It goes without saying that fintech and payment startups have a lot at stake.
Competition is fierce. Differentiation is difficult. One would think it’s a no-brainer that startup entrepreneurs — and their investors — would want to manage one of the biggest risks to their business: compliance.
For startups undergoing investor due diligence before an initial public offering or private sale, compliance risk should be a chief concern. And firms seeking to form joint ventures or other partnerships will come under compliance scrutiny from more established companies that must carefully manage third-party risks.
But many fintech startups have been subject to adverse regulatory action, with firms coming under scrutiny or even formal enforcement for anti-money-laundering and sanctions lapses and other forms of noncompliance. Fintechs that fall into noncompliance tend to make a number of avoidable mistakes. Here are five to steer clear of:
Failure to follow regulation. It may seem obvious, but one of the most common mistakes that fintech startups make is a failure to follow black-letter law around licensing and registration, consumer protection, periodic reporting of financial condition, and ongoing reporting of suspicious activity. The “move fast and break things” culture of some startups is a very risky approach in fintech.
Underinvestment in people. Many startups are reluctant to invest in a compliance officer. Too many put it off until the last round of financing before an exit. But the “C” in Series C round shouldn’t stand for compliance. Many firms that fail to invest in compliance will never get to Series C, let alone an initial public offering or sale to a bigger company. Another common mistake is “double hatting,” where the CEO or other key officer assumes compliance responsibilities. This almost always leads to compliance deficiencies, because time-stretched executives tend to prioritize business actions that promise revenue and profitability growth over compliance actions that may not translate into greater revenue and profitability in the short term.
Poor data governance. Many fintech firms, and even larger, more traditional financial institutions such as banks, invest in controls only to find that those controls have limited effectiveness because of a deficiency in the data feeding them. For example, some firms invested in sanctions-screening systems only to find that the data feeding the system had inadvertently been truncated, so that only part of the data was screened. As another example, some firms invested in systems to detect suspicious activity only to find that a new product had been added to the business applications without being mapped into the control infrastructure; as a result, transactions in the new product were not scrutinized for money laundering. Good data governance could have helped prevent such lapses.
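A concrete shape for the data-governance checks this paragraph calls for, as an added example rather than anything from the article: a reconciliation between the source system and the screening feed that flags records whose counterparty name was silently cut at the screening system's field width, records that never reached the feed, and product codes seen in live traffic that no monitoring rule is mapped to. The field width, product codes and transactions are constructed sample values.

```python
"""Control-coverage checks for a sanctions/AML screening feed (added example)."""
from dataclasses import dataclass

# Assumed width of the screening system's name field (constructed value).
SCREENING_NAME_WIDTH = 20
# Product codes the monitoring rules are currently mapped to (constructed).
MONITORED_PRODUCTS = {"CARD", "WIRE", "ACH"}


@dataclass
class Txn:
    txn_id: str
    counterparty: str
    product: str


def truncated_names(source, feed):
    """Compare each source record with its copy in the feed.

    A feed name that is a strict prefix of the source name means the value was
    cut at the field width and only part of it was screened; a record absent
    from the feed was never screened at all.
    """
    feed_by_id = {t.txn_id: t for t in feed}
    findings = []
    for s in source:
        f = feed_by_id.get(s.txn_id)
        if f is None:
            findings.append((s.txn_id, "missing from feed"))
        elif f.counterparty != s.counterparty and s.counterparty.startswith(f.counterparty):
            findings.append((s.txn_id, "name truncated"))
    return findings


def unmonitored_products(source, monitored=MONITORED_PRODUCTS):
    """Product codes present in live traffic but absent from the monitoring map."""
    return sorted({t.product for t in source} - set(monitored))


# Constructed sample: a new "BNPL" product launched without a monitoring mapping,
# and one long counterparty name that gets cut at the 20-character field width.
SOURCE = [
    Txn("t1", "Acme Import Export Trading GmbH", "WIRE"),
    Txn("t2", "Jane Doe", "CARD"),
    Txn("t3", "Bob Smith", "BNPL"),
]
FEED = [Txn(t.txn_id, t.counterparty[:SCREENING_NAME_WIDTH], t.product)
        for t in SOURCE if t.product in MONITORED_PRODUCTS]

if __name__ == "__main__":
    print(truncated_names(SOURCE, FEED))
    print(unmonitored_products(SOURCE))
```

Run periodically against a full extract, both checks should come back empty; any finding is a control-coverage gap to fix before relying on the screening results.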
Failure to train. Even the most technology-driven fintech firms have people, and people can introduce risk in the choices they make in selecting business partners, onboarding new customers, and in administering controls. Training people on their roles and responsibilities in managing risk and meeting compliance obligations is critical. Training should be customized to the risks that the company faces and to the job functions the employees perform.
And trainees should be tested for comprehension. In one well-known case, investigators found that the company had invested in preparing training materials and distributing them to its network of agents. However, when investigators inspected some of the agents, they found the training materials still in their packaging.
Failure to test. Once controls are in place, it is important to test them. The tests should be done by someone other than those whom the controls seek to control. In addition, controls should be tested by someone other than the person who operates the control. For example, firms that have invested in people to review potential sanctions violations should from time to time review a sample of the case files worked. Have false positives been closed for good reasons? Have those reasons been documented?
The standard for sanctions compliance is “strict liability.” Thus, even unintentional violations can lead to penalties. Testing or quality assurance of the work of the people involved in administering controls can help prevent human error from leading to a franchise-ending violation. Another important category of testing entails testing the calibration of sanctions screening and suspicious-activity detection systems.
Fintech startups can add a lot of value by bringing innovation and competition to the financial system. They can also help reach people and businesses that may not have access to other, more traditional, financial services, thereby promoting financial inclusion. But their businesses are inherently risky. They should invest in governance and effective risk management from beta versions onward to support their potential contributions to the global economy.