← Portal
CrossVal
M/HQ Group · Stage 1 Tech Strategy

Future-State Technology Strategy and Operating Model

An owned data core, an automated ingestion layer, and swappable specialist tools, with the operating model for steady state

Deliverable two of three
M/HQ · Rethink · RAA
Prepared by CrossVal · June 2026
Confidential

1Executive summary

Deliverable 1 established the current state and the gaps. It found a Group that has scaled faster than its systems have integrated, with a capable but dated core, no automated integration between platforms, and data captured and moved by hand. It named one root cause beneath the three success criteria, accuracy, governance and scalability, and it was not the absence of a capable system. It was how data gets in and how it moves.

This deliverable sets the design that answers that. The design principle is simple and it follows directly from that finding: the answer to a data problem is to own the data, not to buy another application to hold it. The Group's single source of truth becomes a data layer the Group controls, the golden record and the single client and entity identifier, fed by an automated ingestion layer that fixes capture at the point of entry, with the applications around it kept as specialist, swappable tools. It is a data-centric architecture: systems and data first, with AI as the layer that gets data in and drafts documents on top.

  • Own the record. The source of truth is a data layer the Group owns, not a platform a vendor delivers. This is the golden record the gap report said the Group lacked, put where it belongs.
  • Automate the input. An ingestion layer, automated intake, extraction and validation, closes the capture problem the gap report identified as the root cause. This is the part no platform migration was ever going to solve on its own.
  • Keep the applications swappable. Finance, screening, audit and statutory filing sit around the record as specialists, connected by a governed integration layer. None is load-bearing, and any can be replaced without touching the record.
  • AI is the layer, not the strategy. Claude and Co-pilot do the extraction at the input boundary and the document drafting on top, governed and human-reviewed, not the architecture itself.
A direction change, flagged openly

The engagement began with the working assumption that the Group would migrate to Quantios as the system of record. On the evidence gathered during discovery and vendor due diligence, this deliverable recommends a different direction: the record is owned data, and a trust-and-corporate-services platform is no longer the core. This departs from the Deliverable 2 acceptance criterion of alignment with the Quantios deployment programme, and is put to the Group Systems lead and the sponsor for an explicit decision. The reasons are set out in Section 7.

The headline recommendation. Build and operate an owned data core and ingestion layer, keep the specialist applications as swappable spokes chosen on integration and replaceability, and use AI at the input boundary and for drafting. This removes the single-vendor dependency that the platform route carried, puts the golden record under the Group's control, and lets the quick wins land without waiting on any one system to go live. The onboarding workstream, the top of the gap report's value-against-risk matrix, is the first proof of the design, not a special case.

AI layer (Claude and Co-pilot): extraction at the input boundary, drafting and summarisation on top, governed and human-reviewed. INPUTS Client documents Emails and forms Portal intake Ingestion extract · validate de-duplicate before it lands Owned data core single source of truth golden record · one client and entity ID FinanceXero (swappable) Screening / intakeKYC360 AuditInflo Statutory filingAEOI + ADGM/DIFC templates Corp sec / entityworkflows off the record The hub is data the Group owns, not an application a vendor controls. Every spoke is a swappable specialist connected by a governed integration. None is load-bearing, and any can be replaced without touching the record.
Target-state architecture. The centre is data the Group owns. The ingestion layer fixes capture at the point of entry, and the specialist applications sit around the record and can be changed out without disturbing it. Contrast with the current-state map in the gap report, where the same tools connected only through a person and a spreadsheet.

2How to read this report

2.1 What this deliverable covers

This is the second of the three Stage 1 deliverables set out in the proposal. It covers the future state: the target technology architecture, the to-be workflows for the priority workstreams, the data and automation strategy, the AI tools integration plan including Co-pilot and Claude, the capability evolution framework, and the operating model for steady state. It does not size the work or sequence the build, that is the transformation roadmap in Deliverable 3.

2.2 The system-of-record direction

The Group entered this engagement leaning toward migrating to Quantios as the system of record, and the earlier drafts of this design were built around it. Discovery and vendor due diligence changed the recommendation, and this deliverable reflects the changed view rather than the starting assumption. The full reasoning is in Section 7. In short, a platform migration would place the Group's operating reality inside a single vendor's delivery timeline against a hard Q4 2026 deadline, it would not by itself solve the capture problem that is the Group's largest source of manual work, and the one capability that most justified the platform, regulatory reporting, turned out to be jurisdiction-gated on precisely the two regimes the Group most needs. The design here keeps what a platform did well and removes the dependency the Group cannot control.

