In this episode of Payments Pros, Carlin McCrory is joined by Matthew Goldman, founder of Totavi, LLC and publisher of CardsFTW, to discuss operational compliance for card issuers. Their conversation highlights essential practices for maintaining compliance, such as tracking transactions and monitoring systems effectively.
Carlin and Matthew examine the complexities of card programs, identifying common pitfalls and exploring strategies to enhance partnerships with banks and customers. They emphasize how compliance can serve as a revenue enabler rather than merely a cost center. Through practical approaches, such as refining marketing collateral approval processes, they discuss ways to streamline operations and support growth effectively.
Matthew shares insights from his extensive fintech experience, offering perspectives into industry expectations and the complexities of card products. Carlin and Matthew's discussion underscores the importance of having the right team and partners to navigate compliance challenges successfully.
Payments Pros – The Payments Law Podcast — Enhancing Card Partnerships and Compliance: A Conversation With Matthew Goldman
Host: Carlin McCrory
Guest: Matthew Goldman
Carlin McCrory:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke Podcast, focusing on the highly regulated and ever-evolving payment processing industry. This podcast features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. I'm Carlin McCrory, one of the hosts of the podcast.
Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanFinancialServices.com. Don't forget to check out our other podcasts on Troutman.com/Podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, and more. Make sure to subscribe to hear the latest episodes.
Today, I'm joined by Matthew Goldman to discuss the intricacies of operational compliance for card issuers. We will examine common pitfalls and explore cost-effective strategies along with simple actions that can enhance partnerships with banks and customers. Additionally, we will address FinTech expectations and clarify myths surrounding card issuing compliance.
Matthew is the Founder and Managing Member of Totavi, LLC, a boutique consulting firm specializing in FinTech, where he leverages extensive operational experience from startup to public company leadership to create innovative FinTech products. Additionally, he publishes CardsFTW, a leading industry newsletter focused on credit cards, debit cards, embedded finance, and all things related to card technology. Matthew, thanks so much for joining me today.
Matthew Goldman:
My pleasure. Thanks for having me here.
Carlin McCrory:
Well, we'll go ahead and jump in and I'll ask you my first question, which is, what does operational compliance actually look like day-to-day for a card issuer?
Matthew Goldman:
I think that every day, there's a lot of little tests that add up to being compliant and passing your end-of-year, or quarterly audits. A big part of it is making sure everything is recorded and tracked. Every transaction, obviously, that should be in your database, but every customer complaint, every piece of feedback. Then, the second part of that is really monitoring the system. I think, especially in FinTech with the software technology mindset, a lot of folks feel like, “Oh, I built this thing. I know how it works and I'm just going to move on.” But a big part of financial services is the monitoring and testing of that.
Making sure that your database is storing these properly. You're not accidentally leaking data into the database. A lot of startups may have trouble with leaking personal information into a log, for example. As well as checking like, did those rewards actually work right? I promised a reward to a consumer, and I said I would give them five points at gas stations. Did I check that my system actually records that properly? Then finally, the fraud and suspicious transaction stuff. I think there's a perception that AML is like, you can just set it and forget it. It's just a monitoring thing on it. But there's always new innovative ways people like to launder their money. And so, you really need to be on the lookout for suspicious patterns and behaviors.
It's really just about that daily practice. Having your compliance and ops team saying like, every day we're going to do these 10 things, we're going to write them down. Then at the end of the month and quarter and year, it's really easy to have confidence and say like, we know we did all the things we were supposed to do.
Carlin McCrory:
Right. I'm sure some of that is probably making sure that the policies and procedures stay up to date, and they're actually tracking with what the business is doing, so to speak. I mean, we've seen so many of the consent orders talk about having adequate policies and procedures. I don't know if you have thoughts on that.
Matthew Goldman:
Yeah, absolutely. I think, back to that same idea of set it and forget it: policies and procedures, I think, are thought of that way, but they are not, right? A famous problem is you did something, but you didn't actually follow a procedure that you outlined in your policies and then that gets detected. I think, this idea of operational compliance has a lot to do with bringing in your compliance and policy counterparties inside your company into the operational side.
