Transform compliance into a competitive advantage
Shano Fonseka was the first compliance hire at Plaid. His team plays a critical role in mitigating the risk of fraud and abuse on the platform, as well as driving adoption of best practices across the ecosystem.
The word compliance too often inspires a collective groan among fintechs and other data-driven companies.
It’s viewed as a barrier to growth, an unnecessary point of friction. Many financial services organizations have massive compliance operations, and, in the past, they have insisted that startups need similar overhead-heavy compliance functions in order to do business.
In the fintech era, however, standing up a nimble and efficient compliance operation isn’t just possible; it can be a critical enabler of growth.
The best compliance operations are established to solve specific challenges. That can vary from operationalizing a risk mitigation strategy to meeting payments compliance obligations at a regulatory level. Here’s how to get started:
- Understand your incentives 🔬
- Build a solid foundation of information security 🏗️
- Find the right talent 👪
- Set yourself apart 🌟
1. Understand your incentives.
Not all fintechs have the same incentives for establishing a compliance operation.
One may be legally required to meet payments compliance obligations. Another may want to level up their internal risk management functions.
The first step for establishing a nimble and efficient compliance function is to know your incentives. One key distinction is whether your company processes payments or money transfers—or (as it is referred to in the industry) whether you are in the “flow of funds.”
For companies that are not in the flow of funds.
Fintechs that deal exclusively with sensitive data are not in the flow of funds.
Think of personal financial management apps like You Need a Budget (YNAB). At early stages, many of these data-focused companies assume that they are subject to payments compliance, but in most cases they are not. That’s because they’re not actually touching funds that belong to their end-users or initiating payments on their behalf.
For data-focused companies, compliance programs should be focused on actively managing operational risks like information security and ensuring end-user privacy. You should also focus on building and maintaining a framework that allows you to effectively communicate applicable risks to your customers, as well as how those risks are mitigated.
Fintechs that have an effective framework for doing this will have a competitive advantage when they take their products to market. They will also be able to easily navigate friction-heavy vendor intake flows (for B2B companies) and “level up” end-user trust (for B2C companies).
For companies that are in the flow of funds.
The moment a fintech is in the flow of funds, a new set of compliance obligations comes into the picture.
These companies will have many of the same incentives as their data-centric counterparts. But they will also have regulatory incentives to ensure that their payments services are not used in ways that violate money transmission laws. (At this stage, payments compliance becomes a serious regulatory obligation that can actually prevent a fintech from doing business.)
At the federal level in the United States, the Financial Crimes Enforcement Network (FinCEN) regulates money transmitters using a legal framework called the Bank Secrecy Act (BSA). At a high level, this law requires that a money transmitter register with FinCEN and maintain a payments compliance program that is designed to prevent the use of that service for money laundering.
Companies that are in the flow of funds also need to obtain money transmitter licenses at a state level. Generally speaking, this is a much more challenging exercise than meeting federal requirements.
Thinking about processing money transfers? I strongly recommend that you find reliable regulatory counsel who can help you understand and navigate these obligations—ideally long before you take your product(s) to market.
Not all companies have the same incentives for establishing compliance programs. Understanding the incentives for your business is essential to standing up an effective compliance program—one that enables your business rather than slowing it down.
2. Build a solid foundation of information security.
Whether or not they are in the flow of funds, all companies that deal with sensitive data need to build and maintain an effective information security (infosec) program.
The importance of this point cannot be overstated. You should build an infosec controls stack in tandem with your product(s) and supporting infrastructure, integrating it into the design from the start. Thinking about security while you build your product minimizes the likelihood of costly redesigns later, after your customers are already using it.
Here’s one way to think about it: your business is a house. Your mechanisms for ensuring end-user privacy and/or meeting payments compliance obligations are the walls and the roof. But you can only build those components on top of a solid foundation: your infosec program.
There are many standard frameworks for structuring an infosec program. The problem is that many of them try to boil the ocean: they tackle a wide array of risk domains, only a few of which may ultimately be relevant to your business. Many are also out-of-date, which renders them useless for modern application stacks.
