Sooner or later most Fintechs will need to hire a person or team to manage Risk and Compliance. For Digital Banks, Payment Service Providers or companies using Open Banking this will likely be to help meet regulatory requirements, but even non-regulated companies that need to sell to or partner with regulated companies will need some expertise in this area.
While it may seem like Risk and Compliance is a generic area which anyone with some prior experience can cover, in my experience getting this person wrong can cause big problems for tech companies needing to release trustworthy products fast.
Why is the role so important?
In an early-stage business, risk taking is key. The early activities someone from risk and compliance will lead on — setting a risk framework, policies etc. — will define how the whole company makes decisions about which risks are most important and which to take. If this is done wrong or someone copies exactly what they did at their previous company, this can set your company up for months of bad decision making.
Another watch-out relates to the friction and waste which Risk and Compliance processes can add to your product production processes if done wrong. This is a particular risk if your hire doesn’t understand the fundamentals of how you produce a product, for example agile software delivery. I have seen (multiple) examples of delivery teams being asked to produce long Word-based documents or PowerPoints for each technology release. Given that modern technology companies do multiple releases per day, this is not a workable model for a Fintech. This kind of thing can slow you down, create friction internally and often ends up with teams circumventing the processes blocking them. Ultimately this makes your Risk and Compliance activities detached from what is actually happening in the company and consequently of little value.
Why is it hard to find the right person?
There are two main reasons I believe it is hard to find good people for Risk and Compliance in Fintech.
- There are few people who have a good grasp of agile, technology and risk. All three of these are needed to design customer-centric approaches to risk and compliance which integrate into a digital business.
- Compliance is based on following tried and tested approaches, most of which have been developed for non-digital organisations. It’s rare to find people who can use first-principles thinking to differentiate between what is done through habit and what the regulation really requires.
For companies looking to expand internationally, there are additional challenges as the regulatory requirements can differ a lot between countries, particularly outside of Europe. When hiring someone with experience from a larger organisation, there will normally be a trade-off between someone who has worked hands-on in one country and someone who has worked at a strategic level across multiple countries.