The Compliance Iceberg: How it works in big banks

Plus: Trump's Fintech, X and Visa partnership announced & Robinhood wants Tokenization

Welcome to Fintech Brainfood, the weekly deep dive into Fintech news, events, and analysis. You can subscribe by hitting the button below, and you can get in touch by hitting reply to the email (or subscribing then replying)

Hey Fintech Nerds 👋

I have had no fewer than four CPOs or Heads of Product at Neobanks ask me how they get started with Stablecoins in the past week.

Meanwhile, X finally announced their wallet (in partnership with Visa), and not to be outdone, Trump is launching a Fintech company, Truth.Fi.

This week, Europe’s 5th largest bank suddenly stopped working. On a payday with a tax deadline. It’s now on day 3.

Robinhood's CEO is pushing for Tokenization of private markets so customers can buy stocks like Space X, and just launched their futures product.

And AI just got 93% cheaper.

The future is wallets, AI and tokens.

(If this isn't the top, we're near it. But we also crossed a rubicon in which the financialization of everything overtakes ads as the dominant business model)

Remember, when all of this comes crashing down, there's fundamental value in AI and Stablecoins—not because of the hype but because of the ROI.

Banks spend billions on compliance and business continuity, but it can still go wrong. It’s not the staff. It’s the machine. It’s log-jammed. If you want to understand the machine, today’s Rant is a critical read.

I don't read books as a rule (I know, I should). I'm an information snacker. However, I made an exception for David Silverman's "Stop Harming Customers." It made me laugh out loud several times and shed light on the hidden world of compliance. It inspired this week's Rant. 📣

Maybe Gen AI creates a Jevons paradox for compliance documents?

PS. This week, Rex Salisbury and I talk about how DeepSeek impacts Fintech on our weekly YouTube series RSTF.

Here's this week's Brainfood in Summary

📣 Rant: The Compliance Iceberg: How big banks really work.

💸 4 Fintech Companies:

  1. Easy - A new kind of payments processor

  2. Rail - Stablecoin Money Movement API

  3. Paygrid - Visa for Stablecoins.

  4. Blindpay - Stablecoin API for international payments

👀 Things to Know:


Weekly Rant 📣

The Compliance Iceberg: How big banks really work.

Most bank CEOs don't know how their bank really works.

Most people in banks don't know how it works either.

Sam Altman says:

In banks, you can't just do things.

If you've ever worked with a bank, you've probably taken a mind-numbing hour-long training course on BSA/AML with a 10-minute quiz at the end.

That's just the tip of the iceberg.

Making compliance memes is my kind of fun.

The Visible Bank (Above Water)

The visible part of compliance by itself is enormous.

For every regulation you can name, there are hundreds you’ve never heard of:

  • Rules about interest rate calculations

  • Laws about when funds become "available"

  • Regulations about mandatory vacation (yes, really)

  • Requirements about what makes a signature valid

  • Laws about what happens to abandoned accounts

Take just one tiny slice of US federal banking law. It's 700+ pages. And that's about 1% of US federal regulations alone. Now multiply that by:

  • 50 US states

  • Every major financial center (UK, Singapore, Hong Kong)

  • Every country you operate in

  • Every product you offer

  • Every way a customer could possibly interact with you

That's what everyone sees, and it's what we think of when we think of "compliance."

But active compliance work (staff carrying out a compliance process or procedure) makes up only about half of the overall compliance headcount.

The back office is the other half.

  • The compliance front office: Teams who specialize directly in operational tasks to comply, like reviewing sanctions alerts or marketing materials. (This section)

  • The compliance back office: Teams that set the “risk appetite” of the bank and create all of the policies, procedures and controls to comply with the law. (The rest of this piece)

There are three main types of risk that compliance teams aim to address.

  1. Market Risk: When the Market Goes Against You (SVB, is that you?). Market risk is what happens when your bank is heavily invested in a type of stock or bond that tanks. They might have enough assets (e.g. houses), but they can’t sell them, so they’re illiquid. US regulators often bucket this as “safety and soundness”.

  2. Credit Risk: Will They Pay? Credit risk is beautifully simple: will someone pay you back? This is the domain of underwriting departments who spend their days trying to figure out if you can and will pay your debts on time. 

