ABCs of Regulatory Compliance for Startups

Compliance with U.S. and/or international regulations can prevent costly fines and embarrassment, but it also protects your business from fraud and other illegal or unfair practices. In addition, a proactive approach to establishing compliance protocols and working with regulators strengthens your company’s business model, makes you more attractive to investors and partners, and can greatly mitigate any regulatory actions - if and when a regulatory agency decides to audit or visit your business. Below are some of the “ABCs” or key tips to compliance for startups - in just about any industry:

1. Become familiar with who your regulators are or will likely be. There are countless national, state, local, and foreign regulations which may impact your business now or in the future; whether you are in the financial, medical, agricultural, IT, or other sectors. You may only need to be concerned with one or two regulators, but if you are in financial services, you will likely need to understand the laws and regulations of five or six agencies. Do not fear reaching out to a regulator proactively (directly or through your legal counsel) in order to clarify issues and receive guidance.
2. Apply a risk based approach to compliance. Assess and understand your vulnerabilities and allocate the appropriate time and money to managing those business and regulatory risks - in line with best practices for your sector. Re-evaluate your risk profile as your company changes and grows. Continuously ask yourself questions such as: “How well do I know my customers, partners, vendors, etc? Do my ‘know-your-customer’ procedures adequately tell me who I am dealing with when it comes to new customers and on-going monitoring? Do I need to implement any automation tools to manage my regulatory compliance risks?”
3. Demonstrate that you have put thought and effort into formulating a compliance plan. Written policies and procedures should explain the mechanisms for effective compliance to all your employees and any auditors or regulators. (Note: your compliance controls will change and improve over time.) A Compliance Officer should be designated (required in some cases), however creating a culture of compliance is very important. Training is key to informing all employees about risk and internal controls, and reminding them that they are all in charge of protecting the business.For some types of businesses, you can further reinforce your compliance mindset by noting directly on your website (for example): “Company A complies with regulations XYZ as established by Government Agency B.” Not only will regulators appreciate the transparency, but this will also build trust (and brand reputation) with your customers.
4. Document and maintain key compliance information. Your company should have an appropriate and well-organized record keeping system (whether hard or soft copy). Documentation should include your written policies and protocols (including previous and current versions), reports and communications with authorities, and case files if needed.
5. Prepare for Growth - Scale your Compliance Program. As your business expands to other cities, states, and countries, start reviewing the agencies and regulations that may impact you. Consider legal counsel to navigate potentially complex foreign regulations. A new array of risks accompanies cross-border transactions, whether in the form of money, goods, or information.

In much of the world regulatory compliance is, much like taxes, unavoidable. However, for your company a sound compliance plan can be a competitive advantage relative to other startups and even well established organizations. “Building compliance into the fabric of a company positions it to deal effectively with the regulatory and competitive challenges of growth.” In conclusion, know your risks and the relevant regulations and be able to demonstrate that you do! Being proactive rather than reactive is best when it comes to regulatory oversight of your business. Jean-Paul Duvivier is a mentor in the Envestnet | Yodlee Incubator.

Sample Selection of Regulatory Resources

• Business Oversight
  • California Department of Business Oversight
  • New York Dept of Financial Services
• US Financial Regulators
  • Federal Financial Institutions Examination Council
  • US Financial Crimes Enforcement Network
• International Standards for Financial Organizations
  • Financial Action Task Force
  • Basel Committee on Banking Supervision
• Health & Safety
  • US Dept of Health and Human Services - Laws and Regulations
  • California Health and Safety Laws and Regulations
• Departments of Agriculture
  • US Department of Agriculture - Laws and Regulations
  • California Department of Food and Agriculture
• Data privacy
  • US Data Privacy Laws
  • International Data Privacy Laws
• Risk Assessments
  • Money or Value Transfer Services
  • Conducting a Risk Assessment
  • Sample Bank Risk Assessment
  • Habitat for Humanity Risk Assessment
• Policies and Procedures Templates
  • Anti-Money Laundering Template for Small Firms
  • Sample OFAC Policy
  • Operational Risk Management Policy
  • HIPPA Security Procedures Resource Manual
• Agencies to consult for cross-border business
  • US Department of Commerce - export regulations
  • US Department of Treasury - foreign asset controls / sanctions regulations
  • UK financial regulatory authorities
  • German financial regulatory authorities
  • China Banking Regulatory Commission
  • China Securities Regulatory Commission