirements, firms bear full accountability for validating, documenting, and explaining their models' outputs. A proprietary LLM places the entire model validation burden squarely on the firm's compliance and technology teams. When a regulator asks how a system flagged one communication and missed another, the firm building its own model must answer that question alone.

2. Cost escalation at scale is frequently underestimated

Research from Gartner and others indicates that the most common cause of GenAI project failure is the discovery that costs blow up at scale. Processing millions of communications daily across multiple languages, modalities — voice, text, chat, video — and jurisdictions requires not just initial model development but continuous retraining as communication patterns evolve, ongoing infrastructure investment, and a dedicated team of ML engineers and compliance data scientists. For most firms outside the largest global banks, this investment profile is difficult to justify against purpose-built surveillance solutions with equivalent capabilities already embedded.

3. Multi-jurisdictional data privacy compliance during training

Training an LLM on employee communications data implicates GDPR Article 6 lawful basis requirements for EU employees, UK GDPR equivalents post-Brexit, and various US state privacy laws. The EU AI Act's Article 10 imposes additional data quality and documentation obligations on training datasets used in high-risk AI systems. Satisfying these obligations simultaneously across jurisdictions, while retaining enough high-quality labeled data to produce a performant model, is a governance challenge that most firms have not fully scoped before committing to a build path.

4. Operational fragility and key-person dependency

A proprietary surveillance LLM creates internal concentration risk: if the small team that built and maintains the model departs, or if the underlying foundation model is deprecated by its provider, the firm's entire surveillance capability may be at risk. FINRA's 2025 Annual Regulatory Oversight Report calls out inadequate third-party vendor supervision as an area of concern, but the equivalent failure mode for an in-house model is inadequate internal maintenance. Firms have been cited for surveillance gaps resulting from exactly this kind of operational fragility.

5. A shifting regulatory environment that demands architectural agility

The EU AI Act's high-risk requirements, the SEC's focus on AI disclosure, FINRA's evolving guidance on electronic communications supervision, and the FCA's Consumer Duty obligations are each moving on separate timelines. A proprietary LLM built to satisfy today's regulatory environment may require fundamental architectural changes, not just parameter updates, to remain compliant as these frameworks mature. Vendors whose business model depends on regulatory compliance can absorb this adaptation cost. A firm's internal team typically cannot.

Tip

Many firms find that fine-tuning a purpose-built surveillance platform offers greater flexibility while reducing operational complexity and governance overhead.

Five questions to frame your decision

Before committing to either path, compliance and technology leadership should be able to answer the following with evidence, not assumption:

  1. Do you have sufficient data depth? Does the firm generate enough high-quality, labeled communications data across all relevant languages and channels to train a materially better model than what is commercially available? Without this foundation, the customization argument largely collapses.
  2. Have you modeled total cost of ownership — fully loaded? Has the firm rigorously calculated the five-year cost of model development, validation, retraining, infrastructure, talent retention, and governance overhead against the cost of a purpose-built vendor solution? And has it considered more than just the initial build cost?
  3. Can you demonstrate regulatory defensibility? Can the firm credibly show, in a regulatory examination, that its proprietary model satisfies explainability, human oversight, and audit trail requirements under FINRA Rule 3110, EU AI Act Article 14, and equivalent FCA obligations? Is there a written model risk management framework aligned with SR 11-7 to support that defense?
  4. Is your data governance posture ready? Has legal confirmed that training the model on communications data is consistent with GDPR Article 6 lawful bases, EU AI Act Article 10 data governance requirements, and applicable US data privacy laws across all jurisdictions in which the firm operates?
  5. Have you explored hybrid alternatives? Has the firm fully evaluated approaches such as fine-tuning a commercially available foundation model on firm-specific data or deploying a vendor's surveillance platform with a firm-specific model layer? These options may capture the benefits of customization without the full operational and regulatory burden of a truly proprietary build.

The bottom line

Choosing whether to build or buy an LLM for communications surveillance ultimately comes down to more than technical capability. Firms should weigh regulatory accountability, long-term operating costs, governance requirements, and the resources needed to maintain a defensible surveillance program over time.

Before committing to either approach, compliance, legal, and technology leaders should complete a formal build-versus-buy assessment that evaluates regulatory obligations, total cost of ownership, and operational readiness. The right decision is the one that aligns with your firm's risk profile, compliance objectives, and long-term strategy — not simply its AI ambitions.

Frequently asked questions

Share this post!

Robert Cruz
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Contact Us

Tell us about yourself, and we’ll be in touch right away.

icon-angle icon-bars icon-times