I'll give you an example. You might have a policy for adjusting your credit underwriting criteria, right? There is the policy of what is the credit criteria and the procedure for actually evaluating that, but you also have a policy for making the change. If you just have the underwriting lead go off and do it, they probably don't do all the steps. But you bring in your policy person and they might say, “Hey, we need to present this to the board, or we need to have this signed off, or we need to document it in this way,” and have someone who's the facilitator of these processes. Maybe not the operator, so to speak, right? The underwriter is saying, “I'm going to change the minimum score from 680 to 685.” Sounds easy. We'll just go plug that in. But you need your policy person to facilitate, okay, you're supposed to present that change, mark the change, do a back test, or whatever you have to do, whatever your policy says, and then implement it.
It can feel, when you say that to people, they're like, “Wow, that's a lot of process. How bureaucratic.” I don't think it has to actually feel that way, but you just want someone making sure you're actually checking those off. Because to your point, where you get in trouble is sometimes not even you did anything wrong, but in terms of you let a bunch of money laundering happen or something, but you didn't follow the procedure on how to manage that. That's where you actually get in trouble with, again, your bank, or your bank in trouble with their regulator.
Carlin McCrory:
We've talked about some of the pitfalls just now, but what are other things that you're seeing that these early stage, or scaling card programs, what goes wrong when it comes to their compliance?
Matthew Goldman:
I think the biggest thing is just really not keeping up as volume grows. There's always this push and pull when it comes to startups in terms of how do you anticipate growth? How do you hire ahead of growth? No one has probably extra money lying around to hire extra people. If you get behind, you get in trouble really fast. I think we all know that hiring great compliance folks is usually hard. There's a limited number of them. It'd be very hard to recruit them, especially into startups. We always joke that if you're a risk manager, you tend to be risk-averse, you tend not to work at a startup, but startups need great risk managers. There's this dichotomy to deal with.
I think people, they just get behind, they get overwhelmed by volume. That's really when you start to see people have trouble is actually, when they're on the upswing and there's some success, which is really disappointing, ultimately, because then if they get hit with some consent order, or pause or something, it can really, really wreck a company. I mean, I've been part of experiences where it's like a bank might say, “Hey, we need to put you on pause for 30 days to review this.” Well, once you turn off all your marketing, it's really hard to turn it back on again. You do want to continually just invest in it.
It feels like a cost center. I think that's one of those challenges is that a lot of people think of compliance as a cost center. But we really counsel people to think about it as part of a revenue enabler. The more that you can stay out of trouble and do things right and avoid fraud and avoid penalties, the more you can focus on growth.
Carlin McCrory:
Then, can you give an example of perhaps a low-cost process that may have a larger impact on staying compliant?
Matthew Goldman:
Absolutely. One of my favorite places to talk about and where people get in a lot of trouble is marketing collateral approval, right? Especially in the era of social media. People want to go out and throw out an Instagram, or TikTok, especially direct to consumer. Even in B2B marketing, especially if you're marketing to small businesses, you forget to go through and make sure everything's approved. It's really easy to build a spreadsheet. I mean, I know there's fancy systems for this, but you can build a spreadsheet, and we do this with clients. We build a spreadsheet, we label every asset, like email 52. It's a welcome letter, or whatever, and the date. We make a PDF of that, a screenshot. That's what we send to the bank to get approved.
Then when it comes back, we send a final copy and we store it in the cloud, right in the Dropbox or something. Then, if there is any confusion, you can go back through that trail and figure out where did something go wrong. I had a very funny experience on a program I did a few years ago, where our bank was getting audited by the FDIC. The FDIC didn't like the disclosure footnote on our emails. The bank was like, “Where is this from?” I'm like, “I'm happy to change it. However, I can prove to you that you approved it on this date in this email and told us to use it all the time.” It wasn't that we didn't have to make the change to be responsive, but it went from the bank saying, “You're in trouble,” to, “Okay, we get that. We did approve that. We realized we need to change it.” That's not expensive to do. It's not hard. It's just record keeping, essentially, right?
You don't need a fancy system. Email one, email two, email three. Just iterate through them. Storage in the cloud is cheap. Keep all the versions forever. There's no reason to scrimp on it. Because then, inevitably, my approach is like, you will get in trouble. You will eventually mess up and send out an email that wasn't fully approved. If you go to your bank and you say, “Well, we sent 500 emails and we messed up once,” they're likely to say like, “Okay, let's not do that again. But you're not a bad actor. You're trying and we appreciate that.”
Carlin McCrory:
That makes sense. In that same vein, what do the banks and the BIN sponsors really want from their FinTech partners when it comes to oversight and operations?