  3. Operational Risk: Everything Else That Can Go Wrong. Your bank gets hacked (Cybersecurity), your supplier goes bankrupt (er, Synapse?), fraudsters steal from your customers (Fraud), criminal gangs use your bank to move money (Money Laundering or AML).

Operational risk is a broad bucket, so let’s break it down a little further.

  • External Fraud: Someone steals your customers' accounts (Account Takeover), your customers claim they never got that iPhone when they definitely did (First-party fraud), etc.

  • Internal Fraud: There's a reason banks make people in sensitive positions take two weeks off at a time. While you're sipping cocktails on the beach, someone else is handling your work - and might just discover that secret scheme you've been running.

  • AML (Anti-Money Laundering): This gets its own special category because it's everywhere. Everything from drug cartels moving billions, to a local drug dealer trying to get a credit card, to giant criminal networks operating scam networks and much more.

And because criminals keep inventing new ways to commit crime, the compliance work keeps multiplying. It's like playing whack-a-mole, but every mole has a law degree and access to cryptocurrency.

This is why banks seem paranoid. When your bank asks you twenty questions about why you're sending money to your grandmother, this is why. They're trying to avoid being the next headline about accidentally banking a drug cartel.

Risk Appetite (The waterline)

All of these regulations get their authority from laws passed by State or Federal legislators. Regulators can make rules within those laws and issue guidance. Compliance departments then have to figure out how to implement the law and the rules/guidance from regulators. 

The process of defining “how” to comply is called setting a risk appetite.

Risk appetite is defined in policy documents (what we will do).

  • Policies include: data protection, information retention, Anti-Money Laundering, tax reporting, cross-border transactions, Reg E policy, Reg Z policy, UDAAP policy, etc.

Every policy has supporting procedures (the way to do each thing).

  • Procedures include: Suspicious Activity Reporting Procedure, Personal Identifiable Information Procedure, Information Security Incident Response Procedure, etc.

And every procedure has a specific set of controls (things you have to do).

  • Controls include: KYC (Know Your Customer) onboarding, Suspicious Activity Reports, transaction monitoring, that AML training you have to retake every year.

The act of following these controls, procedures and policies can be complex in practice. There are simply so many. They multiply like tribbles from Star Trek.

The historic model is the “three lines of defense”.

Three Lines of Defense - Or Why Banks are So Slow

Banks split their control functions into three "lines of defense." Think of it like a medieval castle, but instead of protecting gold, they're protecting against regulatory findings.

First Line: The Business

  • The people actually doing stuff: Product managers, engineers, sales teams

  • They're supposed to "own the risk" (which mostly means filling out forms)

  • Every process needs first-line controls (form filling)

  • That endless New Product Approval process? That's first line for product.

Second Line: Risk & Compliance

  • The people who write all those policies and procedures

  • They "oversee" the first line. They run committees. They say "no" a lot

  • Think AML, Sanctions, fraud, market risk, operational risk teams (information security, business continuity, etc.).

Third Line: Internal Audit

  • The people who check if the first two lines are doing their jobs

  • They're supposed to be totally independent. They report to the audit committee. They find problems the first two lines missed

  • Then everyone scrambles to fix them before External Audit or regulators show up

Here's where it gets fun: Each line has its own:

  • Policies

  • Procedures

  • Controls

  • SharePoint sites

  • GRC system access

  • Version of the truth

Let's give this a practical example.

Deep Ice: Policy, Procedure and Process Hell

When policies meet real life, things get ugly.

Have you ever tried to get a product live in a bank? This is just one tiny example of how compliance shows up in daily life.

Delivering something as simple as a new mobile app feature can take a year of prep work and planning. The process looks something like this.

  • Perform a technology impact assessment (IA). This requires allocating the team, via their SharePoint page. It might identify 12 other technology teams impacted, and 6 other existing projects or programs.

  • Build initial design and screens. Ensure you have a design that meets all of your marketing, brand and accessibility policies.

  • Create a high-level design (HLD), then a low-level design (LLD). These then assess every cybersecurity, data, and other technology-related risk, interaction and constraint.

