Four tips for getting compliance right in fintech startups
Griffin CCO Anna O'Shaughnessy on how to approach compliance in a fast-paced, high growth environment.
Compliance is one of the most important aspects of any regulated business. But keeping pace with an ever-increasing mountain of laws, regulations, rules, and guidance can feel like pushing a boulder up a hill—especially for early-stage companies who are new to the financial services sector.
If you’re running a lean startup, where’s the best place to put your limited resources as you build out your compliance team? And if you’re a compliance officer operating with a small team (or a team of one, which is often the case), how do you build an effective and scalable approach to compliance that’s going to protect your business and your customers, both now and as you grow?
As the Chief Compliance Officer at a startup seeking authorisation to become a UK bank, I deal with these questions every day. I know that getting it right is going to be critical for Griffin’s success, our customers’ experience, and our reputation. And while there are no hard and fast rules, the four simple tips below are worth keeping in mind if, as a compliance officer, you feel like you’re constantly playing catch-up in a fast-paced environment.
1. Focus on what matters, not what’s urgent
In a high growth company, prioritisation is always a challenge; it can be difficult to find focus when everything is urgent. Because compliance officers need to act as a trusted advisor to every area of a regulated business, it often feels like we’re being pulled in many different directions at once—and in a startup environment, this feeling is intensified. So how do you figure out what deserves your immediate attention and what you can leave until later?
For me, the secret lies in having a clear understanding of the most material compliance risks in the business and the areas where there is the greatest potential to cause harm to customers. This means performing compliance risk and conduct risk assessments and keeping these up-to-date (an annual review is an absolute minimum).
As an aside, these assessments should not be led by the compliance team. The people best placed to assess risk in each area of the business are the people who work in those areas. And so they should lead on compliance and conduct risk assessments, with support and guidance from the compliance and risk teams. This bottom-up approach is not only more effective for identifying the biggest risks facing the company - it also helps embed a culture where everyone feels responsible for compliance and risk management, and for delivering good outcomes to customers.
As a compliance officer swamped with multiple requests for advice and input, these risk assessments are a key tool for helping you understand where your focus needs to be. When you feel overwhelmed, it’s worth stopping and asking:
- Is this going to help manage material compliance risks and conduct risks? Or is it going to help deliver good customer outcomes?
- If not, does it need to be a priority at this time?
- If yes, should the role of the compliance team be to lead or to support?
2. Standardise, delegate, educate, repeat
The lean nature of startups means there is often only one person looking after compliance, and so everyone consults them on almost everything. This is a lot of responsibility, but it can be even harder to let go of that role as the company scales. As a compliance officer, you want to be available and involved and to add value. But it’s also important to give people the tools they need to make good decisions without your direct input.
Lay the groundwork early; start standardising and delegating decision-making within the compliance team before the company hits a high growth phase, otherwise you can inadvertently become a bottleneck. The same goes for empowering other areas of the business with the right knowledge and training to decide on the right approach to compliance for themselves.
Investing time upfront on training and on developing useful tools and guidance on how to comply can really help embed compliance into the heart of the company’s culture. This is easier said than done if you’re a tiny team with an epic to-do list, but it’s also not optional if your company is planning to grow big fast. (See point 1 on focusing on what matters.)
A simple rule of thumb: if you have been asked a question about compliance more than three times by three different people in the business, the answer needs to be on a FAQ page, in the next training session, in an existing policy or procedure, or otherwise cascaded throughout the business in a clear and accessible way. Writing things down in plain language is also very important; jargon and waffle make it difficult for people to quickly understand exactly what is required of them. Normally everyone in the business dreads another checklist from the compliance team, but it doesn't have to be that way!
3. Hire for broadly applicable skills over narrow expertise
When it comes to building and scaling a compliance team, recruitment in high growth organisations is often behind the curve; it usually only gets budget once the compliance team is so flat out that they are about to reach a breaking point. This increases the risk of compliance failures and potential harm to customers. For Griffin, allowing things to get to that point would be in direct opposition to our core values.
Compliance teams tend to be last on the list for additional headcount and are often forced to be reactive in how they work. But firms increasingly recognise the importance of a proactive approach and we are seeing more investment in compliance across the industry. When that budget is there, compliance officers should aim to recruit new team members at least six months ahead of when they think they need to—this is the first step in switching the team’s default mode from reactive to proactive. Plus, as compliance professionals, many of us have a hero-like tendency to work long hours trying to “fix” everything - so proactive hiring is also key to making sure your team members don’t burn out.
Fintech startups evolve over time, so it’s important to think carefully about the future capabilities you will need in your team. You don't necessarily know the territories you're going to end up operating in or which products you might end up building, and so hiring experts with a focus that is too deep or too narrow can actually hamper your team’s ability to adapt as the company grows and explores new opportunities.
At least half the compliance team should include people whose key skills are flexibility and sound professional judgement. Whatever the challenge, they need to be able to take a step back to identify and analyse the applicable compliance requirements. Once the requirements are clear, they need to be able to translate that analysis into actionable steps the business must take to comply.
Many people don’t appreciate that there are grey areas in compliance; black-and-white thinking won’t always cut it and your team members need to be able to focus on the intention of requirements, as opposed to just the literal interpretation. Hiring for these skills is key to building a balanced team with a pragmatic, adaptable, and outcome-focused approach to compliance.
4. Prioritise long-term partnerships over shiny new tech
The regulatory technology space is growing rapidly, and technology platforms can certainly help reduce your level of compliance risk and the work burden on your team early on. As a compliance officer, you should try to anticipate where your team will be spending most of their time (perhaps by examining where your previous team spent most of their time) and look for technology that could make things more efficient. Annual policy attestations are a good example of an important requirement that can create a lot of unnecessarily time-consuming admin. Automating a process like this frees up the team to focus on more important work.
But don’t just jump at the shiny new technology; you also need a provider with a good understanding of your business requirements and the regulatory environment you operate in. Otherwise, implementing the new system will be a much more painful (and higher risk) experience. Take the time to sit down with potential providers; tell them about the compliance outcomes your company needs and ask them to explain how their technology will deliver these. This is a better use of your time than buying their product and spending excessive time tailoring it to your needs (noting that some configuration is always needed).
It’s also important to work with partners who understand that you are a small startup with changing needs. At Griffin, our partners understand that we might be small now but we have high growth ambitions. Having this understanding on both sides means we can start small with major technology players who will still be a great fit for us when we are a large organisation.
For many high growth organisations, compliance can be synonymous with constraints—a set of hurdles that need to be overcome before you can innovate and grow. But I believe the opposite is true; getting your compliance strategy and programme right early on will strengthen every area of your business in the long run. Getting compliance right means that fast growth can also be safe and sustainable growth, which will boost your company’s reputation, improve customer experience and outcomes, and drive future successes.
I recently teamed up with regulatory technology specialists, Clausematch, for a webinar on building effective compliance programmes for companies in high growth markets. The panel brought together leading compliance experts across the industry to explore the common challenges and enablers to success. You can check out the full webinar here.