My Compliance Conundrums

Where This Started

Before I was a VC, I spent three and a half years at Promontory Financial Group, a risk and compliance consulting firm that advised many of the largest financial institutions in the world. It was a great business, particularly in the wake of the 2008 crisis. It was basically regulators from the SEC, OCC, and FINRA going private and then getting paid by banks to advise on how to comply with the rules they themselves wrote. 

We were the cleanup crew. The people who got called in after a consent order, after a regulatory exam went sideways, after the OCC or CFPB decided your BSA/AML program was insufficient. I worked on a project where we were brought in to clean up the biggest money laundering scandal in the history of financial services - over €200B in suspicious activity through a bank branch in Estonia over eight years.

The work was mission critical and high stakes. It was also incredibly manual. Many of our projects were rooted in spending hundreds of hours reviewing transaction monitoring alerts, sampling customer files, and building remediation frameworks in Excel. Almost everything we did could have been done more efficiently. The pattern recognition was mechanical, the document review was repetitive, and the exception categorization followed clear rules.

But the tooling didn't exist, and frankly, the consulting model didn't incentivize building it. Promontory billed by the hour (and having priced engagements, let me tell you we made a killing). As at many services firms, the inefficiency was baked into the business model. I left with a feeling that this work was a perfect target for technology, and that eventually someone would build the right product to transform it. The irony is that IBM acquired Promontory for the explicit purpose of accelerating the development of AI-driven compliance solutions using Watson. Spoiler alert: that never happened.

After Promontory, my first year at Affirm was focused on partnerships related to trust and safety, which included credit, compliance, identity, risk, and fraud. If anything, it crystallized many of the things I learned at Promontory with front-row access to what it's actually like to be a buyer of these tools.

Why AI for Compliance Is Obvious

When I joined BTV and started investing full-time in fintech, compliance was one of the first areas I wanted to go deep on. And with all of the advancements in AI and LLMs over the last few years, I'm largely convinced that AI for compliance is one of the most compelling use cases in all of fintech. It's also one of the most obvious (which is part of the problem as a VC).

The market is huge - global financial crime compliance alone represents $200B+ annual spend and regulatory fines run into the billions every year. The work is absurdly manual and repetitive. Think about what a compliance review actually entails: you're reading thousands of pages of regulation, then cross-referencing them against a company's entire library of policies, procedures, and controls to determine whether what's on paper actually maps to what the regulation requires. It's painstaking, document-by-document work. The opportunity is about making processes that are fundamentally manual ten times faster and better. And not just that - when you layer technology onto compliance workflows, you quickly discover that a lot of what's written in policy doesn't hold up when it meets the real world. Teams twist their processes into knots to satisfy requirements that don't make practical sense. AI doesn’t just accelerate the work, it can actually surface the gaps and improve outcomes.

Furthermore, compliance teams can only scale linearly with headcount. Regulators expect headcount to grow proportionally as a bank grows, but more bodies don't necessarily solve the underlying problems. Throwing resources at compliance isn't the same as fixing it. One sponsor bank I spoke with recently described anticipating tough questions at their next safety and soundness exam about how to justify growth without adding to the compliance team. These teams are perpetually on fire, under constant regulatory pressure with zero bandwidth. The answer can't just be more people.

So Why is This So Hard?

I've been at BTV for just over four years. In that time, I think I've probably been pitched by over 100 compliance startups. I feel like the bull case is obvious, but investing here requires navigating real structural challenges.

Compliance spending is deeply cyclical. If a bank just got hit with a fine, an MRA, or a consent order, compliance becomes a red-hot priority. Budgets open up, urgency is real, and decisions get made quickly. But if that hasn't happened, which is most of the time, compliance is much, much lower on the procurement list. The dynamic is even worse with fintech companies: they don't prioritize compliance until they get bit (the logic goes: it doesn't matter if you're compliant if you have no customers). Yes, there is always real maintenance spend on people, tools, training, and audits, but the discretionary budget for new tooling tracks the regulatory cycle more than actual need. You're either selling into panic or selling into apathy, and the window between those two states is narrow.

Reading prescriptive rules is easy but interpretation of grey areas is much more valuable. There's a huge gap between a regulation as written and the way a bank actually implements it. AI can digest every regulation and make literal recommendations. But banks can do that too. What they really want to know is: how are other banks complying with this? What's the grey area? What will an examiner say in 18 months? That information lives in the heads of experienced compliance officers, in exam findings that aren't public, in unwritten norms between institutions and their regulators. Obligation inventories are useful, but they don't solve this core problem.

