Why Minimum Checklist Compliance Doesn’t Scale

Published by Yana on

In the previous article, I traced how your mission as a FinTech startup founder puts you on a possible collision course with partners, auditors, and regulators because of an inherent difference of vision regarding FinTech compliance and the role it occupies in your business.

I’ve also warned against pride and prejudice, which can subconsciously influence your decision-making process: You may end up either relying excessively on large consultancies (think Big4) who don’t really care about your business or its specific context, or trying to improvise your way through partnership due diligence processes and firefight compliance audits. Over the last decade that I have spent in FinTech, I have seen that improvised compliance (or “Minimum Checklist Compliance”, if you will) does not scale for startups in the early-stage / early growth phase. That’s the topic of today’s article.

First, there are 3 key success factors that you need for your compliance to be scalable:

  • Documentation & Policies that meet the required standards, so that you don’t have to re-write them for every new stakeholder 
  • Efficient Processes (onboarding, monitoring, dealing with audits and reporting), in other words, get stuff done
  • Last, and very important: A pragmatic approach to Risk-Taking

You can also look at these deliverables from a skillset, or perhaps an attitude perspective: as a founder, you are probably less risk-averse than a bank employee. You are probably also less well-versed in drafting legal policies, compared to a compliance specialist. Your natural bias for action and the desire to see your business grow makes you open-minded about learning how to structure a performance-oriented compliance pipeline, perhaps with the use of certain external tools – because you really care about growing as fast as you can.

Can you skip any one of the three components? Let’s go through the list and see what happens:

  1. Without documentation and policies, you will experience “undocumented growth” – which is a problem when the time comes to secure important partnerships and regulatory licenses, or maybe even to pass due diligence with VCs for a larger financing round.
  2. Conversely, efficient processes combined with documentation result in top-notch compliance because you do what your policies say you should do. But without risk-taking, you end up being a conservative, rigid, old-fashioned market actor (like a traditional bank, God forbid).
  3. Finally, risk-taking combined with great documentation will create a great public image, on paper. However, if you don’t actually follow your own policies, you will get caught: by auditors, by VC or partner due diligence specialists, and in particularly unlucky (but very real) cases – by government regulators. Never do window-dressing – you’re giving yourself and everyone else in the industry a bad image.

When you are in the middle of due diligence or an audit and have a million things on your plate at the same time (hiring, landing new clients, fundraising, managing your tech and marketing teams…), it is extremely tempting to look at the list of requirements through the lens of “what is the minimum effort required here that I can get away with?”. I get that question a lot from FinTech founders seeking advice – and while appealing on the surface, it’s actually terrible for growth, which is your objective as a startup founder. 

When you apply minimum checklist compliance to your business, you apply the same principles as you would in prototyping a tech product: You know that its expected lifetime is extremely limited because your short-term objective is to close just this one specific partnership or complete this one audit. You are mentally ready to throw away all these efforts and re-do your compliance procedures and operations completely when you have more time and resources. Unfortunately, this never materializes. 

In less than half a year (or even next week), you are firefighting again to pass the next audit or to satisfy the demands of your next banking partner. You may feel that you don’t have any strategy or long-term planning. Redoing your compliance over and over ends up costing you more effort, more time, and more money because you are trying to navigate your way in the open ocean without a map or a compass, and, by the way, your fuel (= cash) is running low.

The biggest problem with this approach of externally-induced compliance is that you don’t learn anything. You are just building something with the sole purpose of “not getting caught” today. Your next partner, next auditor, or next regulator can come in and kill everything you did thus far, and you will be back at compliance “square one” and face the necessity to invest in compliance again.

There is an array of additional, very significant problems if your compliance efforts don’t scale: FinTech is an increasingly crowded industry, meaning that talent wars are very real, and you cannot afford to demoralize your team by redoing things from the ground up all the time – it’s frustrating for your engineering and operations team. A competing startup (with an equivalent or maybe even a worse product but a more convincing compliance execution!) could beat you to the market, raise more capital, or use their relative time advantage to put together a more compelling value proposition. Startups become successful when they reach economies of scale, and FinTech is no exception to that rule – and neither is FinTech compliance.

That is how, after several years of working with startups, regulators, and banking partners, and helping founders obtain around 20 regulatory licenses in a dozen jurisdictions around the world, I have come up with the concept of “just-in-time” compliance, which I’ll explain in my next article, and which will help you transform your compliance function from a perceived burden into an additional driving force for your business.