2.3 The closure-path ordering, carried forward

The gap report classified every gap by how it could be closed, in order from the lowest cost and risk to the highest: configure what exists, integrate what exists, remediate the data, and only then build. That ordering still governs. The difference in this design is that the one thing worth building, the owned data core and its ingestion layer, is the thing the first three paths cannot substitute for, because it is the Group's data, not an application.

TagClosure pathHow it is applied
CConfigurationNative capability of a specialist tool the Group keeps, such as Xero, KYC360 or Inflo, used before anything is built.
IIntegrationGoverned connections between the record and the spokes, so data moves without a person in the middle.
DData remediationStandardise, de-duplicate and resolve legacy data into the owned record, and enforce one identifier.
NNew capabilityThe owned data core and the ingestion layer. Assessed against the four paths in Section 7.
On the diagrams

The architecture and workflow diagrams are drafts for the Group Systems lead to review and approve. Because this deliverable revisits the system-of-record direction, that sign-off is also the point at which the Group confirms or amends the direction itself.

3Target technology architecture

The current-state map in the gap report showed every system connected through a manual Excel hub. The target state replaces that hub with data the Group owns. The record sits at the centre, data enters it through a single ingestion layer that fixes capture, and the specialist applications sit around it as swappable spokes. What changes is not mainly which tools are used, most are the ones the Group already runs, but where the source of truth lives.

3.1 The owned data core, the source of truth

A data layer the Group owns holds the golden record: one client, one entity, one filing, each existing once, under a single enforced identifier. This is the thing the gap report said the Group lacked, and it is the thing a platform migration would have placed inside a vendor's product. Owning it directly is what makes every other decision reversible: tools around it can change, but the record does not move. It is also what most directly serves the intercompany servicing model, where M/HQ onboards and Rethink or RAA service the same client, the model that multiplies duplication today.

3.2 The ingestion layer, how data gets in

This is the part of the design that answers the gap report's root cause. Automated intake, extraction and validation sit at the boundary, so that a document, a form or a portal submission is turned into structured, validated data before it reaches the record, rather than being keyed by hand and re-keyed across systems. It is the layer that stops the Group defaulting to Excel, because for the first time capture is a system function rather than a manual one. Fixing input is the highest-leverage move in the whole architecture, and it is deliberately independent of any one downstream system going live.

3.3 The specialist spokes, swappable, none load-bearing

Around the record sit the applications that do specialist work: Xero for accounting, KYC360 for screening and client intake, Inflo for audit execution, a statutory-filing capability, and corporate-secretarial workflow. Each connects to the record through a governed integration and each is chosen on two tests: does it expose a proper API, and can it be replaced without disturbing the record. Because the source of truth is owned, no spoke is load-bearing. The finance spoke is the clearest illustration of why this matters. The Group tested the new AI-enabled version of Xero and found the output quality wanting, so rather than depend on it, the design feeds Xero clean, prepared data from the ingestion layer. That reduces dependency on Xero's own AI to the point where it can be turned down to zero, or Xero itself swapped out, without touching the record.

3.4 Regulatory reporting without a platform dependency

Regulatory reporting was the strongest argument for a trust-and-corporate-services platform, so the design keeps the capability and removes the dependency. Two things carry it. Statutory filings for ADGM and DIFC, the annual returns and change filings the Group makes most often, are generated as templated documents off the owned entity data, which is a bounded, well-understood set of forms. AEOI (FATCA and CRS) runs on a single OECD schema that is the same across jurisdictions and is handled by a dedicated component, either a commodity provider or built to the schema. Neither depends on a platform holding the record.

3.5 The AI layer

Across the top sits the AI layer: Claude and Co-pilot, doing the extraction at the ingestion boundary and the document drafting on top of the record. It is drawn as a layer touching the architecture rather than a box inside it, because its role is to assist capture and drafting, not to be the system of record. Section 6 sets out the plan, and the framing throughout is the one the ops team asked for: systems and data first, AI as the layer.

4Data strategy: conversion, quality and automation

In this architecture the data strategy is not a supporting workstream, it is the centre. The gap report rated data quality the highest current-state risk and named manual, out-of-system capture as the root cause of duplicate entry and broken trails, alongside unstandardised legacy data. Bringing that data up to standard is therefore not a clean-up after the build, it is the build. This section sets out how existing data, wherever it currently sits, is converted into the owned record and lifted to a quality the architecture can rely on.

4.1 One identifier, one golden record, owned

A single client and entity identifier is enforced across the architecture, and the golden record lives in the owned data layer. This directly answers the finding that the same record is held in two or three systems with no single source of truth. Owning it rather than housing it in a platform is what keeps the Group's data portable and the surrounding tools replaceable.

