How to Build and Scale a Compliance Team

In this guide, we provide guidance on how to build a compliance team from scratch, covering everything from staffing to responsibilities.

It also contains tips on how to scale your compliance organization across each company stage and tackles a few topics like the difference between compliance and legal, whether or not to give your general counsel the chief compliance officer title, and how to use technology to cut down headcount.

For a deeper dive into compliance, check out some other resources:

Founder TL;DR

  • Fintech compliance teams tend to focus on anti-money laundering (AML), sanctions, and conduct. This means helping detect and report suspicious financial activity, avoiding business relationships with prohibited people and entities, and ensuring business and customers are compliant with various regulations.
  • Your compliance program should be commensurate with your company’s risks and resources. Many consultants and compliance professionals want to go straight to the battleship of compliance functions, but that’s not practical or necessary for most fintechs.
  • Don’t over-hire or hire too early. Compliance professionals are highly skilled and expensive, so you probably want to use tools and consultants before you hit product-market fit.
  • At scale, your compliance organization will typically be structured around four key areas: compliance, risk, financial partnerships, and vendor management.
  • Documentation is a skill, and not everyone has it. Keep that in mind as you build your compliance function and staff your teams.
  • Square, PayPal, Stripe, and others spent millions building internal systems and staffing teams. Today you can build a similar setup using technology from Alloy, Hummingbird, and Persona.

Compliance in a nutshell

Compliance is a broad term that encompasses second-line teams in a company’s control function. It’s really critical to make them independent from the business units, and also give them the agency to correct errors and issues.

In fintech, compliance tends to focus on anti-money laundering (AML), sanctions, and conduct.

Legal helps interpret guidance and navigate gray areas to figure out what the company needs to do. It also helps with contract negotiations, employment issues, and other matters.

Compliance focuses on implementing and running the day-to-day operations. This can include confirming customers aren’t on sanction watchlists or that they’ve provided the right KYC elements.

But there’s often overlap. Good compliance professionals often help do some of the legal work, especially at early companies.

The role of compliance in your organization

So what does a day-in-the-life look like for a compliance team? I’ve been on high-performing teams at Square, Stripe, BlueVine, and Capital One (and now we’re building one at Lithic). Here’s how I think about the day-to-day role of compliance.

  • Governance: setting the rules for what you focus on and how you operate. This includes documenting and updating the policies, procedures, and playbooks.
  • Operations: building and running operations to honor the policies and procedures. This includes running queues for AML tasks like KYC escalations, sanction hits, transaction monitoring, and SAR/UAR filing.
  • External Requests: often triggered when the bank wants more information to fill in its compliance files or to check controls. More established fintech sponsors will also have monthly, quarterly, and annual oversight requests. You’ll need someone staffed to block and tackle these when you’re smaller, and you should automate reporting over time to keep your headcount low.

This list of responsibilities can also expand based on your product and regulatory type.

  • If you’re big into consumer products, you might need or want a consumer compliance division.
  • If you’re in the securities space (investment advisor or a broker-dealer), you’re going to have your own governance and QA responsibilities that fall outside of a typical card program.

For guidance on how to build an AML customer verification function, check out our KYC/KYB Operations Guide.

The four pillars of a compliance function

At scale, your compliance organization will typically be structured around four key areas: compliance, risk, financial partnerships, and vendor management.

How to structure your compliance function by stage

A key guiding concept for founders is to make sure your compliance program is commensurate with your company’s risks and resources.

Many consultants and compliance professionals coming from banks want to go straight to the battleship of compliance functions, but that’s not practical or necessary for most fintechs.

Let’s break down what compliance should look like at each stage.

Before product-market fit

At this stage, I probably wouldn’t over-invest in an in-house compliance function.

Your bank or infrastructure partners will often have a policy. Our bank sends us their updated policy once a year and we review it to see if we’re meeting their expectations.

Instead, tap a business person to read the policy and make sure your product blocks and tackles key requirements. If you get stuck, there are a bunch of great consultants that can help you identify policy requirements and design processes and operations to drive compliance forward.

Series A - B

After you find product-market fit, you should consider investing in compliance if you’ve built a good customer base, you’re scaling, and have raised a healthy round of financing. Your first compliance hires should depend on your existing team’s capabilities.

If you have seasoned founders or an in-house attorney who understands compliance needs, you can use your budget to bring in a mid-level manager who can take direction, manage analysts and help you scale.

Your more senior, non-compliance person can help them balance commercial and compliance needs, and also start to build alignment with your C-suite. Ideally, this person is growth-oriented and can keep growing into the role as your needs call for a more senior hire.

If you get stuck and can’t find a good candidate at the manager or director level, I’d recommend getting a great analyst who can help you block and tackle. They might need more direction and coaching, but they’ll give you a good lift.

Series C or later

One of the key things for this stage is to have your functional lines broken down. I lived through this at Stripe and now we’re in the middle of this at Lithic.

In 2021, we identified that we were entering a stage of hyper-growth so we re-organized our internal teams to focus on three areas:

  • KYC and Sanctions: to help us safely onboard customers to both Privacy.com and Lithic
  • Transaction Monitoring: to help us effectively identify suspicious activity and fraud
  • Operations: to help our API customers take the right steps to keep themselves, Lithic, and our bank sponsor safe; and also to help manage requests from our many bank partners.

