Podcast Episode 1: Compliance 101
Matt Janiga: All right. Reggie, are you ready?
Reggie Young: I'm ready. Let's do it.
Matt Janiga: Going to kick us off. Compliance, banks tell you to have it. Lawyers scare you about it. Companies like Unit21 start in an hour and try to sell it. But what is it really?
Reggie Young: I'm Reggie Young. I'm a product lawyer at Lithic and run FinTech Law at TL;DR newsletter, where I explain FinTech regulatory news for non-lawyers.
Matt Janiga: And I'm Matt Janiga, general counsel and compliance officer at Lithic. I used to help teams build products and compliance programs at Square, Stripe and BlueVine.
Reggie Young: On our first podcast, we're going to do what we do best, nerd out and break down how FinTech should think about compliance. But first a word from our sponsor. Okay. It's really more where we work, but you get the idea.
Matt Janiga: Lithic helps companies issue cards.
Reggie Young: But is it fast?
Matt Janiga: Oh, it's so fast.
Reggie Young: How fast?
Matt Janiga: It's insanely fast card issuing that makes it simple for companies of all sizes to start issuing cards. You can start building in minutes and launch in less than weeks. All you need to do [inaudible 00:03:31] .com and sign up.
Reggie Young: Well, glad I asked.
Matt Janiga: Now we know you're busy, so we wanted to give you a quick overview of what we'll cover today.
Reggie Young: First, we'll talk about what compliance is and specifically what most FinTechs need to do. Next, we'll talk about how to build your team, including when you want to give away fancy titles.
Matt Janiga: Third, we'll talk about ways you might leverage technology to keep your headcount needs lower in the compliance space. And last, we'll respond to some audience questions, thanks to the wonderful folks on twitter.com.
Reggie Young: So Matt, what is compliance? What does a compliance team do in FinTech?
Matt Janiga: Reggie, I'm glad you asked. I like to think about companies as having three lines of teams. And this is the general industry practice.
Reggie Young: Like layers cake, layers to the cake, one might say?
Matt Janiga: Layers to the cake, absolutely. Layers to the cake. The industry nomenclature to zoom it back to that is normally called the three lines. So if you talk to compliance consultants or seasoned compliance folks, especially folks coming from big companies or banks and, if you are a founder, you will want to know this terminology. First line teams, these are customer facing. They build products. They're revenue producing. They're sales, customer support, other things of that ilk.
Second line teams, these folks set policies, procedures, and processes to ensure compliance with law or industry rules. You can think of them as compliance, legal, risk, parts of your finance team.
The third line and this is important. If you're really lucky and get big enough where you're producing enough revenue and especially if you can be an independent company and go public, your third line is going to be audit. They're going to come in and they're going to check that compliance, that risk, that these other business functions are running properly. And they're also going to help out with some things, again, if you're publicly traded, around Sarbanes–Oxley compliance and some other helpful things in that space.
Compliance again sits in that second line. So it's really critical to make compliance independent from the business units and also give them agency to correct their errors and issues.
Reggie Young: FinTech compliance teams feel anti-money laundering or AML, sanctions and regulated conduct.
Matt Janiga: Wow. Reggie, Reggie, that's way too much legalese. Can you unpack some of those for our listeners who may be first-time founders?
Reggie Young: Sure, Matt. But I'm a little worried my general counsel can't handle legalese, but sure. So AML refers to legal obligations that help the government fight crime. These typically include things like having to verify the identity of bank account applicants before they can open accounts. Sanction refers to checking certain government lists that include, for example, people US banks are prohibited from businxess with.
And lastly, regulated conduct refers to various regulations that require certain types of businesses to do or not do certain things. For example, Lithic, we have to deal with card-specific laws and regulations that say what sort of conduct card companies can and can't do.
Matt Janiga: Reggie, one of the questions that I know you must get all the time from FinTech founders and other readers of your newsletter, which is fantastic by the way, for those of you that don't know about it, is how is compliance different from legal? Can you help step listeners through that?
Reggie Young: Sure. This is a very squishy area, so happy to dive into it a bit.
Matt Janiga: I want squishy. This is great.
Reggie Young: Legal typically helps to navigate gray areas to figure out what a company needs to do. And then compliance focuses on implementing and running the day-to-day operations. So this is things like confirming your customers aren't on sanction watch lists or they’ve provided all C-elements. That's kind of stuff that would fall on compliance. Whereas legal would kind of help them set the high-level requirements of what's needed to be done there. Legal also often helps with things like contract negotiations or employment issues. And there's often overlap. So good compliance folks help get some of the legal lift done and vice versa, especially at early-stage companies.
Matt, what is a day in the life of a compliance team look like?
Matt Janiga: This is a great question. And it's something that there's no right answer to. A lot of it is going to be driven by what your product type is, what your industry type is and also what your team is. Your partners as well play a key part in this. There's a lot of times you're not fully regulated and that's [inaudible 00:07:51] through bank partners. Your partners are going to kind of stir the drink and tell you [inaudible 00:07:58] for other site and compliance purposes.
With that, let's break it down. And I view this based upon what I've seen and you've seen as well from Square, Stripe, BlueVine and [inaudible 00:08:08] Lithic, where we're building a world-class compliance program, and our team does great work everyday. I think there's a couple of key areas folks want to think about when thinking about [inaudible 00:08:19]. One is governance. You need to have a set of policies and procedures to set the rules of the road for what your team focuses on and how it's going to operate. Documents [inaudible 00:08:31] important skill and not everyone has it. So you want to keep that in mind as you build your compliance functions staff routines. You want to maximize spikes and strengths.
One of the other key areas to focus on is building and running operations to honor those paper policies [inaudible 00:08:46] digital policies and procedures these days that your team is setting out. So these are things, as Reggie mentioned, like [inaudible 00:08:52] escalations, sanctions hits and SAR and UAR filings, which is a fancy way of anything unusual. You're going to want to tell your bank partner or tell the US government.
Now in a FinTech, there's a third area that pops up a fair amount, and this is externally driven requests. This is sometimes driven when a bank wants more information to help with their compliance files or to check controls. For example, more established FinTech sponsors are going to have monthly, quarterly and annual oversight needs. They're going to ask you for reports and spreadsheets and files, and you're going to do a lot of exchange with them. You're going to want someone to block and tackle on this, but it doesn't always have to be someone [inaudible 00:09:33] you are small, and we'll touch on that more in just a few minutes.