4.2 Bringing existing data up to standard: the conversion pipeline

Every source the Group holds today feeds one pipeline into the owned record: ViewPoint's SQL back end, Xero, the shared drives, the Excel workbooks that currently act as glue, KYC360, and the documents held across the four digital stores and the physical file room. The pipeline runs in seven stages, and nothing reaches the golden record until it has passed through them.

One pipeline, seven stages. Nothing reaches the golden record until it has passed through them. Profilemeasure baseline Standardiseformats and naming Resolveone identifier Enrichfill the gaps Validaterules, exceptions Loadinto the record Governkeep it clean The first six are a one-time Stage 2 conversion. The seventh is the ongoing practice that keeps the uplift from decaying.
The data conversion pipeline. All existing data, from every source, is standardised, resolved to one identifier, enriched, validated and loaded into the owned record, then held to standard by governance.
StageWhat happens
ProfileAssess every source for completeness, consistency, duplication and validity, and set a measured quality baseline per domain so progress is visible rather than asserted.
StandardiseApply consistent formats and naming, resolving the class of inconsistency the gap report named, such as Ltd. against Ltd, address and jurisdiction formats, and date formats.
ResolveMatch records that describe the same client or entity across systems, assign the single enforced identifier, and set survivorship rules that decide which value wins where sources disagree.
EnrichFill gaps from authoritative sources, including registry data, screening results and the underlying documents, so records are complete and not merely consistent.
ValidateRun data-quality rules and route exceptions to human review. Nothing writes to the record until it passes.
LoadMigrate the cleansed, resolved and enriched data into the owned record as the golden record.
GovernMaintain quality as an ongoing practice, so the uplift holds rather than decaying back to the current state.

4.3 The uplift, by data domain

The pipeline is applied domain by domain, in the priority the gap report set. Each domain starts from a known current state and has a defined target, so the uplift can be measured rather than claimed.

Data domainCurrent stateTarget state
Client masterDuplicated across systems, names mismatched between them.One golden client record under a single identifier.
Entity masterAbout 1,200 entities, relationships captured across many separate places in ViewPoint.A structured entity record with the fund-to-underlying-party fan-out resolved.
Compliance statusCalendars rebuilt each year, no system memory.Status held on the record and driving workflow.
FinanceViewPoint and Xero, merged by hand.Reconciled to the record for a single Group view.
DocumentsFour digital stores plus the physical file room.Indexed against the record and retrievable.

4.4 The ingestion layer does the heavy lifting on the backlog

The same ingestion layer that fixes go-forward capture is what makes the historic uplift feasible at scale. Standardisation and de-duplication are largely rules-based, but enrichment is where the AI extraction earns its place: the layer reads the source documents, the passports, trade licences, incorporation papers and prior filings, and pulls the structured fields needed to complete a record. This is the one place the architecture deliberately runs AI on dirty data, because extracting from a messy historic set is exactly how that set gets cleaned. The bulk conversion is a one-time Stage 2 workstream, and the governance stage keeps it clean thereafter.

4.5 Match the automation tier to the task

Automation tierWhat it doesWhere it is used
IngestionAutomated intake, extraction and validation at the input boundary.Onboarding documents, forms, portal submissions, every point where data is currently keyed by hand.
IntegrationData moved automatically between the record and the specialist spokes.Screening results, accounting data, audit data, every re-keying point in the current-state map.
Workflow and AI-assistedNative workflow off the record, plus AI drafting and summarisation with human review.Compliance calendars, renewals, board minutes, working papers, compliance summaries, file notes.

4.6 AI on clean data, and where dirty data is tolerable

The distinction the proposal drew still governs sequencing. Document drafting can begin before the record is fully clean, because the AI works on the document in front of it, which is why the drafting quick wins can start early. Anything that reads the master data or feeds a regulatory submission waits for the clean identifier. The one deliberate exception is the backlog enrichment in 4.4, where extraction is run on the messy historic set precisely in order to clean it. The data core and the quick wins therefore proceed in parallel, not in sequence.

5To-be workflows for the priority workstreams

The workstreams below are the priority cluster from the gap report's value-against-risk matrix. For each, the current state is the gap report's finding, the target is the design, and the closure paths are tagged in the same scheme. Sizing and sequencing are Deliverable 3.