  • Define the target operating model. You think you’ve built a feature, but have you thought through how the call center responds if something goes wrong? What’s their script? What happens if a customer complains? How do the terms and conditions need to change? 

With your designs and target operating model you need to get through “New Product Approval” (NPA). 

  • Identify every risk policy area and meet them for feedback. With any luck, everyone in fraud, AML, sanctions, legal, market risk, operational risk, information security, 

  • Sign off any risks to be accepted. Risk leaders may spot a medium-impact, high-value risk that “could” cost the organization up to $10m. So your budget holder needs to “sign off” that it would come out of their budget if that event occurred. (This can be highly charged and political.)

  • Prepare a New Product Approval pack. Usually submitted into a GRC system or similar, this includes all designs, operating model and risk team feedback.

  • Attend the New Product Approval committee. If everything is done right, you present your new feature, some key screens, the risks, and the people you consulted, and hopefully it gets approved. There’s a tail risk that someone launches a grenade and derails the whole thing.

(Did you notice that nowhere in this was there a “test this with customers and iterate” step?)

Multiply this by 1000x or 10,000x for every feature being developed.

Now multiply it again for every possible policy, procedure and control. Think, sales, marketing, customer service, IT infrastructure, IT software, travel and expenses. Everything.

Each with a policy, each with a policy owner. All with staff who have no operating system for managing these processes. They just bump into them via email, or by being sucked up into the committees and processes happening around them.

After all of this compliance, policy setting and procedure following you’d think you’re pretty damn compliant right? 

Wrong.

The problem is the law isn't black or white. 

While a compliance team might deem something high risk, and control for it, based on previous findings, regulators might raise something completely new in the next examination. A compliance audit might find something seemingly innocuous but deem it high risk.

Examinations: Fix the findings not the problems?

Examinations often feel like an endless cycle of searching for needles in a haystack, and no matter how much you do well, in the end you get dinged for BSA/AML. 

As a result, bankers focus on past findings more than problems. And legal teams focus on whether they’re going to sue, or whether they’re being sued. (Notice how the word customer isn’t in either of those sentences?)

The worst part? You never know what it will be. It could be something super material and a major flaw (which happens far too often). Or it could be something ridiculously silly, like this example from David Silverman:

On March 29, 2016 a one Abigail Strubel sued Capital One Bank over the disclosures in her credit card agreement. She, and her attorneys, Brian Lewis Bromberg, Jonathan Robert Miller, Bromberg Law Office, P.C., and Harley Jay Schnall, Law Office of Harley J. Schnall, alleged that the font size was too small. Specifically, that the "model forms" offered by the CFPB used 10 point Arial, and that Capital One had used 10 point Garamond LC, which, they argued, was not clear and conspicuous.

David Silverman - Stop Harming Customers

(This is a US-centric world view; the rest of the world isn’t as litigious. But the risk buckets are broadly similar, as is the compliance setup in a bank.)

Policies multiply as they grow to cover every edge case, found in every audit. "May" vs "Must" language turns audits into "interpretive dance." One policy connects to many procedures which connect to many controls.

How the heck are you supposed to keep a map of any of this? 

The answer? A Global Risk and Compliance (GRC) system (more on that shortly).

But first.

Audits: Preparing for the Examination That Never Ends

Banks don't just wait for regulators to examine them. They're constantly auditing themselves. 

Why? Because if you don't find your own problems, the regulators definitely will.

The audit cycle looks like this:

  1. Internal Audit does their review (quarterly or annually).

  2. They find issues

  3. You create action plans

  4. External Audit arrives

  5. They find different issues

  6. You create more action plans

  7. Regulators show up

  8. They find issues Internal and External audit missed

  9. You question your life choices

Remember that example of 50 people digging through 23 systems to answer 20 questions? That's not just for regulators. That's happening every day, for every audit.

The Deep Freeze: Global Risk and Compliance is Broken.

What is a GRC System?

“Global Risk & Compliance.” A name only a consultant could love. The GRC system is the bank's attempt to create a single source of truth for all their policies, procedures, controls, and risks. It's supposed to be the operating system for compliance.

