Having worked with so many FinTech founders, I’d like to tell you about two common and costly mistakes they make about compliance strategy.

But before we do that, let’s address the elephant in the room – how do founders, CEOs, and many business leaders REALLY view compliance and talk about compliance (when nobody is listening)?

I don’t really trust my compliance team, I understand compliance better than any of them. They are just too rigid.
Nobody can tell me what a complete set of requirements is and what is sufficient to get compliant, everyone has a different opinion, and I always end up making final decisions. Why do I need to pay them at all?
No matter how much I invest into compliance, it’s never enough. It’s like a hydra where auditors, partners, and regulators come up with new requirements every day.
Compliance constantly hurts my marketing – it seems I cannot give any interview or write a blog post without someone telling me that I said something illegal or anti-competitive.

The examples above are not yet mistakes, but they are symptoms that often lead to bad decisions and lost resources. The reason I start with it is to illustrate the cause and effect of what happens in many FinTech organizations.

Now, let’s move to mistakes:

Example: I am in Europe and want to launch my product in Australia, can you please give me a complete list of everything I need to know about Australian regulations, AML rules, licensing, privacy, and all details I need to know to make the decision how to launch in Australia?

Why is this a mistake? This list will take a long time to create and in some cases, you may even have to pay hefty external fees for this. At the same time, I have never seen a founder who got such a list and felt relieved and happy. Most of the time they feel annoyed, suspicious, and overwhelmed. Such a “complete list” rarely provides clarity.

What is a better question to ask and a better strategy? At this point, you don’t know if you are going to have 3, 300 or 3000 customers in Australia, and the product requirements, risks, and action points will look very different, depending on whether or not you need to support 3, 300 or 3000 customers, right?

Which is why your question to your compliance team should be: I want to test an Australian market with 300 beta-testers in the next 3 months without getting into trouble and before we decide if we go there permanently and apply for any licenses. How I can organize this testing in a safe way with the resources we already have?

Why is this approach better?

• You don’t overinvest in Australia before you know there is a market for you there.
• You will learn quickly whether you can get those 300 customers, how much they spend with you, and how much they cost you.
• The worst thing that can happen is that you will be told by a regulator or a bank that you need to stop serving those 300 people or get a license, and then you will be making much more informed decisions about what you are prepared to invest into this Australian opportunity.

Mistake 2: Founders decide that they can do their compliance strategy better than the team, take the driver’s seat in all compliance decisions, lead all discussions with auditors and regulators, and dictate which policies, documents, or reports need to be prepared. 

It can happen because founders may feel they cannot afford to hire, or maybe they have been disappointed in the past by whom they hired and the lack of support they got.

Example: Founders decide to lead their own compliance function, read all the public documents and disclosures of all the competitors, research who has which license, register for all competitor’s services so that they can benchmark customer communications and user experience elements of everyone in the industry. They assume that since all these bigger companies have more customers and have been around longer, you can just copy their compliance or at least challenge your team why we are not doing this or that. This is a very common question many inexperienced founders ask, “Why is this company doing or saying XYZ and why we don’t have that?”.

Why is this a problem? 

• First, you are not growing your business and ignoring your job as a CEO. Other tasks such as fundraising, exploring business opportunities, closing partnerships, hiring the right team, or taking care of the company culture are neglected.
• Second, if you already have a compliance team and they are competent, you overruling their authority is disrespectful micromanagement, and you will likely lose them very quickly because they are already looking for new jobs. If they are not competent or just complacent and don’t care, you should fire them anyway and find better people instead of wasting your time doing their job.
• Third, micromanaging and copying random 3rd party practices will create internal conflicts and resentment in your organization. Founders feel that this is their only option to move things faster because nobody else seems to want to take responsibility. At the same time, everyone else in the company sees that the founding team is just panicking, insecure and unhappy, and does not trust anyone, so instead of managing and leading and empowering their own team, they are assuming that all these other external teams are better and know more.
• Lastly, as in any profession, when someone inexperienced starts doing things they don’t know, they make mistakes, make incorrect promises and representations, produce inconsistent documents and project a picture of the organization that’s disorganized and does not have clear roles and responsibilities in place. It never looks good in the eye of regulators and auditors.

Let’s say you would like to get a favorable audit opinion in the shortest amount of time possible. After receiving some initial questions and reviewing draft answers prepared by your team, you feel like the audit process is not going to go well, everything looks disturbing and you have an uncontrollable urge to jump in and start driving the conversation and educating everyone about where they should focus or how the answers should look like.

What’s a better strategy?

=> Let your compliance person lead the conversation and be a single point of contact for all audit communications. Regardless of what you think of them, most likely they have completed more audits in their professional lives comparing to you, and have a better understanding of how satisfactory answers look like.

=> Ask your compliance team about the typical audit process and its various milestones, understand the role and the purpose of the engagement letter and the audit scope, the difference between findings and recommendations, how the exchange of information will look like, and what needs to be prepared in advance.

=> You can assist your team by managing down the cost (or ask your CFO to get involved) – and this is how you can make a difference:

• Get a clear understanding of who is going to be involved in the audit team and how many hours they plan to spend. If you see that a senior manager is going to spend 50 hours doing fieldwork analysis, ask to assign a more junior person to do these tasks (because it costs less).
• Ask for a breakdown of the fees based on the activities performed and the seniority of the person who performs the activity. For example, understand how many hours a person expects to spend reviewing one sample case, how many hours they expect to write a report or review your policies.
• As soon as you get those estimates, you will be able to understand where your auditors plan to spend the majority of their time, how long things may take, and what are the sample sizes they are planning to review – it would give you ample material to challenge the underlying pricing assumptions in a much more constructive way, with data and logic. This way, you can potentially reduce your costs by 10-15-20% down.

 => When your audit reaches the phase of discussing the initial findings, you can also help your team to push back and understand whether the auditors’ requests are really well-grounded. You can do it by playing the dumbest person in the room and asking “naïve” questions and making innocent comments, such as “Is it really required? None of our competitors does it.” or ask “Why do you think this is required? It makes no sense.”… By doing so, you will protect the professional standing of your team but at the same time, this could be a very effective way of challenging the auditors without making them defensive. Since you are not a compliance professional, you are “just” being curious and asking questions for your personal education only, which is non-threatening for the auditors.

=> Agree with your compliance team in advance what would be the mistakes and omissions that you will let auditors find quickly. You absolutely need to let them find small and easy mistakes (such as some policies not being updated or some dates missing), or they will keep digging.

Many startups are dreading external audit experience, and if you’d like to learn how to prepare for the external FinTech audit, how to reduce the cost of it and make sure you know what to answer, what’s the right level of details, and how to prepare and provide the data, you are welcome to join my 2-hour Workshop on How to Prepare for Audits on December 8th and 9th.

Check out the agenda HERE!

Yana Afanasieva

CEO Competitive Compliance