FinTech CEO Guide to FastTrack Compliance

Success in FinTech compliance today does not depend on knowledge, budgets or team size. 100% perfect compliance does not exist, and pursuing it will most likely result in wasted resources and too many cooks in the kitchen.

The majority of FinTech CEOs and founders overspend on compliance, hiring too many people and buying too many tools, because they have been led to view compliance as a static, exhaustive checklist of requirements and things to do. They take every requirement as a given.

When I introduce the concept of “just in time” compliance, as opposed to the traditional “just in case” compliance, they are excited because they understand that it is possible to do less and achieve better compliance.

But here is the catch: just as there is no long checklist for 100% compliance, there is no short list for “minimum viable compliance” either.

The core principle of Just in Time compliance is similar to riding a bike: it is a balancing act. Just in Time compliance balances 3 key components:

  • risk-taking
  • operational processes and tools
  • documentation and policies

I will share with you how these components interact and how to mix them to build and maintain the most efficient compliance at the lowest possible cost.

Let's address the first elephant in the room: many founders still believe that there must be some minimal level of acceptable compliance that can be implemented in one week and will allow them to survive for a while.

Minimal checklist compliance is not the same as “just in time” compliance. In fact, it is the opposite: with minimum checklist compliance, your time horizon is limited to closing one specific partnership or passing one audit. You are preparing to throw away all of that effort and redo your compliance completely when the next fire hits. In many cases, you will be firefighting to pass the next audit or to satisfy the demands of your next banking partner without any strategy or long-term planning. It will cost you more and take longer, because you are trying to find your way out of a labyrinth without a map or a compass.

The biggest problem with this externally-forced approach to compliance is that you will not be able to reuse it, because it is driven by external demands. You are building something with the sole purpose of “not getting caught” today. Your next partner, next auditor, or next regulator can come in and throw out everything you did so far, and you will be back at compliance “square one”, facing the need to invest in compliance all over again.

The difference between this firefighting and “just in time” compliance is that the “just in time” compliance structure and requirements come from your internal risk assessment, where you use legal guidance to justify why you do or do not need certain processes, tools, controls or people.

Just in Time compliance is a way to pragmatically accept risks and use the regulatory framework to support your decisions. Because the process is referenced internally to your specific risks and your business model, it can withstand almost any external inspection.


Now you can probably see why “just in time” compliance is much more efficient than firefighting and implementing whatever a random third party told you to build: with the latter, you are risking that your next partner, next auditor, or next regulator comes in and throws out everything you did before.

Let’s still address the second big elephant in the room.

You may be thinking: “But my auditors told me to implement these processes” or “Big 4 advisors reviewed our plan and told us what to do” or “we would not be accepted by this bank unless we agreed to implement everything they told us.”

Yes, it’s true. There are always a lot of people who think they know what you should do, including your grandmother and mine.

But...

I hear it over and over again from my clients during their audits and regulatory inspections: “Last year, we did exactly the same process, the auditors told us to do XYZ, and we followed their recommendation. Why suddenly this year this is no longer sufficient or compliant?”

I am sure you can relate, because the problem with relying on any authority figure (including our grandmothers) is that they are forgetful, inconsistent, and can change their mind at any time, and your business is not really their problem, so they never fully understand it. But you are the one paying for costly mistakes, unnecessary processes, and lost opportunities.

If you don’t know why you did something last year, or whether you should do the same thing this year, because you have not yet built your own “just in time” pragmatic risk acceptance framework, you are wasting your time and money. Big time.

We all know the unfortunate statistics. Very few FinTech startups keep growing, secure the licenses and partnerships they want, and are loved and praised by their customers, while most other startups struggle and run out of money.

Revolut, Binance and Crypto.com have got away with murder countless times… They are subject to the same regulations as many other FinTechs, and they face the same competition...

What is it that those successful few FinTechs have figured out to get away with murder?