Matthew Goldman:
I think so much, banks are themselves risk management organizations. I think that's hard for especially FinTech startup people to think about, which is these folks are more focused on managing risk than earning revenue in many ways. I always tell people like, banks are driven by, what is the regulator going to ask me and how do I stay out of trouble? What a bank, or a BIN sponsor wants to know is you're not going to get me in trouble. That's a primary motivator.
A lot of what they do is centered around like, how do I just stay out of trouble? Because I don't want to have a conversation with my regulator about you, right? Whatever you're doing, I don't want that to be the problem. I think that banks want to know that you're not putting them in that situation. They want to build that trust that you are being very transparent with them. You're following the rules, you're keeping records of things, right? You're not producing these errors, and that you are not trying to sneak things past them, or you're just playing loose too, which also happens again, startups that aren't really paying close attention to what they're doing. Because it is mixing that ethos of famously, the Silicon Valley, move fast and break things with banking. Those don't go together very well. I think, banks want to make money. They want to support you, but they want to stay out of trouble more. It really comes from that risk component.
Carlin McCrory:
Right. I mean, we're always telling our bank clients, “Look, it's your responsibility for all of your FinTech programs. You're on the hook for any non-compliance.” But having a good partnership is a huge piece of that and having those open lines of communication, I think, are critical.
Matthew Goldman:
Absolutely. I think that there is a big opportunity on both sides to just really increase communication levels. I think one of the challenges that happens is banks take this like, “Hey, our SLA is we get 10 days to approve everything, and you just have to wait on us.” The more you have a high-paced company, the more they want to push the limits, right? I encourage banks to think about, “How can I be ultra responsive?” Even if it's just to be like, “I see this. It doesn't look like a problem, but I can't approve yet.” Or, “Hey, I noticed this right away.” Because if the FinTech feels like it's being engaged with, then they're less likely to be like, well, we really need to jump on this social trend and the bank is ignoring us. We're just going to go do it ourselves.
I think that that's an opportunity on the bank side, like you said, to build the partnership and deepen it. I think the reality of a lot of startups, if a bank came to them and said, “We'll dedicate a full-time compliance person to you, but you have to pay us quarter million dollars a year,” people would be like, “Okay, great.” Because I would rather pay money to get high-speed returns than sit around and wait.
There is this funny thing, obviously, when you're negotiating your first deal, everyone wants to get the best deal. That's an obvious thing. I would love to see banks be like, “We'll give you a higher-level service. You just have to pay for it.” I think a lot of people would choose that. It would, again, deepen that partnership, help people be more rapid, because that's what most companies want. They just want to adjust their Google ad a little bit, right? They just don't want to wait three weeks for it.
Carlin McCrory:
Right. No, that makes a whole lot of sense. Talking about the cost of compliance, how do you think these companies should think about the total cost of compliance?
Matthew Goldman:
I think companies should think about compliance costs as existentially important. This goes back to that example of, what if a bank puts you on pause over a minor issue? Or what if, heaven forbid, it turns out you're enabling money laundering, or you're not paying attention to IT security and you get hacked? It's really easy to say like, “Well, it's a drag on us, because we have to do all these things.” Unfortunately, I've been involved in multi-million-dollar incidents, where it's like, hey, someone broke into a system. That could take a small company down. Or if you've got 10 million dollars in the bank and someone hacks you and takes 5 million dollars, you're in big trouble.
Or on the flip side, you get a bank that says, “Hey, we're uncomfortable with your marketing. No onboarding for the next 30 days.” If your company used to be worth 500 million dollars to a venture capitalist, maybe now it's not, because your growth stopped. You have this really complex story to tell. It's funny, because a lot of value for startups is in equity. It's in the share value, and you have to have that upward trajectory and growth trend. I think what everyone needs to think about is that compliance needs to come very much upfront, because without it, I get a zero, right? It doesn't maybe by itself generate revenue, but it can easily turn everything into a zero and make there be no revenue.
Carlin McCrory:
Yeah, or a negative.
Matthew Goldman:
Or a negative.
Carlin McCrory:
Right? I'm thinking data breach, we've got to send out notices. There's a cost associated with that.
