The Visible and Hidden Layers of Compliance

February 17, 2023

Compliance management is an essential part of the fintech industry, but have you ever considered the extensive and often unseen work that goes into ensuring your fintech remains compliant with regulations, industry best practices, and internal operational standards? A running joke here at AskDegree is, if you can see it, it’s an iceberg; they’re all icebergs as far as the eye can see. In other words, there are always hidden layers to each compliance task.

Compliance is a critical aspect of the fintech industry. A compliance management system ensures that companies operate ethically, that the companies you partner with operate compliantly, and that the interests of customers and investors remain protected. There are visible layers (e.g. policies and procedures) and many hidden layers (e.g. data retention practices) of compliance management that companies in the fintech industry must navigate to achieve and maintain a healthy risk management posture.

In this article, we will explore the iceberg concept, giving examples of the layers that are easy to spot as well as those that are historically hidden. As we near the midway point of Q1 2023, our hope is that this information can be used to help strengthen your compliance management strategy for this year and beyond.

Navigating the Complex Regulatory Landscape

The most visible layer of compliance responsibility in the fintech industry is navigating the complex regulatory landscape. At face value, this may seem like an easy area to keep in check: if there is a regulation, simply create a policy describing how the company will manage its responsibilities under that regulation and you’re done. Right? Wrong! Regulations change, especially in hot-button areas such as AML, data security, privacy, and third-party risk management (e.g. supply chain risk management). Remaining abreast of changes can be difficult, and companies often fail to keep up with new and evolving requirements for two simple reasons: (1) they don’t know where to look, and (2) they do not have a built-in mechanism to spot, analyze, and integrate new regulatory information into the organization.

For instance, many fintechs that we have worked with have not even considered that the DOJ is an agency of importance to monitor for guidance. If you have not read the DOJ’s Guidance on the Evaluation of Corporate Compliance Programs, we have linked it here for your convenience.

Moreover, requirements can differ from state to state, country to country, product to product, and target customer to target customer, not to mention the third-party requirements that may come into play if you are leveraging financial infrastructure service providers.

Complexity in operations will directly influence the complexity of managing your regulatory obligations. Companies operating in multiple jurisdictions, those offering multiple products (e.g. a lending product and securities products), or fintechs that target both consumer and commercial customers will find management of the regulatory landscape exponentially more challenging.

Establishing a mechanism to continuously monitor regulatory movement is paramount to keeping a handle on this area. This requires significant resources and expertise to ensure that the company is meeting its obligations.

Managing Internal Policies and Procedures

Policy and procedure management often has hidden layers. As implied in the previous section, policies are not documents to be created once and placed on the proverbial shelf. Policies should be reviewed at least annually and are subject to change based upon regulatory updates, feedback from audits, and newly introduced requirements of integrated third-party partners (note that this is not an exhaustive list).

Procedures often require changes several times per year, especially in rapidly scaling and evolving organizations. The introduction of new systems, automation of once-manual processes, and segregation of roles are all operational improvements that will likely create a need to update the operational procedures. Why are timely procedure updates important, and what hidden layers could exist in this area?

Beyond the obvious reasons of standardizing practices and having a uniform way to share knowledge within an organization, proper procedure management is important for hidden compliance concerns such as audit management, internal disciplinary efforts, and remediation strategies.

Audits & Remediation

Mapping procedure versions to clear-cut points in time helps to narrow the scope of both audits and systematic errors. Being able to easily identify when certain practices were in effect in relation to operational activity is invaluable in high-transaction-volume environments. Narrowing the scope of an issue from 10,000 files to 300 can be the difference between a few days of work and a few weeks of work, or the difference between notifying a handful of customers or thousands of customers of an unpleasant error.

Disciplinary Efforts

If you talk to most HR professionals, they will tell you that if you want to discipline an employee or contractor for violating a procedure, the procedure had better be written down, and you should have a documented acknowledgement from the party in question that they reviewed the procedure. Procedures that are only shared verbally, or worse yet, written procedures that do not mirror actual practices, are difficult to enforce in disciplinary situations.

Instilling the habit of updating the procedure when making changes has a positive impact on several areas of the organization beyond those stated above, including hiring and onboarding, mergers, and company acquisitions.

Other Hidden Layers Impacting Compliance 

There are other hidden layers of compliance in the fintech industry that are equally important but less visible. These include:

  • Third-Party Risk Management - Outsourcing Operational Tasks:
    Fintech companies must conduct regular risk assessments of third-party vendors to identify potential areas of non-compliance and implement measures to mitigate them. A key point to remember is that you can outsource the work, but you cannot outsource the compliance responsibility.
  • Record-keeping:
    Fintech companies must maintain accurate records of all transactions to ensure that they can provide the full record when required. Having the “data” in the “system” is the tip of the iceberg. Retrieval of the complete record is usually the hidden requirement. Complete records include data such as decisions and offers generated by decision engines, complete copies of marketing emails, and application communications, including declination notices and reasons.

As we have seen simply from discussing policies and procedures, the visible layers of compliance are just the tip of the iceberg. There are numerous hidden layers of work that go into achieving and maintaining compliance in the fintech industry. However, a robust compliance management system can help navigate this complex landscape and ensure that your company is meeting regulatory requirements.

A robust compliance management system serves as a framework for compliance and provides a comprehensive approach to managing compliance obligations. It involves identifying the specific regulations and standards that apply to your company's operations and developing tailored policies and procedures to meet these obligations.

The hidden layers of compliance work, such as navigating the complex regulatory landscape and managing internal policies and procedures, can be time-consuming and challenging. However, a robust compliance management system can help ensure that your company is meeting regulatory requirements and can provide a roadmap for compliance work.

We will explore the key components of a robust compliance management system and how it can help fintech companies stay ahead of regulatory changes.

The Crucial Role of a Strong Compliance Management System in Fintech

It is essential for fintech companies to appreciate and understand the hidden layers of compliance work in order to better allocate their resources and ensure compliance in a complex regulatory landscape. A robust compliance management system managed by a seasoned compliance team will ensure that a company is proactively meeting regulatory requirements.

Ultimately, companies that prioritize compliance management and invest in compliance resources are more likely to succeed in the long term. By doing so, they will not only maintain surface-level compliance but also optimize their operations and minimize the risk of operational waste, leading to a positive reputation and long-term success in the fintech industry.