You're ideally going to do this manually out of the gate and then over time look for ways to automate as you scale [inaudible 00:09:44]. You get an opportunity to think about the efficiency of your operations. At Lithic, we also have our team pick up [inaudible 00:09:51] from partners, but ours are coming from multi-parties. A big one is B-BBEE compliance. Another other is [inaudible 00:09:56]. And we're really grateful to have a wonderful compliance operations team. That's a stack with jacks of all trades.
Finally, there are certain things because we know not all of you are in cards and payments that are listening. They're going to [inaudible 00:10:10] based upon your product and regulatory type. These are things like consumer [inaudible 00:10:14] out of real high-touch consumer products. So maybe things that are more fee-driven and slightly more expensive and therefore may drive some more UDAP risks or where we’ll have more technical compliance risks. Number one, if you're in the security space, investment [inaudible 00:10:31], you're going to have your own set of governance and QA responsibilities that are driven by those regulators, self-regulatory bodies and also industry practices. And that's going to fall outside of the typical AML sanctions pieces that we're generally going to talk about today on the podcast.
Reggie Young: Well, great. Now that we know what a compliance team does, let's talk a little bit about building a compliance team. How would you do it?
Matt Janiga: All right. So a key guiding concept for founders is to make sure or your compliance program is commensurate with the risks and resources of your company. A lot of consultants or compliance folks coming out of banks are going to encourage you to go straight to kind of the battleship, full-blown compliance programs. And a lot of times that's not practical. And in some cases, it's not necessary for your FinTech. So let's break this down by funding rounds. I'll kick us off. But Reggie, I'm going to need your help to jump in and help me out a little bit. Is that okay?
Reggie Young: Sounds great.
Matt Janiga: Wonderful. All right. So I'll kick us off with the first thing. Before you have product market fit and I'm working with a couple of really fantastic founders right now in this space. It's maybe two, three folks, technical focused. They have some seed money, but they don't quite know what the product looks like. They don't have a partner suite yet, and they don't necessarily have the revenue to support a more full-focused team. If you're someone like this or if your company is at this stage, generally, we would advise you to lean into your bank partners because they can help you out.
For example, the bank partners that we've worked with across our time at the various companies we've been at and today at Lithic have a general policy for our product type. In our case, prepaid cards. Our bank will send us the updated policy once a year, and we'll review it to see what they expect from us. This is going to be where the bank will tell you what reports you need to give them, on what cadence, and what special things they might ask you to do as your role as a program manager. Now what you can do here, because you're small, is you can tap a business person to read the policy and make sure that your product blocks and tackles on these key needs from your bank partner. You can also ask your partner, especially if you know your way around the industry or if you have a good consultant or advisor, how much of it can be pushed back or delayed because a lot of times the partners will negotiate, again, because compliance program should be commensurate with the risk and resources of your program. And if you're really small and if you're pre-product, you're not going to need a full-throated compliance program and neither will your bank need full-throated oversight.
Finally, on this piece, if you're pre-product or if you're orderly, if you get stuck, there are a bunch of really fantastic consultants that can help you identify what the policy requirements are and help you design processes and operations to drive compliance forward. If you really get stuck, you can tweet at me and Reggie because we've got a couple of great folks we can send your way.
Now with all that said, Reggie, could you help us talk through what you've seen when FinTechs who are small finally find product market fit and they're ready to start scaling?
Reggie Young: Definitely. So once you’ve got that initial product market fit, you've got a good customer base and you're scaling and raising a little money, then you want to start building out your compliance team. And this is where BlueVine was at when I joined. There's a great compliance officer, Pooja, who really knew her stuff on AML and sanctions and also had that really great business judgment to suss out what real risks were.
Matt Janiga: Yeah. And this is where we were at Lithic when I joined. We had a great compliance director, had set up some absolutely fantastic policies and processes, good relationships with our partner banks and really gotten the Privacy.com side of the house up and running.
Reggie Young: So when you're at the initial product market fit stage, who are your first compliance hires?
Matt Janiga: Ah, it’s a really good question. And I'd say it depends upon who your existing team is. One other important tip for founders or anyone trying to staff your compliance function at FinTech is you need to be honest with your hires based upon their capability. Now I'll break this down a little bit further. If you have seasoned founders or an in-house attorney who really understands compliance needs, you can use your budget to bring in somebody who's more operationally savvy, maybe has more management skills. Somebody on that mid-level management type of run, who can help you -- who can take direction from those folks who can kind of set the table. They can build processes, and they can manage analysts as you scale.
Now your more senior non-compliance person in this case can help that other person balance commercial and compliance needs and also start to build alignment with your C-suite, which is really important. We'll talk more about that in just a few minutes. Ideally, your first hire in the door for compliance, a fully dedicated compliance person, is growth oriented and is up for the challenge of trying to grow and scale as your company grows. There's some great folks that have done this throughout time at some really great FinTechs. Reggie and I know a bunch of them. And people who come in, they may come in with that lower level title or they come in a smaller capacity role are able to grow and ultimately become your compliance officer. And because your company, you as founders, and this hire are growing together, there's really great synergies and really great deep understanding of how to work together and how to keep everything safe.
Finally, if you get stuck and you can't find a good candidate to be your manager or director level hire, Reggie and I would generally recommend that you get a really great analyst who can block and tackle. They might need a little more direction in coaching, but they'll give you fantastic lift. Again, the trick is being honest and here's why. A lot of folks will mistake being first in their function with being the senior title in their industry. So if you as a founder are not clear when you’re hiring the first compliance person, they may expect, think that they are the actual compliance officer, when you have hired them into actually do a lesser role or don't expect them to scale to that level.
Don't lead any ambiguity between your hires as it will cause you internal [inaudible 00:16:24] but not your end compliance officer, make sure you're clear with them upfront about the potential ceiling that's in their way or about the development milestones they need to hit for you to feel comfortable giving away that title. Again, you don't want them upset later and leaving, especially if you're at a critical scaling point and they walk out the door with all your key knowledge.
Now Reggie, I know you've got some other questions. What else is top of mind for you on this?
Reggie Young: Sure. I was wondering, are there particular compliance skills you look for? Or is it one size fits all when you're hiring?