Matthew Goldman:
Oh, yeah. Just the distraction factor. I mean, even if you don't have a major breach that costs you a lot of money. To your point, it's like, well, if I have to tell everyone that you need to reset your password and lose that trust, it's really painful. I think there are companies that – one thing someone was saying the other day to me was, I encourage everyone to get a SOC2. To do these, they get a pen test, to go through this process. A lot of folks are like, “Well, if my bank doesn't require it, I'm just not going to do it.” “Okay, but don't you want to know you're not going to have this problem? Isn't that maybe $30,000 or $40,000 upfront worth it, versus the huge cost afterwards?” I think it's very hard, especially for earlier stage companies to make that trade off.
Carlin McCrory:
Right. That makes a whole lot of sense. Then, what do you think some of the biggest myths are about card issuing compliance that you wish more founders, or product teams understood?
Matthew Goldman:
The first thing I think about it is when it comes to fraud and risk and how that's all part of compliance. People, especially those coming in from outside of financial services just don't realize how much fraud you have to deal with on an everyday basis. I see a lot of vacillating between, there should be no fraud and let's just see what happens. Then you get your first $10,000, or $20,000 hit and everyone freaks out a little bit.
I think if you've been in the space, you know there's a cost of doing business and there's ways to manage it, and you know that some friction is necessary. I also think people don't realize that fraud is not just a monetary cost. It's a reputational cost. It's a program cost. If it turns out you're losing a lot of money, that's bad in many ways. That's obvious. Also, if the bank is like, “Hey, you guys have a terrible onboarding process. You need to redo it.” That's a huge cost as well.
It's that cards are funny, because we all use them every day. Probably, everyone listening to this podcast, or everyone, you just walk in the street, has a debit card, or credit card, or both. They're hugely complicated products, especially credit cards, right? They're loans, they revolve, you have to do credit reporting and underwriting and all the transactional stuff and money laundering. What if you have cash out capabilities?
They're as complex as, like, I don't know, a mortgage-backed security, or something. People don't think of them that way, because they're familiar with using them. When people come in from the outside, they haven't done this before, I think they're just completely overwhelmed by how complex it is. That myth is really like, it's pretty simple, because I have one in my pocket. It is not simple. It's a very hard thing. I usually like, when people come to me, they say, “Hey, I want to build a credit card.” I'm like, “Do you really, though? It's really hard. Make sure you really want to do this, because you're in for a rough ride, no matter what.”
Carlin McCrory:
Right. Yeah.
Matthew Goldman:
It's counter-intuitive.
Carlin McCrory:
Oh, absolutely. There are just so many pieces to the puzzle there. Then, pieces that are evolving, like fraud and the fraud is always changing, right? Always something you have to keep up with and address. Again, it's not a set it and forget it, like we just said earlier.
Matthew Goldman:
Yeah. One of my favorite examples of fraud that can surprise people is everyone thinks about cash and money laundering via cash, right? That's pretty obvious. But there's a lot of money laundering via Apple products. It's very easy to go steal a card number and buy an iPhone and then sell that iPhone on eBay. They're gold. They're actually very high value per ounce. I think that's funny. People are like, “Oh, it's really cool. I'm selling a lot of products to Apple. People are buying iPhones.” I'm like, are you though? Because that's suspicious to me.
I think there's this mindset you have to get into when you get into payments about what is the possible angle on this? Because sometimes volume growth looks good and is actually masquerading. It's actually fraud growth and you don't realize it right away. Because what you think of as fraud if you watch TV, or whatever, right? It's all very simplistic, versus the way it happens, and especially with the growth of AI and everything. I mean, fraudsters are smarter than the rest of us, unfortunately, and they're really motivated. They're really hard to keep up with.
Carlin McCrory:
Yes. Any other thoughts or anything else you want to tell our audience today?
Matthew Goldman:
I think for people who are starting a program, the most important thing is getting the right team around you, whether that's working with great counsel, like you all, or finding a bank who really aligns with your vision. I think a lot of people try to push someone to say yes, because they want to build the thing. But then, if it's a struggle, you're probably going to struggle your whole program with that particular issuer, or partner. Really, finding someone who has a philosophical alignment to what you want to do, I think is a really valuable check as you're looking for those initial partners. Because when you get married, effectively to your bank and your processor, it's really hard to move on from them. I mean, people do it, but it's a huge expense and it's very hard. Spending that extra time, taking that beat to really say like, “I have the right crew around me,” is just so important.
Carlin McCrory:
Well, thank you so much for joining us today. Thanks to our audience for listening to today's episode. Don't forget to visit our blog, TroutmanFinancialServices.com, and subscribe so that you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform you use. We look forward to next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.