Yes, some compliance work is binary and deterministic: did you send the right disclosure, did you file by the deadline, etc., and AI can largely solve that. But the harder questions are probabilistic: is this transaction suspicious enough to file a SAR, does this copy cross the UDAAP line, etc. It's not so much whether you're right or wrong but rather whether your approach holds up under scrutiny. Most AI tools are built to give definitive answers in a domain where definitive answers don't always exist.

Platform vs. point solution is an unsolved dilemma. Part of what makes this so hard is that "compliance" is dozens of fundamentally different activities that share an overarching label. Think about it. Making sure customers are real? Compliance. Making sure fake customers don't defraud real ones? Compliance. Reporting suspicious activity to a regulator? Compliance. Ensuring your underwriting model doesn't introduce bias to credit decisions? Compliance. Testing your controls periodically? Also compliance. So is complaint review, quality assurance, marketing review, brand monitoring, and vendor onboarding. These activities all work in fundamentally different ways, rely on different data feeds, have different stakeholders, and require different domain expertise. I am very skeptical that one tool can do them all. And even within a single compliance activity, as I mentioned earlier, there's a gap between what a bank's policies and procedures say they'll do and what they actually do day to day. That disconnect is itself a compliance risk!

That's what makes the platform vs. point solution dilemma so acute in this category. Every bank wants a platform, which is one reason why they gravitate toward larger players. But those platforms simply can't do everything well across such varied activities, so banks bolt on point solutions. Clearly point solutions that pick one vertical can win - Vanta proved that with SOC 2 - but SOC 2 is maybe 2% of a bank's total compliance obligations. AML broadly is probably 20%. The question then becomes: which slices of compliance are large enough and self-contained enough to support a venture-scale business? And is there a better rubric for categorizing compliance - not by regulation, but by workflow type, buyer, or data dependency - that reveals which clusters are actually addressable with one product? There is a critical choice early in every compliance company's journey: go narrow and risk being a feature or not pursuing a venture-size market, or go broad and compete with well-funded incumbents across wildly different workflows. Both are very hard.

The CYA effect is real. This is the same dynamic I wrote about in Services Won't Become Software. Banks pay a premium for established firms like Promontory (pour one out), FS Vector, Klaros, or Maquette Partners - not just because the work is good, but because regulators know their work and are comfortable with it. There's a CYA component: nobody gets fired for hiring [insert highly regarded firm]. The same cannot be said for a seed-stage startup. Even if your product is better and faster and cheaper, a compliance officer may still choose the established firm because it carries less career risk. 

When I was at Affirm, we opted to work with one compliance offering over another, even though it was a far worse product, because we knew the regulators would be comfortable with it. A meaningful share of compliance spend has nothing to do with output - it's about liability transfer, political cover, and credentialing. The portion that's truly about output quality is addressable by AI. The portion that's about CYA may be more durable than it looks.

Regulators tend to be more focused on headcount than efficacy. When a bank grows, examiners expect compliance headcount to grow proportionally. If a regulator saw a compliance team of 10 people with great tools producing the output of a team of 50 with bad tools, they wouldn't be impressed - they'd be concerned the department is too small. Investing in AI tooling doesn't necessarily "count" in the regulator's eyes. Until attitudes evolve, this dampens the buyer's incentive to augment people with software.

And unlike other industries facing acute labor shortages (like accounting), compliance doesn't have a structural forcing function to adopt AI for efficiency. The labor market is tight, but it's not broken. The primary emotion around AI adoption in compliance is fear, both fear of replacement and fear of unproven technology getting something this important this wrong. A missed SAR, a botched OFAC screen, a hallucinated policy interpretation that ends up in an exam workpaper would be career-ending (or at least severely hampering) mistakes for a compliance officer. The exception is at banks where compliance is being pulled into revenue conversations, but that's still the minority case.

The space got very crowded very fast. In the last few years, the number of startups building AI for compliance has exploded and it has become genuinely hard to see what's unique about any given product or approach. From an early stage investor perspective, when a category gets this crowded this fast, it makes it really hard to see how any single company can build enough differentiation or execute relentlessly enough to win. And the competitive set now includes the foundation model companies themselves. Anthropic just launched a suite of agent templates for financial services that includes a KYC screener built to assemble entity files and package escalations for compliance review.

