Tips for hiring Risk and Compliance in Fintech - the real unicorn 🦄
Sooner or later most Fintechs will need to hire a person or team to manage Risk and Compliance. For Digital Banks, Payment Service Providers or companies using Open Banking this will likely be to help meet regulatory requirements, but even non-regulated companies who need to sell or partner with regulated companies will need some expertise in this area.
While it may seem like Risk and Compliance is a generic area which anyone with some prior experience can cover, in my experience getting this person wrong can cause big problems for tech companies needing to release trustworthy products fast.
Why is the role so important?
In an early stage business, risk taking is key. The early activities someone from risk and compliance will lead on — setting a risk framework, policies etc. — will define how the whole company makes decisions about what risks are most important and which to take. If this is done wrong or someone copies exactly what they did at their previous company, this can set your company up for months of bad decision making.
Another watch out relates to the friction and waste which Risk and Compliance processes can add to your product production processes if done wrong. This is a particular risk if your hire doesn’t understand the fundamentals of how you produce a product, for example agile software delivery. I have seen (multiple) examples of delivery teams being asked to produce long Word based documents or PowerPoints for each technology release. Given that modern technology companies do multiple releases per day this is not a workable model for a Fintech. This kind of thing can slow you down, create friction internally and often ends up with teams circumnavigating the processes blocking them. Ultimately this makes your Risk and Compliance activities detached from what is actually happening in the company and consequently of little value.
Why is it hard to find the right person?
There are two main reasons I believe it is hard to find good people for Risk and Compliance in Fintech.
- There are few people who have a good grasp of agile, technology and risk. All three of these are needed to design customer centric approaches to risk and compliance which integrate into a digital business.
- Compliance is based on following tried and tested approaches, most of which have been developed for non-digital organisations. It’s rare to find people who can use first principle thinking to differentiate between what is done through habit and what the regulation really requires.
For companies looking to expand internationally, there are additional challenges as the regulatory requirements can differ a lot between countries, particularly outside of Europe. When hiring someone with experience from a larger organisation, there will normally be a trade-off between someone who has worked hands on in one country or someone who has worked at a strategic level across multiple countries.
What to look for when hiring Risk and Compliance in Fintech
Based on my experience, these are the four things I would prioritise when hiring Risk and Compliance in Fintech.
- Understands agile software development. If you are at heart a technology company this is the production process for your business. It is very important that your production line is not disrupted by teams outside of this. If the agile manifesto is at the heart of your software team’s approach to work, other teams such as Risk and Compliance should also subscribe to this and develop their processes in a way which takes this into account.
- Understands technology. As fintech company, a lot of your risks and controls will be technology based. If someone doesn’t have a basic understanding of the technologies you are using, it will be hard for them to make sense of the materiality of different security and resilience risks against other operational risks. Beware of generalist risk and compliance people who claim it’s not necessary to understand the technology to assess the risks — I’ve never seen this to be the case.
- Continuously learns and experiments. When someone joins your company they will be designing ways of doing risk and compliance based on what they have seen done previously. Most of the approaches currently used for risk and compliance have not been designed with technology companies in mind so need some critical review and redesign. While this is a tricky task, hiring someone who at least appreciates that current methods need changing and wants to explore new approaches is a good start. Beware of anyone who comes armed with policies or processes from a previous company — this may sound like a time saver but is more likely to be a case of trying to fit a square peg into a round hole.
- Does not misuse PowerPoint and Word. Hours of time are wasted everyday in risk and compliance teams creating slides in PowerPoint full of information which likely not be read and will immediately be out of date. Someone who is open to ditching PowerPoint in favour of collaboration and data driven tools will help create a lean, forward looking team.