  • If you are a FinTech startup struggling to allocate limited resources between marketing, regulatory consultants, and hiring more engineers…
  • If you are unable to focus on growing your business because you are constantly blocked by partners, regulators, auditors, bankers, and other stakeholders who every single day threaten to shut you down or cut you off unless you immediately produce tons of useless documents, deploy redundant and costly processes and hire unnecessary people “to check the box”, and you don’t know how anyone could ever satisfy them…
  • If your compliance is getting more expensive and slower day by day, your tools produce too many false alerts, and you simply cannot afford to hire more people to do admin work you seriously doubt needs to be done…

…then join the club of struggling FinTech founders.

What do you think will happen to your business if you keep investing in compliance processes while customer acquisition costs and the cost of onboarding and maintaining your customers rise day by day?

How much longer can you sustain investing in compliance processes and compliance team expansion, following the old-fashioned advice that you need to be on the “safe side”, be “fully compliant” and “get ready” for audits and inspections, when you know that this is not sustainable, and that everyone advising you to spend money on better compliance is not really looking at your business costs or competitive threats and has no financial skin in the game?

So, if you are close to utter frustration because you know there must be a better way of doing things, but all your attempts to invest in better compliance end up producing more delays, more audit issues, more compliance gaps and very little business growth, and you are concerned that as a CEO or founder you may look bad if you push back against compliance recommendations…

Then read on.

By the time you finish this page, you will have clarity about the core ingredients any growing FinTech needs to massively scale its operations in a sustainable way.


The “just in time” or “agile” approach to compliance is the fastest and most efficient way to scale your FinTech, launch innovative products and keep customers happy, while at the same time meeting all relevant regulatory requirements.

What does it actually mean?

Most laws and regulations about compliance are actually open-ended and allow multiple alternatives. It comes down to how you define and mitigate your risks and how you make the case for the way you want to organize your compliance. You should not try to avoid risk, because trying to avoid risks only means you will keep finding more risks that need to be avoided.

For the longest time, banking industry veterans have been saying that financial companies survive and grow by avoiding risks, because from their perspective avoiding risks equals avoiding losses and keeping customers’ money safe.

However, this might be the worst possible advice in the financial industry. Amazon, PayPal, Revolut, Crypto.com, Monzo, Kraken, Coinbase and the majority of other FinTech unicorns share a common history of early losses, aggressive growth strategies and a very selective and creative approach to compliance and regulation.

You have heard the expression “what does not kill you makes you stronger”, and this is exactly the risk-management strategy used by many successful fast-growing unicorns: they rarely over-invest in regulatory projects or prepare for unlikely adverse scenarios until it is certain that they absolutely need to act and it is clear what needs to be done.

Can you picture someone like Jeff Bezos or Elon Musk delaying an important decision just because someone tells them there is a slight chance that in 3 years a customer might complain or an auditor might find the documentation insufficient?

Still don’t believe me?

Where do you think the biggest FinTech cost and time go? It is the cost of customer acquisition and the resources spent doing redundant reviews, maintaining inactive accounts, and handling false positive alerts. All of this happens because you hired too many compliance people and introduced “just in case” processes before you actually needed them. You triggered some of the compliance checks too early in the customer journey or for the wrong categories of customers.

Well, I’m glad we are on the same page now.

By now, you have probably realized that the most efficient way to cut costs and grow your FinTech business is to do the right things at the right time. Instead of avoiding risks, all you need to avoid is unnecessary investment of time and money into projects, people, processes, and tools that you don’t yet need.

Now, let me ask you...

Do you really want to view compliance as a never-ending checklist with moving targets and keep doing things “just in case”, knowing all too well that without a proper risk acceptance strategy your current processes may not survive the next audit? Or are you ready to learn more about the “just in time” approach and dive deep into case studies and examples of how I discovered “just in time” compliance while working at PayPal and Amazon, and how other successful FinTech companies are implementing this approach right now?


Before you jump further...