Matt Janiga: Ah, this is really good. And as you know, I'm wearing a hiring manager hat these days. And I've seen a lot of fantastic hiring managers at Square, Stripe, and I've got friends that have done this role at Airbnb, Coinbase, et cetera. So I've gotten the chance to observe a lot of really great leaders in this function. And I just want to say thank you to all of them because I'm trying to do a pale imitation of you here at Lithic.
Unicorn hires will have both substantive knowledge and key operational experience. And we're going to break that down a little bit. Our second compliance hire at Lithic, for example, Rob, who leads our ops team, is a really great example. He's got a law degree. He's done compliance in large bank settings, so he's seen it at scale, both good and bad. He's seen good processes work out and he knows when processes can be too onerous [inaudible 00:17:41] for staff and hard to operate. And he's also exhibited really good judgment in balancing. He did this [inaudible 00:17:49] and with something that he's continued to exhibit and does a fantastic job [inaudible 00:17:53] today at Lithic on his day-to-day as he manages his team and really catches some of the most complex work for us.
Now if you don't have a background in compliance, there's a few main buckets to try and look for. Reggie, is it helpful for me to break them down?
Reggie Young: That would be super helpful.
Matt Janiga: All right, let's do this. So I know you know a couple of these already, but we're going to break them down for the founders that are listening that may not necessarily have the same background you or I do. AML is really one of your big ones. That stands for anti-money laundering. And it's going to be focused on how you look for stuff that's transaction monitoring that might be unusual on your platform or how you conduct KYC or know your customer screening. If you can find someone who's got a background in AML as your first hire, you're going to get a lot of mileage out of them when you're trying to staff and build your compliance function at your FinTech. Generally, folks who have experience in one of these areas, either KYC or transaction monitoring, can stretch and grow to help you staff and cover and build in both.
Now finding people who can do their own documentation and tidying up to make sure documentation matches the processes and vice versa is also key. People who are good at running the engine or running operations, very important, but not all of them can do documentation well. And so if that's something you're missing internally, if you, your co-founder, any in-house counsel you have, or any other operational folks are not good about process building, getting things into notion, putting them into Google Docs, you're going to want to make sure you hire this person in for compliance because they will pay off in the long run.
Our KYC lead at Lithic is really fantastic about this and is obsessed with driving to document things in her space. It's a huge lift for our team, and we're beyond fortunate to have her at the company. And I can't tell you how immensely helpful it is if someone who's managing both compliance and legal to have someone that I can just trust is going about and doing their job to help us up level constantly at the company.
Reggie Young: I second that. We're fortunate to work with some pretty awesome compliance folks here at Lithic. So how does a compliance team grow once the company scales up from that product market fit to the next phase? Like if a company's growing, like reaching towards IPO, where do you start to look for compliance expansion?
Matt Janiga: Ah, yeah. When I joined Square, they were already kind of past this point. Obviously, the company still scaled and grew beyond that or was growing beyond that. But really where I saw this play out was at Stripe.
Reggie Young: And we're fortunate to be living through this at Lithic right now as well.
Matt Janiga: Yeah, that's right. I think the key things to think about here are you want to have your functional lines broken down. One of the things we identified at Lithic was hyper growth was coming and we're living through it again, as Reggie mentioned right now. So we went out at the end of last year and reorganized our internal team to focus on KYC and sanctions or how do we get customers onboard to both the Privacy.com and our Lithic platforms and do it safely. Our middle line is focused on transaction monitoring, how do we find things that we're supposed to be looking for vis-a-vis what our risk assessment says and also what our partners expect of this. And there's an added element here that if you do this right, you're also going to find fraud on your platform. You're going to be able to snuff it out before it hits your bottom line, and you're going to make your business more efficient from a financial perspective.
Finally, there's a third line that we set up, which is our operations line. And the key job here is to help our API customers at Lithic, make sure that they're doing the right things they need to do to keep themselves, Lithic and our bank sponsors safe, and also help manage requests. Because there's a lot of ad hoc things that come in from our many bank partners that we have, both on the Privacy.com side and the Lithic side of our business. I think that's about it, Reggie.
Reggie Young: That's a solid round-up Matt. But aren't you forgetting something?
Matt Janiga: Oh, crap. Is it my wife's birthday again already? No, that's May. That's May.
Reggie Young: No, no. We need to talk about when to give away titles. You already hinted this but just a little bit, but I think we should dig in for listeners.
Matt Janiga: I know. That's right. And that will be super helpful. This ties a little bit into the conversation of being honest with folks. And sometimes the honest answer is a hire you make is not ready for a bigger title. What should we really cover on this topic, Reggie, because I know there's a lot of different ways we could take this.
Reggie Young: Sure. I think a great starting point is that you're in an interesting spot as both a general counsel and a compliance officer title. Why don't we talk about that? What's the story there?
Matt Janiga: Ah, so I'm an accidental compliance officer, and there's quite a few of us out there in the industry. Our first compliance hire, Scott, was really fantastic. Again, he helped us document a lot of great policies and procedures but came from a consulting background. Scott had done a full tour of duty with our company, as founders know will often happen, especially as you're grinding towards product market fit if it takes you a little bit of time to get there. And with Privacy, we've had a long run. We've been around for about eight years now.
As Scott was kind of hitting key milestones with the company, he got the bug, as a lot of listeners themselves may have, to go back to crypto and really gravitate towards Web 3 and all of things that were happening there. Around this time, we were left with basically a hole. The person that we had trusted and had gotten us really far was going to be leaving the company. And we kind of looked around and said, hey, we want someone else who is calibrated well [inaudible 00:23:29] kind of balance commercial and other decisions and also has the trust of other members of [inaudible 00:23:32]. And everybody kind of took a step back. I wasn't paying attention [inaudible 00:23:37]. I ended up as our compliance officer.
Now I do have, for listeners, if I’m being a little modest, a background in this. [inaudible 00:23:45] advised compliance teams at Square and at Stripe, helping [inaudible 00:23:49] functions at both those companies and also working closely, particularly on SEC filings and ensuring Dodd-Frank compliance during my time as in-house counsel at Capital One. [inaudible 00:23:59] background here to lean on. And when you look at some of the key elements you'd want in your compliance officer, I can help check all those boxes. But again, I'd say I'm the accidental compliance officer because I didn't join Lithic with the intention of wearing both hats. And I wasn't hired with the intention of having me wear both hats either.
Reggie Young: Interesting. That's helpful. I've seen that with a few FinTechs where the GC is also CCO. Is that fairly common? Do you think it's normal?
