The four realistic alternatives — and where each one actually wins
You're not really choosing between RegAlign and "nothing". You're choosing between RegAlign, the spreadsheets you have, a generic GRC platform, a compliance consultant, or building it yourselves. This page tells you when each of those is the right answer — including the cases where it isn't us.
Built for: Jersey-regulated firms (TCB, fund admin, NRFSB, banking) running a Compliance Monitoring Programme under JFSC Codes of Practice.
| What buyers actually compare | RegAlign Jersey-CMP-native | Spreadsheets + SharePoint Status quo | Generic GRC platform Archer / LogicGate / Diligent | Compliance consultant Interim CCO / advisory | In-house build Engineer it yourself |
|---|---|---|---|---|---|
Time to first regulator-pack export How long until a CCO can hand a regulator a reproducible pack with its own integrity hash. | Days — built into the pilot week-one deliverable. | Weeks of manual collation per request; no integrity hash. | 3–9 months of implementation before first usable export. | As long as the engagement runs; rebuilt each time staff change. | Quarters to ship MVP; usually deprioritised after launch. |
Reproducible sampling Same input, same sample, every time — so a regulator (or your QA) can re-run it. | Seeded sampler with the seed and population stored on the test run. | Excel RAND() is non-deterministic; no audit trail of the draw. | Most platforms sample but don't expose the seed for replay. | Depends on the individual — usually documented, rarely reproducible. | Buildable, but rarely on the v1 roadmap. |
Evidence with integrity receipts Hash-chained evidence so 'this file existed unchanged on this date' is provable to a regulator. | SHA-256 hash on upload; hash-chain verified at /verify. | SharePoint version history is mutable by admins. | Some offer immutable storage; integrity hash rarely publicly verifiable. | Evidence lives in shared drives — same mutability problem. | Buildable; almost never built in v1. |
Jersey-specific obligation library JFSC Codes, MLO/POCJL, NRFSB — pre-mapped, not a generic ISO/NIST template. | 908 obligations tracked across JE/GG/IM/GB with version history. | Whatever the firm built; maintenance is a person's side job. | Built for US SOX / EU GDPR; Jersey content is BYO. | Strong on JE expertise; perishable when they leave. | Re-creating the library is the bulk of the work. |
Cost predictability (year 1 → year 2) What you'll pay next year, written into the contract today. | Written year-2 price + reference-price-protection clause in the pilot MSA. | Cheap on licence, opaque on people-time. | List-price gaming, seat creep, mandatory professional services. | Day-rate inflation; scope-creep is the business model. | TCO usually 3–5× the original estimate by year 2. |
Survives a key person leaving Does the programme keep working when the CCO/MLRO changes? | Methodology is installed, not memorised. New CCO inherits the loop. | The CCO's brain IS the system. | Configuration survives; the institutional logic often doesn't. | Departure resets the relationship. | Maintainer-dependent; bus-factor of one. |
Board-pack output Quarterly board pack ready to present, in your branding, without re-keying. | Generated from live data; cover, exec summary, evidence appendix. | Hand-built each quarter; quality varies by who's free. | Dashboards exist; board-ready PDF usually means consulting hours. | Will produce the pack — until you stop paying. | Rarely makes the v1 cut. |
When the alternative is the right answer We're being honest about where to NOT pick us. | If you're a tier-1 bank with a 50-person assurance team — overkill. | Single-licensee, no regulator-pack expectation, founder-CCO. | Multi-jurisdiction global firm needing IRM / vendor-risk / IT-GRC in one. | You need a remediation programme, not a system. | You already have a 5+ engineer regtech team and a 3-year mandate. |
Days — built into the pilot week-one deliverable.
Weeks of manual collation per request; no integrity hash.
3–9 months of implementation before first usable export.
As long as the engagement runs; rebuilt each time staff change.
Quarters to ship MVP; usually deprioritised after launch.
Seeded sampler with the seed and population stored on the test run.
Excel RAND() is non-deterministic; no audit trail of the draw.
Most platforms sample but don't expose the seed for replay.
Depends on the individual — usually documented, rarely reproducible.
Buildable, but rarely on the v1 roadmap.
SHA-256 hash on upload; hash-chain verified at /verify.
SharePoint version history is mutable by admins.
Some offer immutable storage; integrity hash rarely publicly verifiable.
Evidence lives in shared drives — same mutability problem.
Buildable; almost never built in v1.
908 obligations tracked across JE/GG/IM/GB with version history.
Whatever the firm built; maintenance is a person's side job.
Built for US SOX / EU GDPR; Jersey content is BYO.
Strong on JE expertise; perishable when they leave.
Re-creating the library is the bulk of the work.
Written year-2 price + reference-price-protection clause in the pilot MSA.
Cheap on licence, opaque on people-time.
List-price gaming, seat creep, mandatory professional services.
Day-rate inflation; scope-creep is the business model.
TCO usually 3–5× the original estimate by year 2.
Methodology is installed, not memorised. New CCO inherits the loop.
The CCO's brain IS the system.
Configuration survives; the institutional logic often doesn't.
Departure resets the relationship.
Maintainer-dependent; bus-factor of one.
Generated from live data; cover, exec summary, evidence appendix.
Hand-built each quarter; quality varies by who's free.
Dashboards exist; board-ready PDF usually means consulting hours.
Will produce the pack — until you stop paying.
Rarely makes the v1 cut.
If you're a tier-1 bank with a 50-person assurance team — overkill.
Single-licensee, no regulator-pack expectation, founder-CCO.
Multi-jurisdiction global firm needing IRM / vendor-risk / IT-GRC in one.
You need a remediation programme, not a system.
You already have a 5+ engineer regtech team and a 3-year mandate.
Two things buyers always ask at this point
"You're a new entrant — what about continuity?"
Fair. Three things in the pilot pack address it: a source-escrow clause, a documented data-export format your next vendor can ingest, and an RTO/RPO of 24 h / 1 h with the BCP outline published. See trust centre and security roadmap.
"How do we know you'll still be here in year 3?"
Honest answer: we're pilot-stage. The pilot MSA includes a written year-2 price and a reference-price-protection clause so the engagement never becomes your future anchor. Founder economics are published so you can see the runway maths yourself.
Still the right fit?
Apply for the 90-day pilot — or read the methodology first.
Last reviewed June 2026 · We update this page when the alternatives change, not when our marketing does.