Securing your own licenses during 2023-2025 will take a very long time:

  • The FTX fallout has increased regulatory scrutiny of all VASPs
  • Most regulators are already overloaded with VASP applications (some regulators, such as Singapore’s MAS and the UK’s FCA, have reported around 500-1000 applicants waiting), and the chances are they don’t want to quickly approve all of them, given what is going on in the crypto industry right now
  • The introduction of MiCA will flood all European regulators with applicants who need to be re-certified
  • Many card-issuing FinTechs and BNPLs will crumble and collapse, similar to VASPs, because their business models cannot survive under current interest rates, with higher inflation and consumer credit defaults on the horizon. This domino effect among non-crypto FinTechs will slow down the issuance of EMI and PI licenses

It does not mean you should stop applying. If you want to operate your own business model, it just means you have to plan for 24 months instead of 12 to get there.

How I Discovered Just in Time Compliance Working for BigTech

When I first started working for Amazon and then for PayPal, I quickly learned that it is absolutely possible to run a compliant business at scale, serve millions of customers while spending less than a second of human attention per customer, and not be afraid of millions of complaints and millions of fraudsters. I learned to see risks and their consequences in proportion (statistically and pragmatically), and to rely on technology and indirect data when you need to understand and profile customers and monitor what they do. It is just a fact: within these large and ever-growing companies, it is impossible to manually confirm everything. There are more customers and more transactions than employees, which is why large BigTech companies cannot survive without pragmatic risk acceptance and selective compliance.

My biggest lesson learned there: you can be compliant and you can justify and illustrate why and how you are compliant without having to look at every customer or manually approve every transaction and without having 100% certainty.

But it did not happen overnight…

…If we rewind the clock back to 2015-2016, that was me working at PayPal. I felt restricted. I felt I could do a lot more, but I was not empowered. My mentor, someone influential within the company who gave me opportunities and supported me, was on their way out.

The same story happened about 2 years ago when I was at Amazon. My boss left the company and as a result I had to change jobs. I hated the fact that every time I wanted to be successful, I needed a great manager, and when they left, I needed a new job.

From my entrepreneur friends, I often hear that being disappointed by their bosses and their companies played a big part in their decision to start their own businesses.

Does that sound familiar? Has it ever happened to you too?

So, I was looking for a new job and talking to recruiters, but I also needed some sense of accomplishment, of feeling productive and making progress in my current job at PayPal, or wherever I happened to be.


I volunteered to be the compliance point of contact for a couple of internal projects. Since I thought I was leaving the company anyway, it did not matter that at the time I knew nothing about two-factor authentication, fraud management techniques, forex trading or online gambling.

All I had to bring to the table was a basic understanding of compliance and my common sense. I had zero support and zero competition from peers, because nobody on the compliance team wanted these projects anyway.

I took one step at a time, offering common-sense feedback and compliance guidance to new stakeholders who wanted to launch previously untested products and riskier verticals and enable previously forbidden industry segments to get paid through PayPal. For each meeting, I only needed to prepare the bare minimum of information so that they could move on to the next meeting or the next response to the regulator. I was never afraid of getting it wrong, making a mistake or missing something, because I was sure that by the time it got “real”, I would not be around and would not have to answer to some senior critical authority.

Funnily enough, most of those projects got approved and moved ahead at an unprecedented pace, and were blessed by the regulators, auditors and various risk committees. Long story short, not only did I learn a lot about these growing industries and achieve more than ever before, I also built connections with FinTech startup founders, industry leaders and regulators, many of whom are part of my professional network today.

In just a few short months, I had enough of a track record, experience, connections, and confidence that I stopped looking for jobs and decided to start my own business, because I realized I could consistently get results and did not need my external environment to be “perfect”, “ready” or “supportive”.

Don’t get me wrong: most external barriers remained the same. Regulators were still conservative, large companies were still slow, and there were long waiting times in between. The only thing that changed was my approach. I did not need my next suggestion, next proposal or next response to regulators to be perfect or final; I just responded to questions and shared ideas that made common sense and were no-brainers. It required very little research or preparation time, and I was never afraid of getting it wrong or losing face.