Matt Janiga: Ah, so here's where it gets interesting. It kind of depends on who you ask. I think historically a lot of lawyers will take the view that your general counsel or another lawyer should be your compliance officer, and then you can staff managers underneath them to run the operations. But this view is not one size fits all and can actually get companies into trouble.
Reggie Young: Oh, do tell.
Matt Janiga: All right. So I'll go into it. Let's say you're in a regulated space, like you have money transmission licenses. Some states like New York will actually say that your compliance officer has to have five years of experience with the Bank Secrecy Act in order to be the official [inaudible 00:25:11] of your money transmission registered entity.
Reggie Young: And some in-house GCs at FinTechs tend to be generalists or rotating to FinTech for the first time. So they don't necessarily have that.
Matt Janiga: That's right. They're really smart folks. They have really good judgment, but they don't have the reps to satisfy certain key needs, whether it's coming from a partner or from a regulator. And that's something that can cause some issues for the company.
Reggie Young: Okay. So given this whole GC, CCO title debate, what should founders do?
Matt Janiga: Ah, this is a good call. And I get this question a fair amount from folks who are special scaling, usually seed round and later in the FinTech space. What I regularly advise founders is to decide based upon whether their general counsel has compliance officer experience. And if not, whether they have someone in-house that they trust, and that's key, who does. This is for the good of your or company and it shouldn't be a vanity or a popularity contest. And your GC of all hires, because they're supposed to be your seasoned hand, should understand these things and be willing to go with the flow and do what's best for your company.
The other thing I advise folks on, and we touched on this earlier, this was the intro to this topic, don't give big titles away too soon. And for example, I mentioned at the start of our podcast, I am the compliance officer. I am not the chief compliance officer. I am not the global compliance officer. I am the compliance officer, and that is purposely by design because it leaves space to either bring someone in over me. It leaves space for me to step out and give that smaller title away or I could go up and give that title away, which is my intention, to someone already on our team because we have a lot of really great managers that are close to being ready to be really fantastic compliance officers, whether it's here at Lithic or elsewhere.
Reggie Young: Okay. So let's say you and I are starting a FinTech. Let's hypothetical say it's a neobank for frozen banana stand owners.
Matt Janiga: Ah, hold on, Reggie. Are we using Lithic's amazing API platform to issue cards here for this banana stand company?
Reggie Young: Of course, we are. It's a default option for FinTech start-ups.
Matt Janiga: All right. I was just checking because I know there's always money inside of a banana stand. But if you're not [inaudible 00:27:29] I know you can't always get out. We're going to be building the best technology. Just take it away, keep going with your hypothetical.
Reggie Young: Okay. So again, we're building a FinTech and neobank for frozen banana stand owners, and we have a GC without compliance experience and another great team member who worked at a fast-scaling FinTech in the past working with AML. Do you think the right thing to do is to make the non-lawyer your compliance officer, right?
Matt Janiga: Ah, yes. But because I'm a lawyer, can I add a caveat?
Reggie Young: Well, it depends what it is.
Matt Janiga: [inaudible 00:28:04] in-house compliance person is missing the judgment piece, be commercial enough to enable your business. Here's the caveat. [inaudible 00:28:13] think about whether another candidate, maybe your GC has that judgment and commercial balancing.
Reggie Young: That makes sense to me. I mean, one of the great things I've seen from good compliance leads is they can spot when a policy isn't driven by actual legal requirements or other factors like risk. So they know when to go have conversations with the bank partner about updating policies, for example. But Matt, what if your in-house lawyer and your non-lawyer compliance person are both good at this?
Matt Janiga: Ah, that's a really [inaudible 00:28:42]. Since I'm your manager, I'm going to turn it back at you, Reggie. You've worked in-house. What's your take on this? How exactly would you split this?
Reggie Young: I think it depends on whether you think the non-lawyer compliance person is ready to be CCO. And by ready, I mean, do they have substantive compliance experience and that demonstrated commercial savviness like that business judgment. If they're not ready and your GC has good compliance knowledge and some like good business judgment, then I'd say keep the GC as that compliance officer. But if your compliance lead is ready, I'd say hand the compliance reins to them and split legal and compliance a bit. Because I think having two departments owned by different leads just generally lets a scaling start-up move a lot faster since a single person doing both, as I'm sure you can attest, can get spread pretty thin pretty fast between the two teams. So I think at this point, we should probably give…
Matt Janiga: I would say that's absolutely [inaudible 00:29:49] why I'm able to wear both hats is because we do have a fairly well staff, legal and compliance. So it's not something I recommend everyone taking [inaudible 00:29:57] inside start-ups unless there's a business reason for it. Again, one hire has both skills. Or from a revenue perspective, it's what you need because you're trying to keep both to keep the lights on.
Reggie Young: So I'm thinking at this point, we should give listeners a TL;DR.
Matt Janiga: Ooh, that's really good. But that's kind of your thing. Do you want to take the TL;DR on this Reggie or at least kick us off?
Reggie Young: Sure. I can kick us off. So I'd say the TL;DR on building your compliance -- building a hire in your compliance team is don't overhire or hire too early. Compliance professionals are highly skilled and expensive. So you probably want to use tools and consultants before you hit product market fit.
Matt Janiga: I think that makes sense. And once you found product market fit, I think one of the things Reggie and I would both say you should keep in mind is go make your first compliance hire so they can focus on it full time. That will let you get back to founder activities, like fundraising, hiring and, most importantly, product market.
Reggie Young: Next, when you need to give a title away, start small. Most bank partners want a BSA officer or a compliance officer, but you can save that chief or global title for -- if the person really performs or if you need to bring in an external hire to help scale
Matt Janiga: That's right. And don't just give your compliance officer title to your in-house counsel. You’re going to want to make sure that they have the experience and judgment to help balance compliance and business opportunities. Some lawyers can do this really well. But other times, your best bet is going to be a really seasoned compliance professional who knows the quirks in the laws and how your product can ride on top of them.
Reggie Young: So switching gears to think more about the tech aspect of compliance. Compliance isn't often considered tech, but there's a ton of exciting tech out there that they can use it, especially at start-ups.
Matt Janiga: That's right. And some companies, like if you go back historically on this and I'm FinTech old. I'm so old, they used to call it mobile payments. Some companies like Square and PayPal have spent millions building internal systems. But the amazing thing is founders today can buy this same functionality from new companies that are specializing. These are companies like Alloy, Hummingbird and Persona. Persona, for example, offers KYC and other tools that compliance teams can lean on. And this helps decrease the need for headcount in your compliance organization. Reggie, do you want to know a secret?
