
A financial services firm selling insurance products and investment tools through a direct-to-consumer eCommerce channel needed something that most platform vendors said was impossible: deep customization flexibility combined with strict regulatory compliance for FINRA, SEC, and state insurance commission requirements. Off-the-shelf platforms could not accommodate the compliance workflows. Fully custom builds would take years and cost millions. The solution was a heavily customized Adobe Commerce implementation that bent the platform to fit regulatory requirements without breaking its upgrade path — and passed three separate regulatory audits in its first year of operation.
The Compliance Problem That Blocked Growth
The company had been selling through a legacy system built on a custom PHP application that was originally created in 2014. The system worked, but it had accumulated so much technical debt that even minor changes — updating a disclosure statement, adding a new product variant, modifying a pricing calculation — required weeks of development and manual QA because the codebase had no automated tests and no clear separation between business logic and presentation.
Regulatory requirements made this worse. Every customer-facing change required compliance review and sign-off. Product descriptions contained legally mandated disclosures that varied by state. Pricing calculations followed formulas specified by regulatory filings that could not be deviated from. Customer communications — order confirmations, account statements, marketing emails — all required specific language approved by the compliance department.
The compliance team's review cycle added two to four weeks to every release. The engineering team was shipping quarterly at best. Meanwhile, competitors on modern platforms were iterating weekly, launching new products, and capturing market share.
The company needed a platform that gave their engineering team the flexibility to build custom compliance workflows while giving their compliance team confidence that regulatory controls could not be accidentally bypassed.
Why Standard eCommerce Platforms Were Not Enough
The evaluation team assessed six platforms across three months. The core challenge: platforms that offered extensive customization (Adobe Commerce, Shopware) required the compliance team to trust that customizations would not introduce regulatory violations. Platforms that offered rigid, controlled experiences (Shopify Plus, BigCommerce) could not accommodate the custom pricing logic, disclosure management, and approval workflows that regulators required.
| Requirement | Standard Platform Capability | What This Company Needed |
|---|---|---|
| Product pricing | Configurable price rules, tiered pricing | Regulatory-filed formulas with state-specific variations, auditable calculation logs |
| Content management | CMS with WYSIWYG editing | Version-controlled content with compliance approval workflows, state-specific disclosure insertion |
| Customer communications | Template-based emails | Legally reviewed templates with dynamic regulatory language, delivery receipts for compliance records |
| User access | Role-based admin access | Segregation of duties with compliance department veto authority over specific content and pricing changes |
| Audit trails | Basic admin action logs | Complete change history for every customer-facing element with timestamps, approvers, and regulatory justification |
| Data retention | Configurable retention policies | Regulatory-mandated retention periods varying by data type, automated purging with retention holds for open investigations |
The evaluation concluded that Adobe Commerce provided the strongest foundation because its modular architecture allowed deep customization without modifying core code, its extension framework supported the kind of workflow customization the compliance team required, and its B2B features provided a foundation for the approval workflows and role-based controls that could be adapted for regulatory purposes.
The Implementation: Bending the Platform Without Breaking It
Bemeir designed the implementation around a principle that the company's CTO described as "compliance as infrastructure" — making regulatory requirements part of the platform's architecture rather than bolting them on as afterthoughts.
Regulatory pricing engine. The standard Magento pricing system was extended with a custom module that implemented the company's regulatory-filed pricing formulas. Each formula was defined as a versioned configuration that referenced the specific regulatory filing it implemented. When the pricing engine calculated a price, it logged the formula version, the input parameters, and the output result — creating an auditable record that regulators could review.
The pricing module supported state-specific overrides. A customer in New York might see different pricing than a customer in California for the same product, based on different regulatory filings in each state. The system determined the applicable pricing rules based on the customer's verified address and applied them automatically.
Critically, pricing formula changes required approval from a user with the compliance role before they could be activated. An engineer could develop and test a new formula in the staging environment, but promoting it to production required a compliance officer to review the formula against the regulatory filing and digitally approve the change. This approval was logged and included in audit reports.
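The pricing-engine behaviour described in the three paragraphs above (formula versions tied to a filing reference, state-specific overrides selected by customer location, a per-calculation audit record, and activation gated on the compliance role with the author excluded) as an added, framework-independent Python model. This is not Bemeir's or the firm's Magento module and uses no Magento API; the `PricingFormula` and `PricingEngine` names, the role names, the `per_thousand` formula shape, the filing references, rates and user names are all assumptions constructed for the example.

```python
"""Illustrative model of an auditable, state-specific, approval-gated pricing engine.

Stand-alone Python standing in for the custom Magento pricing module described in the
article. Formula ids, filing references, rates and user names are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, Dict, List, Optional, Set, Tuple

CENT = Decimal("0.01")
Formula = Callable[[Dict[str, Decimal]], Decimal]


@dataclass(frozen=True)
class PricingFormula:
    formula_id: str       # product pricing formula, e.g. "term-life-base" (constructed)
    version: int          # bumped on every change; superseded versions stay for audit
    filing_ref: str       # regulatory filing this version implements (placeholder)
    state: Optional[str]  # None = default rule, "NY" = state-specific override
    author: str           # engineer who built it; needed for segregation of duties
    compute: Formula


class PricingEngine:
    """Engineers stage formulas; only a compliance approval makes one active."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles
        self.staged: Dict[Tuple[str, Optional[str], int], PricingFormula] = {}
        self.active: Dict[Tuple[str, Optional[str]], PricingFormula] = {}
        self.approvals: List[dict] = []  # who activated which version, when
        self.calc_log: List[dict] = []   # one record per price calculation

    def stage(self, formula: PricingFormula) -> None:
        """Staging is open to engineers and never affects live prices."""
        self.staged[(formula.formula_id, formula.state, formula.version)] = formula

    def approve(self, formula_id: str, state: Optional[str], version: int, approver: str) -> None:
        """Activate a staged version: compliance role required, approver must not be the author."""
        formula = self.staged[(formula_id, state, version)]
        if "compliance" not in self.roles.get(approver, set()):
            raise PermissionError(f"{approver} lacks the compliance role")
        if approver == formula.author:
            raise PermissionError("segregation of duties: author may not approve own formula")
        self.approvals.append({
            "formula_id": formula_id, "state": state, "version": version,
            "filing_ref": formula.filing_ref, "approver": approver,
            "approved_at": datetime.now(timezone.utc).isoformat(),
        })
        self.active[(formula_id, state)] = formula  # the only write to the live rule set

    def price(self, formula_id: str, customer_state: str, inputs: Dict[str, Decimal]) -> Decimal:
        """State override wins over the default; every calculation is logged with its provenance."""
        formula = self.active.get((formula_id, customer_state)) or self.active.get((formula_id, None))
        if formula is None:
            raise LookupError(f"no approved formula for {formula_id}")
        result = formula.compute(inputs).quantize(CENT, rounding=ROUND_HALF_UP)
        self.calc_log.append({
            "formula_id": formula_id, "version": formula.version, "filing_ref": formula.filing_ref,
            "rule_state": formula.state, "customer_state": customer_state,
            "inputs": {k: str(v) for k, v in inputs.items()}, "result": str(result),
            "calculated_at": datetime.now(timezone.utc).isoformat(),
        })
        return result


def approval_error(engine: PricingEngine, *args) -> Optional[str]:
    """Helper for the worked example: return the rejection message instead of raising."""
    try:
        engine.approve(*args)
        return None
    except PermissionError as exc:
        return str(exc)


def per_thousand(rate: Decimal) -> Formula:
    """Constructed formula shape: premium = face_amount * rate / 1000 + policy_fee."""
    return lambda p: p["face_amount"] * rate / Decimal(1000) + p["policy_fee"]


def demo_quote() -> Dict[str, Decimal]:
    """Constructed quote inputs used by the example."""
    return {"face_amount": Decimal("100000"), "policy_fee": Decimal("10")}


def build_demo_engine() -> PricingEngine:
    """Stage a default formula, a NY override and an unapproved NY revision, then activate two."""
    engine = PricingEngine(roles={"eng_alice": {"engineer"}, "comp_bob": {"compliance"},
                                  "admin_carol": {"admin"}, "eng_comp_frank": {"engineer", "compliance"}})
    engine.stage(PricingFormula("term-life-base", 3, "FILING-DEFAULT-PLACEHOLDER", None,
                                "eng_alice", per_thousand(Decimal("1.25"))))
    engine.stage(PricingFormula("term-life-base", 1, "FILING-NY-PLACEHOLDER", "NY",
                                "eng_alice", per_thousand(Decimal("1.40"))))
    engine.stage(PricingFormula("term-life-base", 2, "FILING-NY-PLACEHOLDER", "NY",
                                "eng_comp_frank", per_thousand(Decimal("1.45"))))
    engine.approve("term-life-base", None, 3, "comp_bob")
    engine.approve("term-life-base", "NY", 1, "comp_bob")
    return engine


if __name__ == "__main__":
    eng = build_demo_engine()
    print("CA:", eng.price("term-life-base", "CA", demo_quote()))  # default rule
    print("NY:", eng.price("term-life-base", "NY", demo_quote()))  # state override
    print(approval_error(eng, "term-life-base", None, 3, "eng_alice"))
    print(approval_error(eng, "term-life-base", "NY", 2, "eng_comp_frank"))
    print(eng.calc_log[-1])
```

Two design choices carry the compliance weight here. The calculation log stores the formula version and filing reference next to the inputs and the rounded output, so an auditor can reproduce any quote without trusting the current code. And the live rule set is written only inside `approve`, so there is no path from staging to production that bypasses the compliance role, and the check that the approver is not the author holds even for a user who happens to hold both roles.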
Content compliance workflow. Every piece of customer-facing content — product descriptions, marketing banners, email templates, checkout page language — ran through a custom content workflow built as a Magento module.
Content changes moved through a defined lifecycle: draft, compliance review, approved, published. Only users with the compliance role could move content from "compliance review" to "approved." Only approved content could be published to the live site. The system maintained a complete version history, so auditors could see every version of every piece of content, who approved it, when, and what changed between versions.
State-specific disclosures were managed through a disclosure template system. Rather than requiring content editors to manually insert the correct disclosure language for each state, the system automatically inserted the appropriate disclosures based on the customer's location. Disclosures were managed as separate, compliance-controlled content blocks that could be updated independently of the product content.
Segregation of duties. The role-based access control system was customized to enforce regulatory segregation of duties requirements. Three controls were key: the person who develops a pricing change cannot be the person who approves it; content creators cannot publish their own content without compliance review; and system administrators cannot modify audit logs or bypass approval workflows.
These controls were enforced at the platform level, not through policy documents that depend on people following rules. The system blocked unauthorized actions outright rather than merely logging violations after the fact.
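The content workflow and the segregation-of-duties controls described in the preceding paragraphs (the draft, compliance review, approved, published lifecycle; role-gated transitions; full version history; disclosure insertion by customer location; and an audit log that no role can edit) as an added, framework-independent Python model. This is not the firm's or Bemeir's Magento workflow module and uses no Magento API; the `ContentWorkflow` and `ContentItem` names, the transition table, the role and user names, the content bodies and the disclosure texts are all assumptions constructed for the example.

```python
"""Illustrative model of a content compliance workflow with segregation of duties.

Stand-alone Python standing in for the custom Magento workflow module described in the
article. Users, roles, content bodies and disclosure texts are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Every allowed lifecycle transition and the role that may perform it. Anything not
# listed (e.g. draft -> published) is impossible for every role, administrators included.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("draft", "compliance_review"): "editor",
    ("compliance_review", "draft"): "compliance",   # rejection back to the author
    ("compliance_review", "approved"): "compliance",
    ("approved", "published"): "editor",
}

# Constructed state-specific disclosure blocks, maintained by compliance, not by editors.
DISCLOSURES: Dict[str, str] = {
    "default": "[PLACEHOLDER: generic disclosure]",
    "NY": "[PLACEHOLDER: New York disclosure]",
}


@dataclass
class ContentVersion:
    version: int
    body: str
    author: str
    state: str = "draft"
    approved_by: Optional[str] = None


@dataclass
class ContentItem:
    content_id: str
    versions: List[ContentVersion] = field(default_factory=list)
    published_version: Optional[int] = None  # what the live site serves

    @property
    def current(self) -> ContentVersion:
        return self.versions[-1]


class ContentWorkflow:
    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles
        self.items: Dict[str, ContentItem] = {}
        self._audit: List[dict] = []  # append-only: no method edits or deletes entries

    @property
    def audit_log(self) -> Tuple[dict, ...]:
        return tuple(self._audit)  # callers get a read-only copy

    def _record(self, **event) -> None:
        self._audit.append(dict(event, seq=len(self._audit)))

    def edit(self, content_id: str, author: str, body: str) -> int:
        """Every edit is a new draft version; the live site keeps the last published one."""
        if "editor" not in self.roles.get(author, set()):
            raise PermissionError(f"{author} may not edit content")
        item = self.items.setdefault(content_id, ContentItem(content_id))
        version = ContentVersion(len(item.versions) + 1, body, author)
        item.versions.append(version)
        self._record(action="edit", content_id=content_id, version=version.version, user=author)
        return version.version

    def transition(self, content_id: str, user: str, to_state: str) -> str:
        """The only way to change state; there is no setter an administrator can call."""
        item = self.items[content_id]
        cur = item.current
        required = TRANSITIONS.get((cur.state, to_state))
        if required is None:
            raise ValueError(f"no transition {cur.state} -> {to_state}")
        if required not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks the {required} role for {cur.state} -> {to_state}")
        if to_state == "approved":
            if user == cur.author:  # holding both roles still does not permit self-approval
                raise PermissionError("segregation of duties: author may not approve own content")
            cur.approved_by = user
        if to_state == "published":
            item.published_version = cur.version
        self._record(action="transition", content_id=content_id, version=cur.version,
                     from_state=cur.state, to_state=to_state, user=user)
        cur.state = to_state
        return cur.state

    def render(self, content_id: str, customer_state: str) -> Optional[str]:
        """Serve only the published version, with the customer's state disclosure appended."""
        item = self.items.get(content_id)
        if item is None or item.published_version is None:
            return None
        body = item.versions[item.published_version - 1].body
        return body + "\n" + DISCLOSURES.get(customer_state, DISCLOSURES["default"])


def attempt(fn, *args) -> Optional[str]:
    """Helper for the worked example: return the rejection message instead of raising."""
    try:
        fn(*args)
        return None
    except (PermissionError, ValueError) as exc:
        return str(exc)


def build_demo() -> ContentWorkflow:
    """Walk one product description through draft -> review -> approved -> published."""
    wf = ContentWorkflow(roles={"ed_dana": {"editor"}, "comp_bob": {"compliance"},
                                "admin_carol": {"admin"}, "ed_comp_eve": {"editor", "compliance"}})
    wf.edit("term-life-pdp", "ed_dana", "Term life, 20-year level premium.")
    wf.transition("term-life-pdp", "ed_dana", "compliance_review")
    wf.transition("term-life-pdp", "comp_bob", "approved")
    wf.transition("term-life-pdp", "ed_dana", "published")
    return wf
```

The enforcement lives in the transition table rather than in a policy: an editor asking for draft to published gets a `ValueError` because the edge does not exist, an administrator asking for any edge gets a `PermissionError` because no edge names the admin role, and a user who holds both editor and compliance still cannot approve a version they authored. Editing an approved item creates a new draft version and leaves the published version serving, so a change can be worked on without the live site ever showing unapproved text, and the audit log exposes only a tuple copy, so nothing in the API lets an administrator rewrite history.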
Results After Twelve Months
The platform launched after a seven-month implementation and passed its first regulatory audit six weeks later. The audit specifically examined the pricing calculation audit trails, content approval workflows, and segregation of duties controls — all areas where the custom Magento implementation provided evidence that the legacy system could not.
Release velocity increased from quarterly to biweekly. The compliance workflow, counterintuitively, accelerated releases. Because compliance review was integrated into the development process rather than treated as a separate gate at the end, issues were caught earlier and resolved faster. The compliance team reviewed changes incrementally as they moved through the workflow rather than reviewing an entire quarterly release in a single marathon session.
Compliance review time dropped from two to four weeks to three to five days. The structured workflow, version-controlled content, and automated disclosure insertion eliminated most of the manual checking that had consumed the compliance team's time. They could focus on substantive review of regulatory requirements rather than hunting for missing disclosures or verifying pricing calculations manually.
Three regulatory audits passed with zero findings. The platform's audit trail capabilities provided regulators with exactly the evidence they needed: who changed what, when, why, and who approved it. The Bemeir team built custom audit reports that exported data in the formats each regulator required, further streamlining the audit process.
New product launch time dropped from six months to six weeks. With the compliance infrastructure in place, launching a new product became a matter of configuring the product in the system, defining its pricing formulas, creating its content through the compliance workflow, and publishing — rather than building custom compliance controls for each new product from scratch.
What Made This Work
Three architectural decisions were decisive.
Extending rather than replacing Magento's core systems. The pricing engine extended Magento's native pricing system. The content workflow extended Magento's native CMS. The access controls extended Magento's native admin roles. This meant that Adobe Commerce version upgrades preserved the custom functionality with manageable adaptation effort, rather than requiring a complete rebuild — a critical consideration for a platform expected to operate for ten or more years under evolving regulatory requirements.
Treating compliance controls as product features. The compliance workflow was not a bureaucratic overlay on the development process. It was a product feature that the compliance team used daily, with its own UX design, its own performance requirements, and its own continuous improvement roadmap. Bemeir designed the compliance interfaces with the same care given to customer-facing features, because the compliance team's efficiency directly affected the company's ability to ship.
Investing in audit infrastructure from the start. Building comprehensive audit trails into every custom module from the first sprint was more expensive upfront than adding logging later. But when the first regulatory audit arrived six weeks after launch, the investment paid for itself immediately. Every question the auditors asked could be answered with data pulled directly from the platform, with no manual compilation or spreadsheet assembly required.
For compliance-focused enterprise decision makers evaluating eCommerce platforms, the key takeaway is this: customization flexibility and regulatory compliance are not opposing forces. With the right architecture — and a development partner like Bemeir who understands both the platform and the regulatory context — deep customization becomes the mechanism through which compliance is achieved, not the risk that threatens it.