Here is the biggest lesson: if you want to keep growing and innovating, but at the same time you need approvals from regulators, banks and partners, the only efficient way to get things done and keep moving forward is to plan for many iterations, expect uncertainty, not overspend resources, and not hire people before you actually need them. This is what I now call “just in time” compliance.

Now, after 5 years of working with startups and over a dozen successful license approvals and projects completed and gone live, I’m convinced that the “just in time” approach is the only way to go in FinTech.

Now, you may be asking yourself what just-in-time compliance actually means in practice and how it works.


You already know that the first and most important paradigm shift you need to embrace is to stop viewing compliance as a fixed and clearly defined checklist of to-do items and to dramatically change the way you view, accept and mitigate risks.

In summary, success in FinTech compliance depends on 3 vital components:

  • Pragmatic Risk-Taking
  • Building a set of policies, reports and other necessary documentation
  • Having efficient processes or, simply put, getting stuff done

Why are these 3 components so essential, and how do they work together?

  • Pragmatic risk acceptance combined with efficient processes creates growth and scale.
  • But… without documentation and policies, you will experience “undocumented growth”, which is a problem when it comes to securing important partnerships and licenses.
  • Efficient processes combined with documentation equal compliance, because you do what your policies say, but without risk-taking you end up as a conservative, rigid, old-fashioned bank.
  • Risk-taking combined with great documentation will create a great public image, but if you don’t actually do what your policies say, it is window-dressing, and you will get caught.

Now that you have seen just how powerful the just in time approach to compliance can be and what it entails, where can you begin? Before we decide where you want to go, we need to understand where you are right now.


Having seen dozens of FinTech startups, I observe 4 phases of FinTech compliance evolution.

Here they are:

  1. Age of Innocence: You assume you are not regulated: too small, unprofitable, and therefore no rules apply to you. You may be taking some funds from friends and family or experimenting with DeFi or algo trading, and you will worry about compliance later.
  2. Stone Age: Your customer files are stored as Google Docs, your decisions about customers are made via email or Slack, and your transaction monitoring routine consists of CSV exports into Google Sheets. Expensive external lawyers have written some of your T&Cs or policy documents, but nobody in the company has actually read them or knows if they are still relevant. You just hope what they wrote is fine, and you proudly mention that the policy or document was created by a Big 4 firm. Your customer onboarding may be semi-automated, but after the customer uploads the documents and you get the data, all subsequent handling of and decisions about customers are manual. You don’t have good internal admin tools or dashboards, you don’t have any customer tags, and when you do sanctions screening or blockchain tracing, it is manual and the results are saved as screenshots. When your next audit or regulatory inspection turns out badly, you will hire more people and deploy some random tools. This is how you graduate into firefighting mode.
  3. Firefighting: You have hired a lot more people into risk and compliance, you have deployed many tools (which often disagree on the alerts and results they generate), and you constantly talk about your backlog of issues. Your compliance cost per customer is getting more expensive day by day. You have wasted lots of resources preparing for projects that never went live, and you waste even more on customers who register but never transact. Your customers complain about interrupted transactions, account rejections and how long they have to wait while you review them. Your company suffers from internal conflicts between compliance, product, engineering, and customer support, and you feel that everything is slow despite all the resources you put into compliance.
  4. Leverage: For some products, services or partnership channels you have found the right balance between compliance and growth, which means that each new customer costs you less to onboard and maintain than the previous one. You have a few compliance tools and vendors, and you have consolidated the information from them in a single dashboard. You don’t need to hire temporary interns to work through your backlog, your audits and regulatory inspections are clean, and you actually get positive feedback. Your compliance team spends the majority of its time reviewing new projects, new opportunities and future ideas instead of focusing on formalities, audits, and reporting. You have found the right balance between what you develop in-house, in terms of technology and documents, and what you outsource to vendors, external lawyers and consultants. Your financials look healthy, and you can raise more funds because of that.

At this point, you have probably recognized some of the painful symptoms and are ready to see the benefits of applying agile compliance within your business. You probably have clarity about where you are now and where you need to go.

Which is why I’d like to invite you for a FREE workshop about the Rise of the Business-Like CCO.