Reggie Young: Ooh, I love secrets. Don't worry, I'll keep it between us. No one else will know.
Matt Janiga: All right, good. We're not taping this, are we? Let's see. So this is one of the most amazing things. The teams at places like Hummingbird and Persona are the same folks who built the in-house tooling for Square when I was there. So you basically can buy the same software that a large publicly traded, market-leading and really fantastic compliance organization, Square, uses to run their world-class compliance program, if you pair companies like that together.
Reggie Young: Love it. Your secret is safe with me.
Matt Janiga: Good. Don't tell anybody else. All right, Reggie. So with all these great tools, how do you think start-ups should think about buy versus build?
Reggie Young: That's a great question, and it's when I get a lot from newsletter readers. So you likely want to own your KYC or fraud system. You could go with a vendor like Cognito or Persona, but you want to control the settings so you can tailor a fuzzy matching and other things that are special for your customer base. That control factor means you'll probably need to stitch together a few vendors to get the best conversion rates. And once you do that, then the build versus buy debate comes into play most for the AML monitoring and case aspects.
Matt Janiga: Now that makes sense. And I'm glad you mentioned Cognito. We use them at Privacy and I, especially with my compliance officer hat on, absolutely love that product. And I'm thrilled that Plaid purchased them because I can't think of a better pairing. I'm really excited to see what they do with the extra resourcing.
All right. Enough with love fest for Zach and the folks at Plaid and also the really great Cognito folks. Talk to me more about that, buy versus build debate around AML monitoring and case management. Like I know you're working with our product folks and our compliance teams on this. So talk to me about like what you've seen Lithic and also other teams wrestle with.
Reggie Young: Sure. And I think I’ll -- let's zoom out a little bit and first explain what AML monitoring and case management are so folks who don't live and breathe compliance and nerd out and break down legal stuff like us, can have a better understanding. And so I think AML monitoring or transaction monitoring as it sometimes referred to generally means flagging and reviewing transactions that are unusual. The background here is there's a law that says you need a system for flagging funky accounts and transactions and reporting this FinCEN so they can help connect the dots on financial crimes. These are generally called SARs, which Matt referred to you earlier, suspicious activity reports. The other aspect is case management, which generally for us is the same process, flagging and tracking how you review these unusual cases. So transaction monitoring helps you figure out the weird cases and case management helps you kind of handle how they get escalated and resolved
Matt Janiga: No, that's super helpful for listeners, Reggie. I think now that we've gotten kind of the base thing down, especially for first-time founders who are new to the FinTech space. What are the factors that you think they should think about for buy versus build, especially when you're focusing on AML monitoring and case management?
Reggie Young: Yeah, great question. So I think there's a handful of things founders and operators need to weigh when building transaction monitoring and they apply to the AML and risk space. So first, I'd say, how easy is it to integrate with a vendor? Six to 12 months is a bit too long. Ideally you want something that takes a few weeks.
Second, I'd say, how do the vendors features fit your business needs? Like do they have the ability to close and reopen cases? That's like table stakes for transaction monitoring and case management stuff. Another example is bulk closures. Like if you add a new transaction monitoring rule and it turns out to be a bad rule and you need to close a bunch of false positive cases, can you easily do that in bulk? That's another important aspect.
Third, probably scale. We've seen some vendors that break under the scale that Lithic and Privacy.com have. So web-based portals, in particular, can slow down or break if your data sets are too big. As a rule of thumb, your vendor should be able to cover your next 24 to 36 months of operations. So that way you don't have to constantly be ripping them out and placing them.
Matt Janiga: What about costs, Reggie?
Reggie Young: That’s an important one. Yeah, I think cost is a good call-out too. Vendors are all over the map on costs and some are charging as much as a compliance officer salary. Founders should definitely compare vendors in the space to get a best sense of what's reasonable, especially because, well, transaction monitoring really isn't like a business differentiator. It's not something that's going to make your company stand out.
Matt Janiga: No, I think that cost call-out is really good. Like I know, for example, some companies are starting to even leapfrog or bypass some of the compliance vendors in this space and they're looking at more modular solutions to build cheaper in-house versions. It's going to be really fascinating to see how that space plays out. Because obviously, if you need a catalog system, you go to somebody really fantastic in the space who’s been doing this for a long time. I know I love Hummingbird. But if you're looking to kind of get by or do kind of bare bones on it, you might be able to knit together some of these other vendors and see where things go.
Reggie Young: Yeah. It's going to be something to watch. I think either way, it's a great time to be a builder in FinTech because you can use it tools to get to market so much faster than historically you could.
Matt Janiga: No, that's absolutely right. All right, Reggie. I know one of the things that folks were interested when we threw out on Twitter the idea that you and I might do a podcast was they were really interested in hearing more about pitfalls. So building a compliance team isn't all daffodils, sunshine and rainbows, right? What are some of the common pitfalls you see compliance teams dealing with? Obviously, I've got my own set of things, but really curious to get your take here.
Reggie Young: Yeah, totally. So I think the big one that comes to mind for me is compliance often becomes a dumping ground for other functions. The top ones that come to mind are vendor management, risk and fraud work and partnerships work. And here for partnerships, I mean partner in banks or other critical third parties. So like for Lithic, this means like card networks. But for each FinTech business model, it's different. Matt, how about you? Are there any pitfalls that come to mind for you?
Matt Janiga: Yeah. I think one of the ones that I've seen create tension regardless of kind of the stage of company that you're in is what your compliance reporting lines look like. And I can break this down a little bit. Is that helpful?
Reggie Young: Yeah. That's super helpful.
Matt Janiga: All right, great. So I think the key thing is, right, let's harken back to the start of our pod here, where we talked about the three lines, right? Your business sits inside the first line, sales, marketing, all those other folks, making decisions around who you potentially sell to, what your pricing is, other things like that. And their real incentive, right, is to bring revenue in. One of the things I've seen sometimes is there will be folks who often want to combine a functional leader from the first line of your business and have them absorb compliance. And now ultimately, at the end of the day, right, if everybody rolls with their CEO, you're going to have a little bit of conflict here on it. That's why for really good housekeeping, your compliance officer should have a dotted line to your Board, really your audit committee. And if you're too small to have an audit committee, I would say that you don't need to about the Board function.