5.1 Onboarding and KYC CIN

Today. Onboarding is run largely outside systems. It is the heaviest manual load in the Group and the gateway to all revenue, which is why it sat at the top of both axes of the matrix. A single fund can bring twenty or more underlying parties, so the work fans out per entity, and the file cannot progress, and the client cannot be billed, until compliance clears it.

Target. Intake comes in through the KYC360 portal and screening, the ingestion layer extracts and validates the documents and writes the result once into the owned record, with the entity fan-out resolved in the core rather than re-keyed per party. The file note is drafted by AI for a reviewer to complete. This is the flagship because it is where owning the record and automating capture pay back hardest, and it proves the whole design.

Client intakeKYC360 portal + screening Ingestionextract · validateno re-keying Owned recordwrite once ·entity fan-out resolved File noteAI draft, then review Complianceclear, then bill Capture becomes a system function. The data is entered once and never re-keyed.
Onboarding, to-be. The ingestion layer turns intake into validated data before it reaches the record, and the entity fan-out is resolved once in the core, the reverse of today's per-party manual re-entry.

5.2 Regulatory compliance and monitoring CN

Today. The compliance calendar is rebuilt manually every year because no system holds its memory, and the monitoring programme runs across well-defined phases by hand.

Target. The calendar and monitoring programme run as workflows off the owned record, so they regenerate and alert rather than being rebuilt. AI drafts the compliance summaries, and the compliance officer's review is retained at every point a regulator examines the output. The team's own process documentation maps the phases, so the workflow lands against a known shape.

5.3 Audit IN

Today. Audit runs in Inflo, but working papers and reports are drafted from templates by hand, and client and entity data is coordinated across systems manually.

Target. Inflo draws client and entity data from the record rather than re-entering it, and the repetitive drafting is produced by the AI layer against the audit templates, freeing time for the judgement work the standards require. Inflo stays as a specialist spoke, and nothing about it is load-bearing.

5.4 Annual accounting and tax CIN

Today. Annual-accounting clients are served manually in Excel: statements posted by hand, trial balances and returns prepared manually, data spread across systems and email. Xero does not cover annual accounting at all.

Target. Two things separate here. Routine outsourced accounting stays on Xero as a specialist spoke, but the design does not lean on Xero's own AI. The Group tested the new AI-enabled version of Xero and the output quality was not good enough to rely on. Instead the ingestion layer prepares and cleanses the data upstream and feeds it in, which lifts quality regardless of the tool and reduces the Group's dependency on Xero's AI to the point where that capability can be turned down to zero, or Xero itself replaced, without disturbing the record. Annual accounting, which Xero cannot do and which is run by hand in Excel today, is a genuine new-capability build: it is produced on the owned record, and it is the second build candidate alongside the core. The tax opinion stays with the professional. The tax lead described the analysis as purely brain, and the design respects that line: AI accelerates the preparation into the opinion, it does not form it.

5.5 Master data and reporting DI

Today. Cross-entity reporting is the biggest finance time sink, most of it spent reconciling ViewPoint and Xero before any number is produced.

Target. With the golden record owned and the spokes integrated, reporting draws from a single reconciled source directly. Bounded, well-defined reports are a natural fit for the internal systems team to own, given its existing SQL capability. The design notes this as an internal-build boundary rather than assuming it.

5.6 Corporate secretarial and renewals CN

Today. Four to five hundred clients carry annual board minutes and renewal filings. Renewals roll forward on reminder logic maintained by duplicating files, and board minutes follow templates but are produced by hand.

Target. Renewal and reminder logic runs as workflow off the owned record, so files are not duplicated to hold a reminder. Board minutes and the standard corporate-secretarial documents are drafted by the AI layer from their templates for review. This is high-volume, predictable, template-bound work, the profile that suits workflow plus drafting best.

5.7 Invoicing and finance operations CI

Today. M/HQ invoices in ViewPoint, Rethink and RAA in Xero, and any Group view of cash requires the two to be merged by hand.

Target. Invoicing runs off the record and Xero, with the integration layer giving a single Group cash view. This closes entirely through configuration and integration, with no new capability, which is why it is a strong early move.

The pattern across all seven

Every workstream resolves to the same shape: capture is fixed at the ingestion boundary, the record is owned and single, the specialists are configured and integrated, and AI drafts on top. The only genuinely new capability is the core and its ingestion, plus annual accounting, which no specialist tool covers. Everything else is configuration, integration and data.

6AI tools integration plan: Co-pilot and Claude

This section is the AI tooling integration plan the RFP and the Deliverable 2 acceptance criteria call for: where the tools are deployed, how teams are trained, how the work is governed, and how it is secured. The framing is the one the ops team asked for: systems and data first, AI as the layer.

