1. When about to raise, raise your compliance game
Increasingly, investors are asking about companies' approaches to risk when they are trying to raise funds. This is especially so when they are serving certain countries or using crypto. Many investors are well aware of the issues these can pose. Investors will be thinking about your exposure and your time to market, and they will want to know they are not buying into any risks hidden within existing compliance practices. A company’s approach to risk does have an influence when raising VC.
The days of having a great idea being enough for VCs are gone. Businesses need to demonstrate a proposition that shows excellence and rigour across all fields in their business. This includes an excellent understanding of compliance, and showing that compliance is a core part of your program in-house - or that you have outsourced it to a reliable, external vendor and have a governance framework to manage this.
2. Take responsibility
Whichever approach you take to licensing, the responsibility is on you. If you choose to launch via a Principal firm remember it is a two way relationship. Don’t rely on what the Principal firm is telling you, do the research yourself so you understand the firm you will be working with. As well as this, you need to understand what the general rules of being a regulated entity are so you know what your risks are. Educating yourself is important. If you know your risks, you can vet the Principal as much as they are vetting you. By doing the right due diligence, you will truly understand who you are working with.
3. It’s not one-size-fits-all
Don’t automatically accept the sales spiel of what you are getting from your Principal or outsource provider. For example, a BaaS provider may bundle separate concepts/services into one product as part of their undeniably convenient offer. The decision to build, buy or partner should always be an active and informed one. You need to educate yourself on the pros and cons of different options and how these fit into the over plan for your firm.
4. Remember, bad actors love start ups
With any Fintech start up there is an increased risk that your platform is going to be attacked or misused by bad actors. They will want to see how easily they can get into your platform. They will want to know if they can use you for money laundering. They will tell other bad actors if you are an easy target. You won't see it coming. One of the best things you can do to mitigate this is testing. You can test at the outset and on an ongoing basis once there’s data in there. Testing will inform you about what provisions you need to put in place as you grow and have clients onboarding. Consider that you will need to test the platforms you have implemented. Test the risk-based approach you’ve undertaken. Think about how you use the data you have collated to identify the bad actors and get them out.
There are thousands of ways people can access your systems. That’s why it’s so important to interrogate what sort of person would want to access your account. Sit down and think through what type of crime am I potentially assisting?
“Getting regulated means you have more responsibility, potentially can offer more services, and therefore have more control over the processes and customer experience.” Kanisha Patel, Head of ComplyLaunch, ComplyAdvantage
5. Have a plan
Having both a short-term and long-term plan is essential to ensure you do all the things you need to do to ensure your business is on the right regulatory path. Consider what are you going to do to get to market, understand where your vulnerabilities are, and also what limitations you have around offerings and control of the customer experience, and what’s the plan longer term. Checking your governance, your risk appetite, the need to hire more people during a growth period. Plan ahead, be prepared!
6. Interrogate your underlying risks
We deal with risk every day just crossing the street. It’s just the same in business. To really make compliance work it needs to be a risk-based approach. Especially when it comes to financial crimes controls. So, really understand your typology, really understand what it means to put a risk-based approach in place. Truly understand what the underlying risks are and who your clients will be. That way, you protect yourself, and your consumers by not allowing bad actors in. It’s not just about putting a flashy onboarding tool in place.
7. Compliance is a journey
The compliance journey for Fintechs is like a curve. In early stage startups, policies will always include a policy on anti money laundering (AML). This is expected, because they need to onboard customers - it’s an immediate need. There is also reasonably clear guidance from the regulations on AML, so startups know what to do. The next stage of the curve is around governance and safeguarding. Then, the top of the curve is about conduct and customer behaviours. The expectation now from VCs is that new firms go up the compliance curve very quickly.
8. Show your workings
If you’re a start up you need to quickly transition from having a very nice set of policies and translate them into procedures that actively show how that’s going to work in your procedures, and accurately reflect your risk-based assessment. So for example a startup could say they are going to outsource onboarding, but that they are going to take care of sanctions screening as it’s embedded in their platform. If a third party, either a VC or the FCA, looks at you they will expect the framework to reflect absolutely what you are doing on the ground.
“When you are in the build phase, you tend to tick boxes, and this can trip you up as a new firm.” Will Staples, MLRO, Currencycloud
“Most of the time loads of great compliance processes are happening on a daily basis, but if you can’t evidence these within your documented policy and procedure framework, then you may as well have not done them.” Heather O'Gorman Head of Financial Crime, Thistle Initiatives
9. Keep on top of the sanctions world
When it comes to keeping on top of what’s happening with sanctions, it’s important to have robust systems. Your chosen screening solutions must have the latest sanctions updates, and must flag any new risks on your customers and any risks relating to world politics across the board. If you’re launching in a new country, or a new product, new typologies where you need to add new rules to address new risks, you will need to have a great relationship with your vendors who will help you get the most out of your systems and advise on how to implement some of these changes to mitigate risks.
10. Know what, and when, to outsource
Think about the high impact of getting things wrong. Internal manual processes for sanction screening are prone to error. Save your people for the high worth, high value things. Build relationships with your vendors as they will help you get the most out of your systems. On the flip side, you always want to test your systems. You are responsible for constantly checking and working with your vendors.
“Regulators actively encourage automation. For example, Robinhood got a $30 million fine from the FCA because they were using a manual system to operate their new crypto offering. The regulators said they needed this process automated because of the size of the business and volumes traded.” Kanisha Patel, ComplyAdvantage
“Understand your business and your product , and you will understand your risk. If you have a low-risk product targeted at a low risk domestic market you don’t need all the bells and whistles a compliance vendor will sell you.” Will Staples, MLRO, Currencycloud
11. Ask questions
RegTech is enhancing compliance processes. But it’s only as good as you understanding your risks. Be sure to get advice from your vendors so you aren’t getting systems and not making the most of them. They need to be tailored to your risk and your risk appetite.
12. Meet FCA safeguarding expectations
If you are mis-representing your service to your customers, you are not safeguarding effectively. You must be transparent with your customers. For example, firms shouldn’t tell their customers they are a bank or that their funds are covered by the financial services compensation scheme (it doesn’t cover EMIs). The FCA has a clear line in the sand that they will go after firms that misrepresent themselves. Additionally, if you are a new entrant to the market, you should understand how a principal does their safeguarding, ask if they are meeting their obligations, and see how this will fall back to you, and you have to be responsible for safeguarding. If this isn’t clear this could impact you negatively. If the Principle falls down, what are you on the hook for?
“Speaking to other companies in similar spaces to you is a great way to assess what type of crime you are at risk for. There will be common themes: the types of fraud that are happening are similar across similar Fintechs.” Kanisha Patel, Head of ComplyLaunch, ComplyAdvantage
These are just a taster of what we discussed around compliance. If you’d like to discover more about how we can help ensure you don’t get into hot water with your compliance, talk to one of our team of experts to see how partnering with Currencycloud can help you.