Back to what to do with in-house. I think where I've seen some pitfalls occur is where you have a manager, it could be [inaudible 00:39:25] or it could be your revenue officer. And you have compliance ultimately report into those functions. Because what happens sometimes is they may tiebreak too often and they could do it in the wrong way, right? They may be ignoring key legal or partner needs, right? That you need to really make sure that you happen to be complying with. Or there's another human element to this here, which is if the ties are constantly being broken in a way where your first line wins, your compliance team is going to be really demoralized. And you need to make sure you bring people along and make sure they understand the rationale, if that's what needs to be happening. If it's happening for a good reason, there's going to be some underlying root cause. Maybe people are escalating the wrong things or they're escalating too often. But this is one of the pitfalls I see.
And so if you're a founder and you're small, obviously, you've got to have a smaller team. You're probably going to have a flatter org. Hopefully, you don't have too many of these issue user. If you're tiebreaking, it's at that founder, CEO, CTO type of level. When you get bigger, I think one of the key things to think about is don't let your first line leaders eat your compliance function unless that's absolutely the right move and really the only decision for your company. And I'll say here, there's no hidden subjects. I'm so grateful that between Bo and folks like Charlie Kroll, our chief revenue officer, or Suchit Patel, our chief operating officer, and others at Lithic, that this has never been an issue for us.
But I know I have seen it [inaudible 00:40:48] and I know it does have negative impacts upon the compliance team and really does kind of distract them from doing their day-to-day job. And in some cases, it keeps the org from being as safe as it needs to be.
Reggie Young: Fascinating. That all makes sense. Let's turn to some listener questions. First up, what do you call a debit card that has the wrong bank numbers on it?
Matt Janiga: I don't know, Reggie. What do you call a debit card that has the wrong bank numbers on it?
Reggie Young: A garbage bin. Okay, that wasn't actually a listener question. Onto the actual ones. Matt, I'll hand it over to you.
Matt Janiga: All right, all right. I'm happy to take the first one. And thank you to all the folks on Twitter. Again, when we said we're going to do a podcast about this, you came up with some really great questions. I don't think we'll get to all of them today, but we do want to thank you all for it. And if you have complaints, you can talk to my manager, Reggie.
All right, here's our first one. Reggie, this one's for you. How can compliance ensure old and boring regulations and controls -- again, this comes from our listeners so there’s good air quotes around old and boring, old and boring regulations and controls remain relevant, unhated and unforgotten once they've been around for a few years.
Reggie Young: Yeah. So it's a great question. I mean, it's something, as lawyers, we also struggle with. This like how do you position yourself as a value ad. I think a big thing I've experienced or seen is that if you can turn knowledge into resources that other teams can use to kind of self-serve and come up with solutions, it tends to change other teams' mindsets of legal and compliance. And so I'm thinking, for example, a compliance team could create some internal resources around like here are the contours of what we need to do. Because oftentimes, how things work in practice can gloss over that you don't actually need to do certain aspects of a process. And so your product, for example, may end up requiring certain things that you could not necessarily require or structure in different ways that makes it a little more user friendly.
And I think I've seen that creating resources, for example, that you could hand off to a product team, that product team is going to self-serve and they're going to start poking holes. And they're going to come up with all these creative product ideas. And as long as there's eventual oversight to make sure you're staying compliant, I think that's a really good way to make other teams be interested in things that regulations otherwise could be old and boring.
Matt Janiga: And Reggie, I've seen you do a really great job with this here at Lithic and obviously over at BlueVine, where we both worked together before this. What are some of your favorite kind of frameworks and ways to help educate business partners or give them the tooling to kind of go back and do their own thought processes on this, and they come back with some great product ideas?
Reggie Young: Sure. I think we've fallen into a good rhythm of building like Notion pages or Google Docs or Sheets or something that you can share with others. Kind of sending out to the key groups as an email, key groups in the business, and also setting up office hours so that, okay, folks can review and then come and show up and ask questions. And I feel like inevitably, every single time there's someone from product or other teams that responds almost immediately with some idea they have of like some way they could unlock value in an existing product or feature. But yeah, I think we find that like sending around to the right groups and then setting up some sort of like office hours and open question time works really well.
Matt Janiga: Nice.
Reggie Young: So here's another good one we got from Twitter. What makes a good CCO?
Matt Janiga: All right. I'm happy to take this. So I think there's a couple of key elements. The first one in mind, find someone who's got a good compass on what the actual legal needs are and how to operationalize them. If your compliance officer has a firm understanding of the law or they have a lawyer that they trust to lean on to help them get there, because I know I've been that person for some really great compliance officers, they have a really good and I would say the right starting point.
I think the next element that founders want to look for is the ability to balance legal requirements versus risk versus the business opportunity. So I'll say that one more time. It's a three way balancing act. What are the legal needs? What is the statute? What does the reg, what does FinCEN tell you have to do? What's the risk? As in if you don't do the thing, are you going to be in trouble because are the bad things actually going to show up? Or are you building controls for something that isn't present in your business?
And the third piece is, what's your business opportunity? And this is sometimes where I've seen product teams ask really good questions around you're giving us advice that says this, but we see PayPal or we see Square or we see others doing this thing that undercuts your advice. What's up with that? And I think you need a compliance officer who can give good advice from the outset and understand and recognize the market or be nimble enough to intake that information and help get your teams to a good spot. I think sanctions is a really good example. Reggie, do you think it's helpful if I unpack it?
Reggie Young: I think that'd be super helpful.
Matt Janiga: All right. So sanctions, for those of you that haven't dealt with it before, is really black and white at the 30,000-foot level. Basically, the U.S. government and other governments around the world say, “Don't do business with bad people or a certain set of things that we think are attached to bad people, like Cuban cigars, Persian rugs or Russian oil.” Now again, super clear at the 30,000-foot level. Some compliance folks will get in and some lawyers as well and take this to real extremes and say, “Okay, since the U.S. says don't do business with bad people, we need to know [inaudible 00:46:42] time in real-time.” And sure, that's one way you can get there. But that's a super strict view, and it also could strangle your business. Or you could be out of whack with what competitors are doing with their products, allowing them to build market share faster than you are.
So here's where a great compliance officer comes in. A great compliance officer can identify the risk related to that requirement. So for example, Lithic. You told me we can't do business with people who are selling Russian oil. That's pretty easy because people who want to sell Russian oil aren't coming to us for card products, and our compliance team below me understands and gets that really well. So we don't have to design overly complicated systems to find people who are doing things with Russian oil because they're not inherently going to show up and use our product.