A framework that was useful for Plaid as we structured our infosec program was AICPA’s Trust Service Principles for Security, Availability, and Privacy. This is a well-regarded and widely used framework for testing, during a SOC 2 audit, the effectiveness of the controls that ensure security, availability, and privacy.
Regardless of the framework you choose, each security measure can be broken down by its objective and deployment layer. In my experience, an effective information security program has controls that are preventative, detective, and corrective. They will be deployed physically, logically, and administratively.
Conceiving of information security in this way is industry-standard. It can help you contextualize risks and mitigations to different audiences effectively.
3. Find the right talent.
In order for a compliance function to enable growth, it must be staffed with the right people.
Be aware that the talent you choose for your compliance program will very much depend on your particular incentives and regulatory obligations.
As an example, someone who has run a compliance program at a larger payments company may not be a good fit for building out a compliance program at a smaller data-focused fintech. However, the same person might be a great fit for a company applying for money transmitter licenses at a state level, as they will need considerable expertise in mitigating money laundering risks.
Other critical qualifications include risk tolerance and depth of knowledge. Let’s oversimplify and separate compliance professionals into two extremes.
- The “no” extreme: At one end, you have people with a very rigid approach to mitigating risk. They may be experienced, but they also tend to be less flexible in their approach, not open to creative problem solving, conceiving of the world as a series of checkboxes.
- The “yes” extreme: At the other end, you have individuals without sufficient experience to understand and navigate risk management. Given a sufficient amount of internal pressure—from a GTM lead or even a CEO—they will agree to anything.
To build a flexible compliance operation that will scale with your company, you should avoid sourcing candidates from either of these extremes. Instead, you should optimize for candidates who have the ability to understand and communicate risks objectively and effectively, regardless of internal or external pressures.
Here’s how to spot a great compliance hire:
- They have or can quickly obtain an excellent understanding of your business.
- They can effectively articulate the relevant risks and how those risks are mitigated.
- They are adept at communicating internally and externally—including with customers, business partners, and regulators.
- They have good judgment and can navigate high-risk decisions with the discernment to escalate issues when necessary.
- They are empathetic to the challenges of a nimble and fast-moving company.
- They can operate efficiently while maintaining diligence and attention to detail.
- They have the ability to build personal relationships and rapport internally in order to gain cross-functional trust.
This type of candidate can be difficult to find because, traditionally, compliance functions are concentrated in heavily regulated industries like banking and healthcare. There, compliance teams operate with a high degree of certainty about what their obligations are.
By their very nature, digital and data-driven companies operate with considerably less certainty in an atmosphere of constantly shifting expectations. The right talent will be able to execute in uncertain circumstances and iterate quickly to a good solution when expectations change.
4. Set yourself apart.
Now you understand your incentives; you’ve built a great foundation; and you’ve hired the right people. Ask yourself: how can compliance help grow the business as you scale?
Put another way: how can this function set your company apart from competitors?
A compliance program can be a strong enabler of growth. It forces young businesses to think critically about—and get a jump on mitigating—the risks they will inevitably encounter as they scale. It also removes barriers that exist for scaling go-to-market efforts and building end-user trust.
One example is the customer onboarding process. Getting customers in the door and working with your product quickly is a crucial component of the customer experience—but it’s also something that can be exploited by bad actors when the proper controls are not in place.
Whether your business is B2B or B2C, it’s important to strike the right balance between efficiently getting good customers on your platform and diligently keeping bad actors out.
Implementing robust but efficient KYC processes not only prevents legal and reputational harm; it also creates an environment for healthy, sustainable growth in your customer base. The likely result? Your company will be trusted by end-users and regulators alike.
In sum.
An effective compliance program is a strong signal to customers and partners that you are serious about risk management. Without one, a potential customer may ultimately choose a competitor whom they are more inclined to trust.
If you optimize for the key components mentioned here, compliance will become an enabler of growth for your business, rather than a friction-prone, overhead-heavy blocker.