6.1 Where each tool is deployed

ToolBest fitWhy
ClaudeExtraction and validation at the ingestion boundary, long-document reasoning, and structured drafting from templates, including onboarding file notes, audit working papers, compliance summaries and structuring proposals.The heavy extraction and drafting, and anything reasoning over a long or complex document, is where its strength sits, and the ingestion layer is exactly that.
Microsoft Co-pilotDrafting and summarising inside Word, Excel, Outlook and Teams, inbox and reporting assistance, and extending existing Copilot Studio use.It lands where the teams already work in M365, and the systems team already runs a Copilot Studio tool, so the ground is familiar.

Both are deployed first against the document-heavy drafting work that recurred in every function, and Claude additionally at the ingestion boundary. That is the deliberate starting point: high consistency, contained risk, and time given back quickly, and it does not wait on the data core being complete.

6.2 Training and adoption

The gap report flagged adoption as a real risk: teams are satisfied with the current ViewPoint and may resist disruption, and it recommended treating adoption as a workstream, not an afterthought. The plan follows that, with role-based training tied to the specific work each function hands to the tools, led with the quick wins that give time back so the first experience is a helpful one. This is the buy-in the Group's leadership asked for in naming AI training and cross-group involvement as a goal of the strategy phase. The adoption sequence and the capability shift are in Section 8.

6.3 Governance

  • Human review is retained wherever an external party examines the output. AI drafts, a professional reviews and signs. The compliance officer's review stays in the loop for regulated outputs, as the monitoring-programme documentation already assumes.
  • Validation at the ingestion boundary. Extracted data is validated before it reaches the record, so the AI never silently writes to the source of truth. The golden record is protected by design.
  • Templates and prompts are owned centrally, and tool and model selection is a governed decision made by the technology forum in Section 9, not ad hoc per team.

6.4 Security

  • Sensitive data is handled with care by design. The document review flagged live payroll with names, salaries and IBANs, client financial workings, and UBO and source-of-wealth data. Access to AI tooling over that data is controlled, and the regulated context, DIFC and ADGM, sets the bar.
  • Client data is not used to train models, and tenant isolation and data-residency considerations are confirmed at tool selection.
  • Access follows role, consistent with the access controls on the owned record.

7The four paths: our recommendation

The proposal set out four paths for closing any gap that needs new capability, and committed to documenting the alternatives for every recommendation. The recommendation here is a data-centric architecture built on an owned core, and it uses all four paths in their proper places.

PathDefinitionWhere it fits
ACommercial softwareThe specialist spokes: Xero (finance), KYC360 (screening and intake), Inflo (audit), a commodity AEOI provider. Chosen on API-openness and swappability.
BAI tools integrationClaude and Co-pilot, extraction at the ingestion boundary and drafting on top. Woven through the architecture, not a system in it.
CCrossVal-built and operatedThe core: the owned source-of-truth data layer, the ingestion layer, and the integration fabric. Plus annual accounting, which no specialist tool covers. Disclosed transparently, with alternatives documented below.
DInternal buildBounded reporting and configuration on the owned record, which the systems team can own given its SQL capacity.

7.1 The core we recommend building

PATH COwned data core + ingestion layer

The Group's root problem is how data gets in and how it moves, and its single source of truth. Neither is closeable by configuring or integrating an existing tool, because the answer is the Group's own data and the automation that feeds it, not another application. This is the one place we recommend CrossVal builds and operates the capability, and it is the spine the rest of the architecture hangs off. Onboarding is its first proof, and the same core then serves compliance, audit, corporate secretarial and reporting. Annual accounting is a second, bounded build on top of the same core, because no specialist tool covers it.

Alternatives, documented. A platform migration, Quantios as system of record, was the starting assumption and is the main alternative. It was set aside for three reasons: it places the Group's operations inside one vendor's delivery timeline against a hard Q4 2026 deadline, and a same-profile reference customer on the same ViewPoint starting point reported that implementation had not begun months after sign-off, with manual entry still undermining the integration; it does not solve the capture problem, which is the Group's largest source of manual work; and its strongest capability, regulatory reporting, proved jurisdiction-gated on ADGM and DIFC, the two regimes the Group most needs. Internal build of the core (Path D) was set aside because a source-of-truth data layer against this deadline exceeds the internal team's bandwidth and would deepen the key-person dependency the gap report flagged. The specialist spokes remain Path A, and the Group retains full discretion.