I think there's another good example of this, which is applicable to all FinTechs, which is if your customer needs to use a US bank account to use your product, and this is something like a peer-to-peer transfer network, maybe it's a prepaid wallet, maybe it's an online card or neobank like a Chime. This person is already going to be screened by their primary bank. And so your customer population is inherently going to be less risky. Now it's not perfect. And if the other bank screws up and that's your only control, FinCEN can still sue -- or sorry, OFAC can still sue over those. But it does show you that you've got a little bit more latitude to play with is the amount of risk inherent in your population, especially if you're doing geoblocking, you're doing other controls along those lines to limit the universe. We'll keep it safer. We'll keep it so that way Russian oligarchs or others that maybe on the SDN list aren't showing up in your customer base.
Now most importantly, to get something launched, right, you've got to kind of live in this crazy gray zone. So this is where to give you a real-world example. Your product team might come to you and say, hey, we've got to get a product out the door. Now if your pre-product and your seed round, you're burning money, you need to start revenue. Your compliance officer, if they're wound too tightly or not properly calibrated and can't balance this middle part, what's the risk in your business, might come and say, hey, we're not screening people up front. We got to shut things down or we can't launch.
Now that's going to be the wrong answer for you in a lot of cases if you're pre-product because, especially if you're doing a US-only funded by a US bank account product like cards. Because again, your risk is going to be low and your need to get revenue in the door is going to be high. So that's where you want somebody to balance risk versus commercial opportunity. So it's not enough to know just the needs. It's not enough just to be able to spot the risk. You got to have kind of a balance across all threes.
Now the last element -- Reggie, do we have time for one more element on this?
Reggie Young: I think we do. I think we can fit it in.
Matt Janiga: All right, good. And thank you to everyone who's still listening. We know this has gone on for a while. The last element for finding a really great compliance officer, especially a chief or a global compliance officer, is what I'm going to call a compliance officer and founder or CEO fit. If you're a founder looking for your first compliance officer or a really senior compliance officer, you're going to want to hire somebody that you like and that you can respect. And this is because you're going to have a lot of tough conversations with them and this person. And you’re going -- you and the other executives are going to spend a lot of time with them. And making the wrong hire means you're going to have a lot of friction inside the business. This person isn't going to be able to educate you or help bring you along to where the org needs to go, and you may end up having a falling out.
So it's better to just get ahead of it. I would say focusing on that fit is really important. A fit doesn't mean a yes man or yes woman. But it does mean, again, I think going back to that balancing act, being able to balance what the legal needs are, what the risk is inherent in your business and future business lines and, finally, what your commercial opportunity is and kind of what your need is on that side or in value creation or in value protection mode or you're somewhere kind of in the middle along the way. Now Reggie…
Reggie Young: That's very interesting.
Matt Janiga: Oh no, I think it's absolutely fascinating. And the organizational dynamics of this stuff that you can kind of see it play out in various places, always interesting to watch. Reggie, we've got another question which is, how does compliance ensure they're recognized not just as a cost center but maybe something that at some cases can be revenue generating?
Reggie Young: Sure. I think we already touched on one of the ideas, this kind of like helping create self-serve resources so that other teams can run and kind of innovate. I think another big one that I've seen good compliance folks do is they almost view compliance as an internal product and they look for ways to improve it in efficiencies. So there may be problems where KYC checks aren't fully working as efficiently as they could or like maybe there's duplicateous vendors. Those sorts of things where the compliance team can kind of help identify like, hey, we're letting too many fraudulent accounts on because our compliance standard or KYC standards are too lax. Or hey, we're spending too much money on this function when I think we could build it internally with a light lift. I think that's sort of like internal ownership view and compliance as a product goes a long way.
Matt Janiga: Nice, nice. No, I think that makes a lot of sense. And really grateful that our team at Lithic thinks about those things and executes well along that space.
Reggie Young: I think a last question. Matt, are there any good resources out there for drafting policies and procedures?
Matt Janiga: Reggie, I am so glad you asked this. I think we’ve both seen this. There are lots of law firms, lots of consultants that are out there that will charge you lots of money to get up and running. You still have to tailor things in-house unless you're working with some really great consultants, which we've had the good fortune doing. I think one of the things that I wish there was in the industry were kind of standardized compliance stocks, at least a base template, that if you're in cards, if you're in payments, if you're in lending, people could kind of take and go. And so Reggie, I know we have a really exciting announcement. Do you want to share with folks what the announcement is for all of our compliance-minded founders out there?
Reggie Young: Sure. So we're looking to build out our Lithic docs page to help give founders some kind of foundational policies so that they don't have to go spend gobs of money with law firms and outside consultants if they don't need to. Again, there's stuff that like should be tailored for every company. But we think the foundational ideas in a lot of these policies are pretty similar. So we're going to be rolling that out very shortly. It might actually be out at the time we air this podcast.
Matt Janiga: That's right. And so if you need [inaudible 00:53:09] BSA policy or a sanctions policy, we're going to put up separate documentation for folks. Because when you get to your [inaudible 00:53:17], you're going to want separate docs and kind of have separate reports on those things. We're going to have those up at our Lithic docs page. And we're going to keep things coming. So very happy to take feedback from listeners and from folks on Twitter or you can write into us. And if there's something specific you're looking for or you need for your business, we're happy to help be the starting point for you, regardless of whether you are a Lithic customer. Although, we'd love for you to list Lithic as well.
Reggie Young: Exciting. Well folks, that's it for this episode. Thanks for nerding out with us. We've got some great episodes in the work, so I'm excited to record some more podcasts in the future. Matt, if someone wanted to issue cards and they wanted to do it insanely fast, where can they find out more about Lithic?
Matt Janiga: Reggie, I'm so glad you asked this. If you are a builder, if you are a creative, if you're a dreamer, you can find out more about how to build cards, specifically build cards on the Lithic API platform at lithic.com. And you can write to us or find us by going to lithic.com/contact.
Matt Janiga: Reggie, thanks so much. It was a blast doing this with you today. Hopefully, all our listeners got great value out of this. And I know I'll see you around the virtual office.
