There's a pattern I've watched repeat across fintech startups, scale-ups, and even some established financial institutions: compliance is treated as a feature to be prioritised alongside user experience improvements, performance optimisations, and new integrations. It sits in the backlog. It gets deprioritised when the sprint is full. It becomes "next quarter's problem."
This is a category error that will eventually catch up with every organisation that makes it. Usually at the worst possible moment: during a regulatory examination, a due diligence process, or a public incident.
Why Teams Treat Compliance as a Feature
The reason is usually incentive misalignment. Product teams are measured on user growth, engagement, and revenue. Compliance work (building audit trails, implementing access controls, creating reconciliation mechanisms) doesn't move any of those metrics. It's invisible work that protects against downside risk rather than creating upside opportunity.
This is compounded by the fact that compliance failures are often slow to manifest. A missing audit trail doesn't cause an incident on the day it's missing. It causes an incident eighteen months later, when an auditor asks a question nobody can answer. By then, the team has moved on and the context is lost.
What "Compliance as Foundation" Looks Like in Practice
At one regulated bank I worked with, compliance wasn't a workstream. It was a design constraint. Every system change went through a compliance impact assessment before it went into the sprint. Every new integration was reviewed against the bank's regulatory obligations before development started. This added friction to delivery. It also meant we never had a regulatory finding that was attributable to a product decision.
The practical mechanics: integrate a compliance review into your definition of ready. A story that touches financial data, access controls, or external reporting isn't ready for development until a compliance subject-matter expert (SME) has reviewed the requirements. This doesn't require a lawyer in every sprint. It requires a documented checklist and a named person accountable for the review.
The Cost of Getting It Wrong
The financial cost of a regulatory finding (fines, remediation, increased scrutiny) is significant but quantifiable. The reputational cost is not. In financial services, trust is the product. A compliance failure doesn't just cost money; it erodes the foundation on which your entire customer relationship is built.
Build compliance into your architecture, your processes, and your team culture. Not because a regulator requires it, though they do. Because it's the only way to build a finance product that deserves the trust your customers place in it.