Fintech Guide to Building a Compliance Program
Compliance can feel like a black box to many fintech operators, so the idea of building a compliance program from scratch can seem daunting. But it doesn’t have to be so hard.
In this guide, we explain how to approach building a compliance program.
For a deeper dive on compliance, check out these resources:
If you need access to quality legal templates, visit our Legal Library.
- Partner banks and regulators will require you to maintain a compliance program with appropriate staffing and tooling.
- Anything touching payments will require an AML and sanctions program.
- Each compliance program area (e.g. KYC, transaction monitoring, etc.) can be reduced to policy + operations.
- Quality tooling is better and easier to access than it used to be for fintech, and can help reduce your headcount need in your early days.
Why are compliance programs important for fintech?
Fintech companies build applications and services on top of regulated financial institutions, mainly banks. To access key infrastructure — ACH rails, payment card BINs from Visa and Mastercard, correspondent accounts for cross-border payments — a fintech will need to pass its key partner’s diligence processes and demonstrate it has sufficient controls.
Compliance programs, along with financial and technical controls (often demonstrated via a SOC audit), help assuage partner concerns and open the door for fintechs to access key banking services and payment functions.
Compliance program basics
The topic of compliance can be daunting to founders, but experienced business professionals and engineers shouldn’t be discouraged. That’s because compliance on any topic — whether money laundering, sanctions, or consumer compliance — can be reduced to a few key tasks:
- Identifying material risks
- Designing controls
- Documenting the risks and controls
- Operating the controls
- Reviewing and testing documentation and controls
When broken down into these functional areas, compliance looks much like launching products with a sound QA and testing function, like the work security professionals do to protect your customer data, or even like the financial controls your CFO or Controller might implement.
Visit our Legal Library for access to standard legal templates, such as an AML and Sanctions Policy.
Identifying and Documenting Compliance Risks
The first step in building your compliance program is to document the key risks you need to control. If you are working with a BaaS provider or banking partner, you should ask if they have a compliance policy or guidance for program managers.
For example, many bank partners (including Lithic’s) have a guide detailing the requirements they expect fintech partners to comply with. You can often use these documents to cover the need to identify compliance risks and also do the next step (design compliance controls).
Third parties, whether law firms, consultants, or founder communities on Slack and Discord, can also be helpful and may have guides or precedents for you to leverage. If you are larger and have some budget, we generally recommend you hire compliance consultants.
Designing Compliance Controls
Your controls should be commensurate with your risks and resources. Smaller companies with nascent products should focus on the basics. See below for a few types of controls.
Diligence at or before account opening
Depending on your product type, this control could be done manually (e.g., employees reviewing applicants’ corporate documents for B2B payments products, verifying photo IDs, running negative news checks). Or if you have some engineering resources or are expecting to scale, you can integrate with a vendor and conduct diligence programmatically.
Verification of customer information
It’s one thing to collect information, but it’s another to verify it. There is a lot of PII available for sale on the dark web, and there are an increasing number of synthetic identities that have been constructed and seasoned just for fraud purposes. Verifying customer information is often a key control, including verifying the customer is age 18 or older and also not deceased (fraudsters love to steal dead people’s social security numbers).
For guidance on how to build an AML customer verification function, check out our KYC/KYB Operations Guide.
Monitoring of customer activity
Reviewing transactions and product activity for fraudulent and unusual activity can help you identify bad actors, and help your financial partners satisfy their financial crimes intelligence obligations.
Re-screening of customers
Customers can turn into bad actors after onboarding, whether by committing fraud or by becoming subject to sanctions. Periodically re-screening your customers lets you catch bad actors who slipped past your other controls or who turned bad after onboarding.
Monitoring for complaints and negative news
If you are in the B2C space, one of the best compliance controls is often to monitor what customers are saying online about your company and product (or, in B2B contexts, about your customers). As fintech veterans know, customers are quick to reach you on social and email channels when something is wrong with your product.
Documenting Compliance Risks and Controls
Once you have identified your risks and corresponding controls, start documenting your program. Most compliance programs rely on a set of key documents, which can be adapted to the underlying law (e.g., AML compliance, consumer lending compliance, etc.).
Here are a few things we recommend documenting.
Risk Assessment
A risk assessment is a document that memorializes the risks posed by your products, markets, and customers. It also typically includes a high-level overview of your controls. One example is an AML risk assessment, but more mature companies may have an enterprise-wide risk assessment that covers more topics. Risk assessments identify the risks your company should consider, while the documents below lay out how you’ll deal with them.
Policies
Policies are documents that explain a key subject matter area, which internal employees are responsible for maintaining controls, and how the company plans to address risks and requirements on the topic. You can access sample policies and templates in our Lithic Legal Library.
Procedures
Procedures are where you document repeatable steps and expectations for operational staff to use when combating the various risks identified in your risk assessment. For example, your KYC procedure might spell out how staff should review mismatching vendor information or verify a photo ID.
Playbooks and Macros
Sometimes operational staff will need further guidance. You might develop short playbooks to document decision trees or create macros and canned responses that staff can quickly copy and paste to respond to routine inquiries and tasks.
One tool we love for this space is Kenchi, a Chrome add-on built by the same folks who developed internal tooling for large fintechs like Stripe.
Operating Compliance Controls
You’ll eventually need staff to operate your compliance program. If you’re small and pre-product-market-fit, you’ll likely do what most companies your size do: task a business person with managing compliance operations. This will often entail setting up your initial policies and procedures, working with vendors, and updating policy and procedure documents annually to keep up with your operations.
Testing of Compliance Controls
Compliance professionals could make great teachers because they love testing! More seriously, every good program will need to be periodically tested to ensure it's working. Some key aspects of testing may include:
- Simple, ad-hoc testing: perfect for early-stage companies. Have new hires sign up and try to break your compliance controls. I spent hours trying to fool Privacy.com’s fraud controls when I was interviewing, and the company’s strong performance was one of the reasons I was excited to join the team.
- Semi-regular quality assurance (“QA”) testing: another way to ensure controls are working is to periodically sample customer files and confirm vendor results and internal scoring systems are working as expected. You may not need to commit resources to this until you’re larger.
- Partner-driven testing: some banks and BaaS platforms will ask you for monthly, quarterly or annual files and conduct QA and testing to assess the efficacy of your compliance programs. Some banks will also hire consultants to conduct a hybrid independent assessment.
- Independent testing: companies with product-market-fit (and revenue to match) may want (or need!) to hire an independent consultant to review and assess the efficacy of the company’s controls. Large, scaled fintechs will often hire a big-four auditing firm or Accenture, all of which have great compliance consulting groups.
Contact us if you need help with card issuing or have questions about building a compliance program for your fintech.