This episode of the Fintech Layer Cake podcast features a deep dive on fintech compliance. We cover a lot of areas including:
- How to build a compliance program
- What to look for in your first few compliance hires
- How compliance should look like at each company stage
- Compliance tools that can lighten your workload
- Should your general counsel be your compliance officer
Fintech Layer Cake is presented by Lithic and hosted by Matt Janiga, our general counsel, and Reggie Young, our product counsel and author of the Fintech Law TLDR newsletter.
Highlights from Compliance 101:
What does a fintech compliance team do?
REGGIE: The compliance function at fintechs set the policies, procedures, and processes to ensure the company is compliant with the law. They focus on anti-money laundering (AML), sanctions, and regulated conduct.
- AML refers to legal obligations that help the government fight crime, like having to verify the identity of bank account applicants.
- Sanctions refers to checking certain government lists that include, e..g, people US banks are prohibited from doing business with.
- And regulated conduct refers to various regulations that require certain types of businesses to do – or not do – certain things. For example, at Lithic, we have to deal with card-specific laws and regulations that say what sort of conduct card companies can and can’t do.
How is compliance different from legal?
REGGIE: Legal helps interpret guidance and navigate gray areas to figure out what the company needs to do.
Compliance focuses on implementing and running the day-to-day operations. Things like confirming your customers aren’t on sanction watchlists, or that they’ve provided all the right KYC elements.
Legal also helps with contract negotiations, employment issues, and others.
But there’s often overlap – good compliance folks often help do some of the legal lift, especially at early companies.
Who are your first compliance hires?
MATT: Well it depends on your existing team. If you have seasoned founders or an in-house attorney who understands compliance needs, you can use your budget to bring in a mid-level manager who can take direction, manage analysts and help you scale.
Your more senior, non-compliance person can help them balance commercial and compliance needs, and also start to build alignment with your C-suite.
Ideally, this person is growth oriented and can keep growing up as you need a more senior hire.
If you get stuck and can’t find a good candidate to be a manager or director level, I’d recommend getting a great analyst who can help you block and tackle. They might need more direction and coaching, but they’ll give you good lift.
The trick is being honest. A lot of folks will mistake being first in their function with being the senior title in their industry.
Don’t leave any ambiguity – if you see your hire as an analyst or manager, but not the compliance officer, make sure you’re clear with them so they don’t get upset later and leave.
Should your general counsel be your compliance officer?
MATT: Historically most lawyers take the view that your GC or another lawyer should also be your compliance officer, and there can be managers under them to run the operations. But that can get you into some trouble.
If you’re in a regulated space, like if you have money transmission licenses, states like New York require that your compliance officer have five years of experience with the Bank Secrecy Act and sanctions.
REGGIE: So some in-house general counsels at FinTechs tend to be generalists or are rotating into FinTech for the first time.
MATT: Right – a lot of lawyers a founder might hire won’t qualify to be the compliance officer under state laws.
I regularly advise founders to decide based on whether their GC has compliance officer experience and if not—whether they have someone in-house, that they trust who does.
This is for the good of the company and shouldn’t be a vanity or popularity contest, and your GC of all hires should get that and go with the flow.
The other thing I advise folks on is to not give away too big of a title too soon.
Like most banks only require you to appoint a BSA officer. That lets you give out a “consumer compliance officer” title to someone else if they’re a better fit, or if you need to split titles for retention purposes.
Same thing on giving out the “chief” compliance officer title. Save this for when someone earns it and is ready. Or if you need to hire over your current team, but don’t want them to leave.
What makes a good chief compliance officer?
MATT: I think there’s a few key elements.
The first is a good compass on legal requirements, and how to operationalize them.
If your compliance officer has a firm understanding of the law – or a lawyer they trust and lean on to help them get there – they have the right starting point.
Next is the ability to balance the legal requirements vs. the risk vs. the business opportunity. Sanctions is a good example of this because it’s black and white at the 30,000 foot level, but really gray and fuzzy as you get closer to the work.
US law says don’t do business with people on the SDN list. That’s clear.
Some compliance folks will take this to extremes and say you need to screen everyone 100% and constantly re-screen to ensure compliance.
And sure that’s one way to do it – but a super strict view could also strangle your business. Or be out of whack with what competitors are doing to run their products and build market share.
A great compliance officer can identify the risk related to the requirement. For example, if your customers need a US bank account to use your product, they’ve already been screened somewhere else. So your customer population is less risky.
Off of this, maybe it’s OK to lag your sanctions screening and do it next day or allow the minimum use of your product.
And more importantly – to get something launched, you might need to live in this gray zone because your product and engineering teams can’t deliver the tooling you need to do real-time sanctions screening until after launch.
If you’re in a small startup - you need to get the product out the door to find market fit and also get revenue going. A good compliance officer gets that and is going to help you find the safest and fastest way to launch.
The last key element is compliance officer and founder/CEO fit. If you’re a founder looking for your first compliance officer, hire someone you like and can respect. Because you’re going to have tough conversations with that person and you and the other execs are going to spend a lot of time with them.
What are some common pitfalls for compliance teams?
REGGIE: The big one that comes to mind is compliance can sometimes become a dumping ground for other functions. Especially vendor management, risk and fraud, and partnerships work. Partnerships here mean partnering with banks and other critical third parties.
What about you Matt, are there any pitfalls that come to mind?
MATT: Keeping clean reporting lines to drive accountability can be an issue. In other words, compliance shouldn’t report to other functions.
They should be focused on AML, sanctions, etc. If they report to other functions like, say, partnerships or risk, then scope creep that’s sub optimal for the company becomes a problem.
Reporting to other functions also blurs the first and second line. You want to make sure the business doesn’t have full power to overrule compliance.
If you want a deeper dive on compliance, check out these resources.
- Explainer on fintech AML requirements
- How to build a compliance program
- How to build and scale a compliance team
- How to build your US KYC/KYB operations
For access to quality legal templates, visit our free Legal Library.
If you liked this episode, subscribe to the podcast on your favorite podcast app and give us a review on iTunes.
About Fintech Layer Cake
Fintech compliance. It can be complicated and overwhelming — even if you've been in the industry for a while. But what if there was a podcast that made learning about it a piece of cake? That's what Fintech Layer Cake is about.
It's hosted by two popular fintech lawyers, Matt Janiga and Reggie Young. In each episode, they use their experience from working at companies like Lithic, Stripe, Square, and BlueVine to break down some of the toughest topics in fintech.
Listen on iTunes, Spotify, or your favorite podcast app.