Honest note on delivery risk

Building the core does not remove delivery risk, it changes its shape. The reason a platform migration was set aside was delivery risk against Q4 2026, and a bespoke core carries its own. The difference is control: a build can be phased, descoped and stood up in pieces, and the ingestion layer and drafting quick wins deliver value independently of the full core going live. That is a real advantage over a single vendor's go-live, but it is not the same as risk removed, and Deliverable 3 sizes it directly.

7.2 The recommendation, by workstream

WorkstreamRecommended pathAlternatives considered
The record and ingestionC (build and operate)Platform migration (A) set aside on delivery, capture and jurisdiction grounds; internal build (D) exceeds bandwidth for a source of truth.
Onboarding and KYCC core + A (KYC360) + BKYC360 alone leaves fan-out and write-once unsolved; pure B cannot run a regulated intake.
Reg. compliance and monitoringWorkflow off record + BScreening tools already in place; no new platform needed.
AuditB, on Inflo (A, existing)Build unnecessary while drafting closes the gap; D not suited to standards-bound output.
Annual accounting and taxA (Xero) + B; C for annual accountingXero's own AI tested below the quality needed, so preparation moves to the ingestion layer; annual accounting is not a Xero capability, so it is built on the record; the opinion stays with the professional.
Master data and reportingD + the owned recordPath C core provides the data; the internal team owns the bounded reporting on top.
Corp secretarial and renewalsWorkflow off record + BNo new platform where workflow off the record and drafting suffice.
Statutory filingTemplates off record + A (AEOI)A CSP platform's filing engine was jurisdiction-gated on ADGM/DIFC; AEOI is a commodity spoke or a schema build.

We state the Path C framing plainly: CrossVal is a technology firm with build capability, not a vendor-neutral advisor, and the recommendation to build and operate the core is disclosed as such, with the platform and internal-build alternatives documented so the Group can validate. The Group retains full discretion on every path.

8Capability evolution framework

This is the human side of the design. Its framing is capability shift and capacity unlock, not headcount reduction. The Group's roughly two hundred people are redeployed against higher-value work as ingestion, integration and workflow absorb the routine, and the operating question is how the Group grows revenue per professional rather than headcount as it scales.

8.1 Three horizons

HorizonWhat changesWhat the teams feel
Quick wins
early
AI drafting goes live against board minutes, working papers, compliance summaries and proposals, and ingestion pilots start on onboarding. Runs on today's data.Time given back on the most repetitive work, with review retained. The first experience of the tools is a helpful one.
Owned data core live
middle
The source of truth, the single identifier and the integration to the spokes are in place. The Excel glue is retired.Data entered once. Reconciliation and re-keying fall away. The Group view stops being a manual assembly.
Steady state
ongoing
The operating model in Section 9 runs the architecture, and capability keeps evolving against new work rather than catching up on old.Roles have shifted toward review, exception-handling and advisory. Growth is absorbed by the architecture, not by hiring linearly.

8.2 How roles evolve

  • Onboarding officers move from keying and chasing toward reviewing extracted data and handling the exceptions the ingestion layer surfaces, the judgement in a file, not the assembly.
  • Accountants and audit staff move from repetitive drafting toward review and the professional judgement the standards require, with the first pass produced for them.
  • Compliance moves from rebuilding calendars and re-running defined phases toward monitoring, escalation and the decisions that need a person.
  • The systems team moves toward owning the bounded reporting and configuration on the owned record, a more central role than today, with the key-person dependency the gap report flagged designed out.

None of this is a reduction case. It is the redeployment case the proposal described: the same people, against higher-value work, as the routine is absorbed.

9Operating model and steady state

This section sets out how the architecture is built, run and evolved once Stage 2 is complete. It maps to the RFP's steady state of ongoing improvements with the vendor or with internal teams. It lays out the options, and the choice, and its cost, are the Group's to make with Deliverable 3.

9.1 Three steady-state options

ModelShapeBest when
CrossVal-operated coreCrossVal builds and operates the owned data core, ingestion and integration, and the Group owns the data throughout.The Group wants to move fastest and keep the build context with the partner who built it.
InternalThe Group's systems team runs the core in steady state, potentially expanded with hires made during Stage 2.The Group wants the capability fully in-house and will build the team to hold it.
HybridCrossVal operates the core, ingestion and AI layer, the internal team owns bounded reporting and configuration, and the specialist spokes are vendor-managed.The Group wants both leverage and ownership, the most likely fit given the internal team's capacity.

On current evidence the hybrid model is the natural fit, and the architecture makes it safer than a platform would: because the source of truth is data the Group owns, the operating partner can change without the record moving. That is a materially lower lock-in than housing the record inside a vendor's platform. We present hybrid as the recommended option, not the only one, and Deliverable 3 sizes each.