Last wrinkle: selling to a fintech and selling to a bank look like the same business but really aren't. Fintechs want APIs, infrastructure they own, things they can integrate themselves. ACVs are smaller, deals close faster, and they'll swap you out if something better shows up. Banks are the opposite. They want a vendor, not a tool. Someone who can sit across the table from an examiner, take on liability, and defend themselves in a third-party risk review. ACVs are much bigger, procurement runs 9 to 18 months, and once they pick you, the bar for switching is very high. A startup has to pick a lane. The product you build, the team you hire, the way you sell, all of it is fundamentally different. The companies that try to do both usually do neither well.

What Needs to Change

After four years of looking at this space (and 5+ of living in it), I think the companies that win will be the ones that change what compliance even means inside a financial institution.

Right now everyone treats compliance as a cost center. It's the department you fund because you have to. It gets budget cuts first and headcount growth last. That's what makes selling into compliance so brutal. You're walking into a room where nobody is excited to write a check.

But compliance is actually a revenue enabler. You can't sell financial products without it. Want to offer a deposit account? You need Reg DD, Reg CC, Reg E, and a bunch more. Those aren't obstacles, they're prerequisites. No compliance, no product to sell.

The bigger point: compliance happens at the customer level. Every interaction your product has with an end user has to be compliant. Compliance is inherently embedded in the product. We just treat it like a back-office function that reviews things after the fact. That's a disconnect! Compliance is actually the infrastructure that lets you serve customers and build a business.

This changes how you build and sell in this space. Cost center positioning means you're selling cost reduction to a compliance officer with a budget carved out of risk. Revenue enabler positioning means you're selling growth to the CPO and CRO with a value prop around launching products faster and scaling without getting shut down.

But you can't just talk or pitch your way into being a revenue enabler. The difference has to be architectural. Compliance only becomes a revenue enabler when it's embedded in the operational tools that generate revenue. A loan onboarding platform that handles disclosures, consents, TILA boxes, and APR calculations in the right order isn't a compliance product but rather the system that powers your top line. It just happens to be compliant by design. The reason this hasn't happened more is that the existing operational stack (Fiserv, core banking systems, legacy CRMs) was built for an era when compliance was a separate department. Those tools weren't designed to make compliance a feature of the product. Rebuilding that infrastructure is expensive and hard, which is exactly why the opportunity is so big.

This is also why I don't worry about foundation models eating this category. Foundation models will commoditize reading regulations, mapping controls, and drafting policy responses. That's fine. What they won't commoditize is the layer on top. A compliance officer isn't going to vibe-code their own BSA tool, and no bank is deploying a reference implementation straight into production. Compliance software is more than software, it's a vendor relationship that has to hold up in front of an examiner. A bank's third-party risk team needs SOC 2 reports, SLAs, audit trails, and a real human to call when an exam goes sideways. A foundation model reference implementation has none of that. Neither does an internal tool a compliance officer prompted into existence over a weekend.

The shift compliance needs is from reactive to proactive. From scrambling after the fact to embedding controls that prevent issues before they happen. Vanta is the cleanest example. As I said earlier and everyone knows, Vanta didn't sell compliance, they sold market access. The pitch was: you can't work with enterprise customers without SOC 2, we'll get you there in weeks instead of months.

This is also why, despite all the hesitations above, I have made compliance investments. Two companies in the BTV portfolio are building in ways that reflect this reframing.

Ethos is built on the thesis that risk is strategy. Fundamentally, financial institutions that win take risks others won't and price risk others can't. Most can't, because their risk and compliance data is scattered across spreadsheets, legacy GRC tools, and systems that don't talk to each other. Compliance doesn't know what's shipping, product doesn't know what's getting flagged, while leadership can't see either. Ethos is the data and workflow layer across the whole risk surface, including enterprise risk, operational risk, digital assets, and AI. The goal is to make risk a real-time input to how the business actually runs.

Palm helps small businesses handle their compliance filings for free, and in doing so builds a direct relationship and collects first-party data straight from the source. Every KYB provider today is scraping the same downstream registries with the same gaps and the same staleness. Palm's data is structurally better. Compliance is the wedge. The endgame is a business identity network where Palm is the canonical source of truth for what a small business is, owned and updated by the business itself.

Both companies reflect the same insight: compliance is the mechanism, and the value is what it unlocks.

If you're building with this mindset, I'd love to hear from you.


Shoutout to some folks I jammed with on this who know way more than me about compliance - Trevor Tanifum, Jett Oristaglio, Jeff Silver, and Dmitry Gritskevich