For guidance on how to build a compliance program, check out our Compliance Program Guide or Compliance 101 podcast.

Hiring tips as you build your compliance team

Here are a few particular skills and considerations for you to think about as you’re hiring a compliance team.

First compliance hire

Your first compliance team member should be a policy person who can drive the “what” and “how” on AML, sanctions, and any other regulations you need.

  • This person should have a good balance between enabling the business and keeping the organization safe. Ideally, this means having sufficient sales skills to get your partners comfortable with your program.
  • They should also know not to sweat the small stuff. Early on, there will be a lot of missing parts and/or areas that need fixing so it’s important they don’t get concerned over every little thing.
  • Most compliance professionals will either be AML or product-specific focused. They will likely only be subject matter experts in one area, so try to find someone with growth potential and a love of learning. If you have the budget, try to find two subject matter experts.

Operations leader

Unicorn hires will have both substantive knowledge and key operational experience.

  • This person has put together systems and teams to deal with KYC queues, sanctions queues, AML monitoring, and SAR filing. If someone has built or run one of these functions, then they can probably do the others.
  • AML monitoring and SAR filing are the most complex due to regulatory timelines and judgment calls around when something flips from being “unusual” to “suspicious”.
  • This person should be capable of being a people manager. Depending on the volume and your internal tooling, you may need two to five heads at scale to manage this work.

Finding people who can do their own documentation and tidying up to make sure documentation matches processes and vice versa is also key. Our KYC lead at Lithic is really fantastic about this and is obsessively driven to document things in her space. It’s a huge lift for our team and we’re beyond fortunate to have her at the company.

Compliance team members

  • Banks will want you to share data and sample various queues and process results to prove your system is working. A junior person can be trained to manage these lower-level tasks.
  • Your junior folks will also need to review KYC and sanctions queues, and eventually do AML monitoring for suspicious transactions and SAR filings.
  • SAR filings are like mini mystery novels. You need to draft a narrative of the facts, and plug in your supporting evidence. Then they go to FinCEN.
  • An internal hire from customer service or risk could be a good move.

General Counsel vs. Chief Compliance Officer (or both)

Some companies will make the General Counsel the Chief Compliance Officer. Others don’t.

Your north star should be whether your General Counsel has experience with high-quality compliance organizations and strong AML/sanctions expertise. Your top compliance hire should be an expert. Putting someone with inadequate expertise in charge of that expert can chafe them and eventually cause them to leave, leaving you without the right experts to run a critical part of your organization.

If your General Counsel and top compliance staffer have equal experience, then consider promoting the latter. Keeping that hire happy and engaged will pay off in the long term.

Other good considerations:

  • Reporting lines and how many direct reports go to your CEO/COO
  • Whether your General Counsel can be a good mentor/manager for the CCO

Sample org chart for your compliance function

Using technology to cut down headcount

Square, PayPal, Stripe, and others spent millions building internal systems and staffing teams. You can build a similar setup using technology from Alloy, Hummingbird, and Persona.

There’s a handful of things you should weigh when considering a technology vendor:

  • How easy is it to integrate with the vendor? Six to twelve months is too long. Ideally, you’re looking for someone you can integrate with within a few weeks.
  • How do the vendor’s features fit your business needs? You need the ability to close and re-open cases. That’s table stakes for case management. Another example is bulk closures. If you deploy a bad transaction monitoring rule, can you easily close all the cases it triggers in bulk?
  • Can they scale? We’ve seen some vendors break under the scale that Lithic and Privacy.com have. Web-based portals in particular can slow down or break if your datasets are too big. As a rule of thumb, your vendor should be able to cover your next 24 to 36 months of operations. That way you don’t have to constantly be ripping them out.
  • How much do they cost? Vendors are all over the map on costs and some are charging as much as a compliance officer’s salary. Founders should definitely compare vendors in this space to get the best price, especially because things like transaction monitoring are not generally a differentiator for your business.

For recommendations on various tools, check out our compliance program guide.

Tips for founders and compliance leaders

  • Don’t let compliance be a dumping ground for things that don’t have a home. Avoid dumping odd jobs into compliance or you’ll risk shortchanging key functions. Keep lines clean to drive accountability and ensure you’re not underinvesting in a key function.
  • Don’t over-hire or hire too early. Compliance professionals are highly skilled and expensive, so you probably want to use tools and consultants before you hit product-market fit.
  • When you need to give away a title, start small. Most bank partners want a BSA officer or a compliance officer. You can save the Chief or Global title for when the person performs, or for when you need to bring in an external hire to help scale.
  • Don’t just give your compliance officer title to your in-house counsel. Make sure they have the experience and judgment to help balance compliance and business opportunities. Some lawyers can do this well, but other times your best bet will be a seasoned compliance professional who knows the quirks in the laws and how your product can ride on top of them.
  • Compliance is rule-abiding, blocking, and tackling. If you already have someone who fits that mold, find a business enabler to pair with them. This could be your in-house attorney (e.g., product counsel) or a policy-focused hire (i.e., written policy, not DC policy).
  • Make sure you have someone who can explain why what you’re doing is okay to your bank partners. This could be your compliance policy hire, attorney or a financial partnerships hire.
  • Documentation is a skill, and not everyone has it. Keep that in mind as you build your compliance function and staff your teams.

Contact us if you need help with card issuing or have questions about building a compliance function for your fintech.