9.2 Governance for steady state

  • A standing technology governance forum, Systems-led and sponsored at Group-CFO level, owns tool and model selection, the prompt and template library, and the sequencing of changes.
  • Data governance sits at the centre, not the edge. Because the Group owns the record, maintaining the single identifier and the golden record is the core steady-state practice, the thing that keeps the architecture from drifting back to the current state.
  • Security governance owns the access, residency and review controls from Sections 6 and 10 rather than assuming them.

10Infrastructure, hosting and security

The architecture in this report is data-centric and cloud-oriented, so the infrastructure question is not how to enlarge the server room but where the owned record is hosted and how it is secured. This section sets the hosting direction, grounds it in the DIFC and ADGM data protection regimes that govern the Group's data, and sets out the estate refresh that is warranted regardless.

10.1 The current estate

MHQ's system of record, ViewPoint, is an on-premise 2019 version, reported in discovery as slow, especially for finance, and carrying a twice-daily backup routine the systems team runs by hand. Files sit across an on-premise NAS and a controlled document room, IT is delivered by a third-party vendor under the operations team, and the IT asset register is kept in Excel. Security today rests on a firewall, Bitdefender and Microsoft tooling, and the team reported four to five targeted phishing incidents last year that had to be notified to the relevant authorities. The estate is aging, on-premise, and thin on in-house engineering, with a six-person systems team alongside the outsourced vendor. The direction of travel is to retire and migrate it, not to invest further into it, which matches the Group's own stated strong preference for a cloud-based model over the current on-premise one.

10.2 The hosting decision: cloud, with the record owned

The owned data core is hosted in the cloud, in a selected region, with the Group owning the data throughout. The AI layer, Co-pilot and Claude, is cloud by nature and consumed as a service, and the systems team already runs a Copilot Studio tool, so the ground is familiar. This keeps the infrastructure light and the estate small, and it follows directly from the architecture in Section 3 rather than departing from it.

On on-premise AI

We considered, and set aside, an on-premise AI build, meaning dedicated AI compute or an AI appliance in the Group's own racks. It does not fit here. The AI tools named in the RFP, Co-pilot and Claude, are frontier models consumed as a cloud service, so there is no model to host and no GPU estate to buy or run. A six-person team working with an outsourced IT vendor is not resourced to operate AI infrastructure, and the capital cost would return nothing against the tools actually in use. Recommending it would be the architecture-heavy, hardware-first move the Group asked us to avoid. If a specific client mandate ever requires on-premise processing, it can be revisited as a bounded exception with its cost and staffing stated plainly.

10.3 Data residency and what the law requires

The pressure behind the hosting question is real and observed: clients increasingly ask where the Group's data sits, and the security questionnaires that carry those questions are rising in volume and take around five hours each. The question is a regulatory one, and the two regimes that govern the Group's data answer it clearly.

Under the DIFC Data Protection Law No. 5 of 2020, a transfer of personal data to a recipient outside the DIFC is permitted where the destination is judged to have an "adequate level of protection" (Article 26), or, absent adequacy, where "appropriate safeguards" such as the DIFC's standard contractual clauses or binding corporate rules are in place (Article 27), with the processing notified to the Commissioner. The ADGM Data Protection Regulations 2021 mirror this: transfers outside the ADGM rest on an adequacy decision (Article 41), for which the ADGM has adopted all jurisdictions the European Commission recognises as adequate, or on appropriate safeguards such as the ADGM standard contractual clauses (Article 42). Both regimes follow the GDPR model, and, importantly, neither requires data localisation or residency inside the free zone.

The consequence for hosting is direct. Cloud hosting is compliant provided the region or provider sits in an adequate jurisdiction, or the transfer is covered by standard contractual clauses in the data processing agreement, and the transfer is recorded and notified. On-premise hosting inside the DIFC or ADGM is not a legal requirement. The compliant path is to select an appropriate cloud region, put a data processing agreement with standard contractual clauses in place with the cloud and AI providers, use enterprise terms that keep client data out of model training and hold tenant isolation, and document the arrangement in the DIFC notification and the ADGM record of processing.

10.4 Turning security into a commercial asset

Doing this properly does more than satisfy the regulator. A hosting and security posture on a recognised cloud platform, with documented transfers, a data processing agreement and standard contractual clauses, and clear residency answers, is exactly what the rising client questionnaires ask for. Captured once as a reusable security pack, it shortens the roughly five-hour response each questionnaire now takes and removes a recurring point of friction at client onboarding and renewal. The control the regulation requires becomes something the Group can show clients.

