CardsFTW #52: Cranky Payments Guy Reminds Everyone About Fintech Compliance

Plus, back in my day, we just called it payments!

Happy New Year! I’d like to start the year with a note of appreciation for you, my readers. Issue 52 represents a year’s worth of weekly newsletters, although it took me well over a year to get here (more than two!). I am honored to have more than 1,100 people subscribing to CardsFTW. I wish each of you the best in 2023!

Compliance, Compliance, Compliance

With the full recognition that this week’s edition is going to be equivalent to me standing on my porch yelling “get off my lawn” at the neighborhood kids (which I actually did once), I’d like to spend some time writing about the importance and challenges of compliance in startup card businesses (and in fintech at large).

Cards are a part of the payment and banking system, which is among the most heavily regulated parts of the economy. When you move money, you create substantial amounts of risk: fraud-related risks, privacy risks, issuing risks, and legal risks, to name a few. A long list of tasks is required to create accounts and move money, such as verifying a user’s identity, checking if the user is on a sanctions list or operating in a sanctioned country, etc. You must store data appropriately and for an appropriate amount of time. You have to respond to complaints and disputes in a timely manner, and so much more.

When I think about what compliance means, it is not just the rote memorization of legal terms and following them, but truly following the spirit and the letter of the law. Compliance includes protecting your users from fraud, protecting your company from attacks, and ensuring your reputation is strong.

Compliance isn’t only that obnoxious training you must take; it’s everything you need to protect and steward your customers’ funds.

Compliance is very expensive. In the past ten years, conventional wisdom has been that starting a company is cheaper than ever. Pay-by-the-minute compute power at Amazon Web Services is cheaper than building and racking your own hardware server. The proliferation of easily available software tools has meant you could easily plug in a low-cost API to do some task where previously you needed to build something.

We even have companies promoting compliance-as-a-service. I don’t think you can outsource a compliance-oriented culture.

The reality is that while there was a period where less expensive startup costs existed, it has largely passed us by and generally doesn’t apply to fintech or card startups.

The number one reason it doesn’t apply is that people are expensive, especially experienced and qualified people. The second part is that compliance is expensive and tends to involve… a lot of people.

If I were building a debit card program from scratch, I would want to start with great fintech attorneys to help me craft proper deals with my bank, network, and users. I would want to ensure that my development team builds my systems with appropriate monitoring, zero-trust security frameworks, and complete disaster recovery. I would want an onboarding process that verifies a user’s identity, scores them for fraud risk, and ensures that they are who they say they are.

All of this is expensive and antithetical to what we commonly think of as lean startup methodology or building a minimum viable product. When companies fail, we founders often talk about how we built for scale too early or didn’t iterate enough to find product-market fit. I am sure those reasons are part of it, but it is far too late if you wait to add security, risk management, and compliance until you have scaled. You will have likely lost large amounts of money, some user trust, and some of your reputation.

It’s becoming increasingly hard to build a fintech product on the cheap. You can use platform providers to help you bring down the cost and complexity (and they will), but you cannot outsource a culture of compliance, and you cannot cut corners without paying a price.

As an industry, we will spend a fair amount of time debating what went wrong in crypto in 2022 and what went wrong with card programs with flagrant compliance violations (I’m looking at you, Zelf). If we want to take on the big banks and card issuers, and have customers truly trust us with their money, we have to repeat the mantra: compliance, compliance, compliance.

One more thing: stay off my lawn.


Thanks for reading CardsFTW, an occasional newsletter about debit and credit. It is written and curated by Matthew Goldman, President at Apto Payments. If you enjoy it, please share!