IBM OpenPages, RSA Archer, MetricStream, ServiceNow, Nasdaq BWise, AuditBoard, ZenGRC, OneTrust, and many others range from enormous global behemoth systems that do everything for everyone

David Silverman - Stop Harming Customers

Each promises to be the one system to rule them all. The compliance equivalent of SAP or Salesforce. A system of record for policies, audit findings, risk mapping and everything else. 

How Banks Actually Use GRC Systems

In theory, everything should flow through your GRC:

  • New product approvals

  • Policy updates

  • Risk assessments

  • Audit findings

  • Regulatory exams

Like Salesforce or SAP, they’re often out of date, and buckling under years of poor usage, implementation, and outsourcing. So the bank’s GRC becomes another layer in the compliance iceberg. As David explains:

In one exam I was part of, the regulator had 20 questions that required more than 50 people to dig through 23 different systems. When the work was done, the PowerPoint got filed away in SharePoint, much like the Holy Grail in Indiana Jones - except instead of a warehouse of crates, it's in SharePoint, which is essentially the same in terms of ever finding it again.

David Silverman

The Real Problem

GRC systems are built around what's already gone wrong. They're fantastic at documenting the last crisis. But banks don't fail because of the last crisis - they fail because of the next one.

You end up with:

  • A perfect system for tracking font size in credit card agreements

  • No way to spot the next SVB-style disaster (even though that should have been obvious, no?)

  • 15 different ways to document BSA/AML training

  • Zero ability to see emerging risks

It's like having the world's most sophisticated rearview mirror while driving blindfolded.

Because most of the first line (most of the bank) doesn’t have access to the GRC system, which is likely sold on a per-seat model, every policy gets dual-hosted on a SharePoint or similar internal site. That’s just another system, usually with poor APIs.

Wait. Wasn’t AI supposed to save us?

The Ocean Floor: Where AI Failed

Do you remember IBM Watson? Man, what a joke that was. This was the big AI gambit from the once mighty IBM. Their schtick was that it won a game of Jeopardy once, so you, as a bank CEO, should get it to automate everything, ever, maybe even that horrible compliance stuff.

Machine Learning turned out to be really good at:

  • Recognizing patterns in clean data

  • Playing games with clear rules

  • Being the world's greatest statistician

Sadly, compliance lacks clear rules (oh the sweet irony).

But absolutely terrible at:

  • Understanding context ("business day" means 15 different things, remember?)

  • Dealing with unstructured, poorly labelled data

  • Finding relevant documents across fragmented systems

  • Actually helping anyone do their job

The fundamental problem? ML systems need clean, structured data. Banks have the opposite: decades of policies written by committees, stored across hundreds of SharePoint sites, with crucial details buried in email threads and meeting minutes.

Machine learning is still the workhorse for finding statistical anomalies in transaction patterns, user behavior, devices, or sign-ups. But it has a new friend: the transformer (robots in disguise indeed).

Banks weren't wrong about needing AI. They were just 15 years too early, with the wrong technology, solving the wrong problem.

Breaking the Ice

Banking compliance isn't getting simpler. The iceberg isn't melting. But there are ways to navigate it (and hey, the arctic passage is passable these days):

  1. Unstructured data is searchable now: The perfect GRC system doesn't exist. Nubank will tell you they don’t have everything right, but they also don’t struggle to find a policy document (search for it on Google Drive). 

  2. Consolidation is work: There’s also a ton of value in consolidating policies. Gen AI is your friend here.

  3. Build for Humans: The best compliance systems aren't the most comprehensive - they're the ones people actually use. If your first line of defense needs a PhD in GRC systems to report an issue, you've already lost.

  4. Gen AI is readymade for this: It can handle the mess. It doesn't need perfectly structured data or clearly defined rules. 

  5. Gen AI needs implementation focus: Most big banks have Copilot from Microsoft or Agentforce, but they’re live with one, maybe two, actual use cases. Kill the GRC, and make SharePoint searchable, ASAP.