10.5 The estate refresh that is warranted

Independent of the hosting direction, part of the 2019 estate needs refreshing, and this is targeted renewal alongside migration, not a data-centre build. The items that matter:

  • Endpoints and identity. Refresh the aging device fleet and put single sign-on and multi-factor authentication across the Group, given the phishing history and the move to cloud services.
  • Backup and disaster recovery. Replace the manual twice-daily backup routine with managed, cloud-based backup and a tested recovery position, removing both the burden and the risk.
  • Network and security tooling. Uplift the current firewall and endpoint tooling to a posture that matches the incident history and the client-questionnaire bar, coordinated with the outsourced IT vendor the operations team already manages.

None of this is a large capital programme, and Deliverable 3 sizes it directionally alongside the rest of the roadmap.

11Dependencies and delivery risks

The gap report carried the current-state risk register and deferred the forward-looking risks to here and Deliverable 3. This register covers the design and delivery risks that follow from the target state, reviewed in the weekly steering check-in.

11.1 Design dependencies

  • Ratification of the direction change. This deliverable recommends an owned data core rather than a platform migration, which departs from the agreed acceptance criterion. It needs an explicit decision from the sponsor and the Group Systems lead before the roadmap is built on it.
  • Diagram sign-off. The architecture and workflow diagrams are drafts for the Group Systems lead to approve, and the design is provisional until then.
  • Spoke API-openness. Each specialist must expose a proper API and be replaceable. Xero and KYC360 do, and any tool chosen for entity or corporate-secretarial work must meet the same test.

11.2 Delivery risk register

RiskRatingMitigation
Direction change is not ratified, or is ratified late, compressing the roadmapHighPut the decision to the sponsor and Systems lead at the next steering session, and present the platform alternative fairly so the choice is the Group's.
Bespoke core does not deliver within the Q4 2026 windowHighPhase the build, stand up ingestion and quick wins first so value lands independently of the full core, and descope to the priority workstreams.
Data remediation treated as later clean-up rather than a load preconditionHighRemediate into the record at load through the conversion pipeline, and hold the single identifier as a gate on dependent work.
A specialist spoke lacks a usable API or cannot be swappedMedMake API-openness and replaceability a selection gate, and keep no spoke load-bearing.
Reliance on a tool's own AI where quality is unproven, as tested with XeroMedPrepare and validate data in the ingestion layer upstream, do not depend on a spoke's AI, and keep the tool replaceable.
ADGM/DIFC statutory templates or AEOI sourcing underestimatedMedBounded, known form set; build templates off the record and source AEOI as a commodity or build to the OECD schema.
AI adopted for regulated outputs without review disciplineMedHuman review at every point of external scrutiny, validation before write to the record, and central template ownership.
Recommending a CrossVal-built core is self-interestedMedDisclosed transparently, platform and internal-build alternatives documented, the Group owns the data and retains discretion.

AAppendix: assumption log

This log continues the assumption log from the current-state report. The numbering restarts for this deliverable.

#Assumption
1The source of truth is a data layer the Group owns, not a trust-and-corporate-services platform. This revises the engagement's starting assumption and is put to the sponsor and Systems lead for an explicit decision.
2A platform migration (Quantios) was assessed and set aside on delivery-risk, capture, and jurisdiction-coverage grounds. The reasoning is documented in Section 7 for independent validation.
3The priority workstreams in Section 5 are the priority cluster from the gap report's value-against-risk matrix, not a fresh selection.
4The specialist spokes are chosen on API-openness and replaceability, none is load-bearing, and the design assumes each exposes a usable API. Xero's own AI was tested by the Group and found below the quality needed, so the design does not depend on it.
5Existing data is converted into the owned record through the pipeline in Section 4, and the quality uplift is measured against a per-domain baseline rather than asserted.
6Annual accounting is treated as a new-capability build because no specialist tool in the stack covers it, and it is produced on the owned record.
7The design describes the shape of the future state, not its cost or sequence. Sizing, sequencing and investment framing are Deliverable 3.
8Building the core carries delivery risk that is managed by phasing rather than removed, and the ingestion layer and drafting quick wins are assumed to deliver value independently of the full core.
9AI outputs examined by an external party are human-reviewed, and extracted data is validated before it writes to the owned record. The tax opinion and other judgement work are outside the AI layer's scope.

End of Deliverable 2. This report sets the future-state design and the operating model. Deliverable 3 sequences and sources the work and frames the investment and the Stage 2 decision.