Most compliance technology is sold as SaaS. The vendor hosts the data, runs the monitoring, and delivers results through an API or dashboard. This works for fintechs and smaller banks, but it hits a wall with Tier-1 institutions.
The wall is data sovereignty. Large banks, especially in Europe, are increasingly unwilling to send transaction data to a third-party cloud. GDPR, DORA, and internal risk policies create genuine constraints. When the data is the most sensitive information in the institution, "trust us, it's encrypted" isn't enough for the CISO or the board.
ZQUAS starts from a different premise. The engine deploys on-premise, inside the bank's own infrastructure. The bank's data never leaves. This isn't just a deployment option. It's an architectural principle that shapes the entire business model.
Phase 1: Land
The initial sale is a single-bank deployment. The bank runs ZQUAS on its own hardware (or private cloud). The engine processes the bank's transactions against its policy set. The bank gets real-time monitoring with full graph context, deterministic policy enforcement, and cryptographic attestation of every decision.
This is a pure compliance infrastructure sale. The value proposition is concrete: better detection, fewer false positives, real-time processing, and an audit trail that the regulator can independently verify.
Pricing is annual licensing, tiered by transaction volume and policy complexity. Enterprise compliance budgets are large, non-discretionary, and growing. Banks don't cut AML spending. They increase it, especially after regulatory actions in their sector.
The sales cycle for a Tier-1 bank is typically 12-18 months. For mid-market banks and fintechs, 3-6 months. Regulator traction (DNB, FCA sandbox engagement) shortens the cycle because it addresses the buyer's primary concern: "will my regulator accept this?"
The land phase establishes revenue, proves the technology in production, and generates the case studies and regulatory validation needed for expansion.
Phase 2: Expand
Once a bank is running ZQUAS, expansion happens along two dimensions.
Internal expansion: more business lines, more transaction types, more policy domains. A bank that starts with payment transaction monitoring for commercial accounts can expand to retail accounts, trade finance, correspondent banking, and sanctions screening. Each expansion is an upsell within an existing relationship.
Cross-institutional expansion: when two or more banks run ZQUAS, MPC-based cross-institutional detection can activate between them. This is where the architecture pays off. Because each bank retains full data sovereignty and the risk comparison happens cryptographically, there's no data-sharing agreement needed, no central processor, and no GDPR exposure.
The MPC capability turns a single-bank compliance tool into a multi-bank detection network. And the activation is incremental. It doesn't require all five banks in a consortium to agree simultaneously. Two banks running ZQUAS can start MPC detection between them. When a third joins, the network gets better for all three. The value increases with each node.
Phase 3: Network
Here's where the economics become interesting. In a traditional SaaS compliance model, the value per customer is roughly flat. Each bank gets the same software, and there's no relationship between one bank's deployment and another's effectiveness.
In a network model, each new node increases detection capability for all existing nodes. A money laundering network that touches Bank A and Bank B is visible to both once both are on the network. Add Bank C, and patterns involving all three become detectable. The marginal detection value of each new node increases because the number of cross-bank patterns that become visible grows combinatorially.
This creates a genuine network effect, which is rare in enterprise software. The network effect is also hard for competitors to replicate because it requires the MPC architecture. A SaaS competitor would need all the banks to send data to a central platform, which is the model that failed for privacy reasons. You can't get the network effect without the privacy-preserving architecture, and you can't build the privacy-preserving architecture in a year.
Revenue Dynamics
The revenue model has three layers.
Base licensing: annual fee per bank, scaled by volume. This is predictable, recurring revenue with strong retention (banks don't switch compliance systems voluntarily, especially once the cryptographic audit chain is established).
Expansion revenue: additional business lines and policy domains within existing banks. This is net revenue retention above 100%, driven by the bank's own internal growth and regulatory pressure to expand monitoring coverage.
Network revenue: a premium for MPC cross-institutional capability, charged when two or more institutions activate shared detection. This revenue only exists once the network reaches critical mass, but it creates margin expansion because the marginal cost of adding a node to the MPC network is low.
The combination of high retention, internal expansion, and network premium creates a revenue profile that accelerates over time. Year 1 is dominated by base licensing. Year 2-3 adds expansion. Year 3+ adds network revenue as the installed base grows.
Why This Matters for Investors
Most enterprise compliance startups compete on features and price within an established architecture. They win a few customers, hit a growth ceiling when they run out of early adopters, and either get acquired or stall.
The network model changes the growth trajectory. The product gets better with each customer, which reduces the cost of acquiring the next one. The switching cost compounds with the cryptographic audit chain. And the MPC capability creates a structural barrier that SaaS competitors can't match.
If the land phase works (prove the technology at 2-3 banks), the expand phase follows naturally from internal bank dynamics. And the network phase, once critical mass is reached, creates a flywheel that's extremely hard to disrupt.
The critical risk is the land phase. Getting the first 2-3 banks through procurement is the hardest step. Regulatory sandbox engagement (DNB, FCA) is designed specifically to de-risk this phase by providing third-party validation that compliance buyers require.