Unlike Watson, GenAI isn't trying to replace your compliance department. Instead, it's like giving every employee their own compliance expert who:

  • Can read and understand policies in context

  • Can find relevant documents across fragmented systems

  • Can explain complex requirements in plain language

  • Actually remembers what happened in last month's committee meeting

What Still Needs Human Judgment

Let's be clear: AI isn't going to set your risk appetite or handle your next regulatory exam. You still need humans for:

  • Understanding regulatory intent

  • Managing relationships with regulators

  • Making judgment calls on edge cases

  • Deciding what "risk appetite" really means

  • Explaining why you chose Garamond instead of Arial

  • Guiding the Gen AI to the right outcomes

The Future of Banking Compliance 

The compliance iceberg isn't going away. But maybe, just maybe, we can make it a little more navigable. 

The key takeaway here is the same as it always is.

Do the boring stuff well to get the great results.

Do it consistently.

Make it a habit.

And maybe, just maybe, we’ll finally be able to find that PowerPoint presentation someone filed away six months ago because the examiner just showed up.

ST.

4 Fintech Companies 💸

1. Easy - A new kind of payments processor

Easy is a programmable payment processor that aims to complete payments for a fraction of the cost of other PSPs. Merchants completely control (custody) their funds, and it helps them automate payment flows. It supports invoicing and accounting and aims to save more than 90% of the cost of a transaction.

🧠 This uses the language of payments, not Stablecoins. The payment processor framing is really neat. Right up front, the business case is that programmability and self-custody are described more as payment flows and "owning your own money." Over time this kind of self-custodial payment processor can be really disruptive to acquiring banks.

2. Rail - Stablecoin Money Movement API

Rail helps businesses move money internationally with Stablecoins. Its infrastructure helps Payments, Neobanks, and Fintech companies build bespoke workflows and use cases. They have 12 partner banks focusing primarily on B2B flows, processing $11bn of annual transactions last year.

🧠 Everything that's a Bridge lookalike is getting attention after the $1.1bn acquisition. The data I'm seeing is that this is backed up with volume. Most interestingly, it's not consumer or speculative; it's B2B that's leading the charge. Multiple partner banks, and aggregating all of those for liquidity and performance, is a difficult path to take but vital for customers moving large volumes like B2B use cases.

3. Paygrid - Visa for Stablecoins.

Paygrid acts like FedNow or Visa, helping a payment reach the right wallet on the right network with a single payment instruction. Through a single API, it supports all networks and doesn't require the developer to integrate or manage bridges. All network fees are abstracted from the user and it supports programmable rules and payments (think, spend management).

🧠 This gives PSPs a new business model and removes the need for banks in many cases. A Payments company could route low-value payments via a cheaper rail and high-value payments via a more expensive, instant rail. They could also potentially monetize the MEV (think like how Robinhood uses Order Flow) to drive new revenue while keeping fees super low. It's ambitious and relies on network effects (which can be a good thing or a bad thing).

4. Blindpay - Stablecoin API for international payments

Blindpay is a Stablecoin PSP that helps developers integrate stablecoins into their existing payment flows. Core use cases are global payroll, payouts, merchant settlement, business invoices, and remittances.

🧠 Catching a theme here? It's literally another one. I must see 10 a week and they just flash across the screen.

Things to know 👀

Elon Musk's X (FKA Twitter) announced the launch of a digital wallet and peer-to-peer payments services provided by Visa. X CEO Linda Yaccarino announced in a post that X had struck a deal with Visa for X Money, powered by Visa Direct.

US X Money Account users can fund a wallet and transfer money in real time with their debit card, competing with Venmo and Cash App. X Money is launching in Q1. Deals with more financial partners are coming soon.

🧠 Was this the worst-kept secret in Fintech?

  • X has been slowly buying Money Transmitter Licenses (MTLs)

  • X Payments LLC is licensed in 41 states

  • Every Fintech infra company was vying for a piece of this

(Note Sardine* is a provider of anti-fraud and AML solutions too 😁)

🧠 They're starting small, with the US-only user base and Visa Direct.

  • That's still significant, with 95m registered users in the US.

  • The first use case is letting creators accept and manage funds for content without 3rd parties

  • If even a quarter are active that makes them a major wallet player (that’s a big if though)

🧠 I can't help but see this in the context of the wallet wars.

  • If X becomes your Everything app, it would move to control money and identity. Musk companies often start with an MVP, but iterate incredibly fast from there.

  • Big tech has constantly let us down in payments. I’m hopeful this finally turns the corner and becomes more than meh.

Barclays customers have been unable to access their mobile, online and telephone banking. Some are complaining of missing or incorrect balances, while others are unable to make rent payments or pay their tax bill.

🧠 This is a timely reminder that bigger isn’t better. Barclays hasn’t communicated the cause or when it might be fixed. Corporate-style comms isn’t good enough in these moments. We need CEOs on TV.

🧠 You can bet behind the scenes, staff are scrambling. I have no doubt people are working all weekend to make this right, but that, in itself, is not right. The systems, processes, tech, and governance of the 1990s are not ready for a 24/7 world.

🧠 Barclays was once the leader and the innovator. It was the first UK bank with an ATM, credit card, and P2P payments app. But now it’s closed Rise*, its innovation program (I was involved in that in a past life).

🧠 UK banks generally are in a malaise. HSBC closed its Wise competitor, Zing, and is exiting investment banking. Lloyds is investing £1.3bn to make £1.5bn over 3 years (?!), and Natwest is still trying to work off its debt from the financial crisis.

🧠 The big banks aren’t dying; they’re eroding. They’re still profitable and big, but they’re sitting ducks. Their margin is everyone else’s opportunity. This week, Revolut announced that they’re getting into commercial real estate. I’m not surprised. Watch them expand products dramatically.

Futures: This is a “mass market moment” for futures contracts that had until now been available only to sophisticated investors. They’ll offer stocks, commodities and crypto. Futures don’t lose value over time like options do and they’re a lot less confusing in language.

Tokenization: Robinhood is pushing hard to tokenize (turn into crypto tokens) private stocks like Space X and Anduril. This would bring consumers into otherwise hard-to-reach private markets and allow them to benefit from growth, says the company.

🧠 Robinhood has always been an innovator. In an age of memecoins, launching futures and private market stocks doesn’t seem that crazy.

🧠 The early UI looks great. This is where Robinhood excels, creating the simple design language for complex financial products.

🧠 With great inclusion comes great risk. “Democratization of growth” also means democratizing massive amounts of risk. I’m curious to see how they stay the right side of that line. They’ve been hurt, and hurt others before in this space. Perhaps lessons learned.

🧠 Robinhood got their policy game face on. With an op-ed in the Wall St Journal and a 2025 policy agenda, it’s clear Robinhood sees an opportunity to reshape the market in an age of deregulation.

🧠 Sophisticated investor rules are stupid and need changing. This is one of the few All-In podcast talking points I actually agree with. Having a lot of money doesn’t make you sophisticated; it makes you privileged. Crypto has created more wealth than owning a home and a 60/40 portfolio ever did for the working class.

🧠 De-regulation cannot mean no regulation. What are the guard rails here? What are the acceptable limits of buyer beware? Because if we remove all the rate limits, this will go horribly wrong. Please, tread carefully.

Good Reads 📚

Eric Newcomer covers the truth behind the accounting platform Bench, whose former founder went viral with a thread about "VCs replacing a founder." Famous VCs and tech Twitter lined up to offer support, including the Shopify CEO. Fundamentally, this service-intensive business needed to scale without hiring more bookkeepers. Two-thirds of engineering resources were dedicated to becoming a banking business, and the company was burning cash. The choices appeared to be to sell, get a new CEO, or pivot.

As Eric writes, "One person involved in the saga said this was just a case of 'everybody trying to do their best in a tough situation.'"

🧠 I'll admit I was on the founder-first bandwagon with a Twitter thread many saw (although I later issued a correction).

🧠 Social media craves business stories, and simple narratives often win. Complex ones are much harder to sell.

Tweets of the week 🕊

That's all, folks. 👋

If you're enjoying this please do tell all your fintech friends to check it out and hit the subscribe button - and remember, sharing is caring.

(1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees.

(2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a *. None of the above constitutes investment advice, and you should seek independent advice before making any investment decisions.

(3) Any companies mentioned are top of mind and used for illustrative purposes only.

(4) A team of researchers has not rigorously fact-checked this. Please don't take it as gospel. Strong opinions, weakly held.

(5) Citations may be missing, and I've done my best to cite, but I will always aim to update and correct the live version where possible. If I cited you and got the referencing wrong, please reach out.