Regulatory Debt
The hidden cost of taking on more risk than you can manage


There’s an irritating sort of consensus—particularly among early-stage investors—that the only way to make serious money as a new bank or payment service provider (PSP) is to start with a very high risk appetite.
There are kernels of wisdom in this belief:
- Clients with high-risk attributes are, as a rule, underbanked—and sufficiently so that they’re often willing to sign up with another bank or PSP just to mitigate the risk of losing an existing one.
- They’re often willing to pay more to obtain banking and payment services as a result.
Add the two together and it can look like high-risk customers are an easy win: they’re comparatively easy to acquire, and they have a high willingness to pay. But, if high-risk customers are genuinely such an attractive opportunity, why isn't every new entrant rushing to serve them? And why do the incumbents seem so bureaucratic and heavy-handed in their approach?
Who actually services high-risk sectors?
There are basically two types of providers to high-risk sectors:
- Sophisticated, well-established providers who know what they’re doing. They’ve invested in their risk infrastructure over a long period of time and have the data, experience, and people needed to run their business while keeping risk under control. As a client, it might feel invasive to work with them, but their questions aren’t stupid and they know what to look for.
- You, the new entrant trying to speed-run your first 1-10M in revenue.
It has been my experience that most high-risk clients will be indifferent as to which of these you are. You might think they prefer the latter (after all, you’re lighter-touch from their perspective), but if they’ve been around the block a few times they’ll know that your lighter touch comes with a different risk—regulatory debt.
Technical debt vs regulatory debt
Before we get into what regulatory debt is, let’s talk about technical debt.
Technical debt refers to additional work created in the future as a direct consequence of choosing a more expedient near-term solution over a more robust long-term one. Technical debt is often described in pejorative terms, but early startups are allowed (encouraged, even!) to accrue a certain level of technical debt because the first and hardest problem they need to solve is product-market fit, not scalability. A lack of scalability is a disease that only afflicts survivors.
Regulatory debt is, similarly, a conscious business decision to take on more risk than you are able to manage in compliance with law and regulation, with the hope that you’ll be able to catch up before you get into trouble.
Having been in the fintech ecosystem for a while, one thing I've noticed is that most businesses that take on regulatory debt don't make that decision with complete information:
- They don't calibrate risk appetite at all, beyond rejecting the most blatant instances outside of appetite (particularly fraud, since it comes back to bite them quickly).
- They pay lip service to the potential impact of legal or regulatory action without actually understanding what the cost of running a poorly-managed risk and compliance environment will be.
Because they choose to under-invest in compliance and risk management infrastructure, they not only take on more risk but also tend to operate without visibility into the level of risk they have actually assumed.
At this point I should draw a clear line between regulatory debt as a conscious decision and the accidental overshooting of risk appetite, because it’s hard to tell from the outside.
When one looks at many of Europe's most successful challenger banks and payment companies, almost all have been hit with some level of fine or censure for risk and compliance failures—but only some wound up there as a result of actively choosing to take on regulatory debt, while others ended up there by accident.
Frustratingly, this often leads companies that have chosen to take on regulatory debt to believe that “everyone does it”, which is definitely not the case.
Regulatory debt is a losing strategy
The reason debt is a handy metaphor here is that it has to get repaid. And very few companies that choose to take it on also pay that debt off in a proactive fashion.
When regulatory debt comes due, the consequences are swift and severe: frozen operations, substantial fines, and sanctions against leadership.
Add the above together and the net effect is that many companies that actively choose to take on regulatory debt end up with it either (a) killing the company outright or (b) freezing its growth for a time period that is measured in years.
Why does a losing strategy persist?
I suppose it persists for the same reason that venture-backed companies exist in general—even knowing the odds are stacked against you, there is the (in this case, misguided) belief that if you are one of the winners it will have been a factor in how you won.
The difference here is that taking VC money doesn’t increase the likelihood that your business fails (contrarians will want to disagree on this, but realistically taking VC money dramatically increases odds of survival/success)—whereas choosing to take on regulatory debt significantly increases the likelihood that this choice comes back to kill you later.
In conclusion...
This post in one form or another has been sitting in the back of my mind for about a year.
One of the things we've always chosen to do at Griffin has been to make sure we're really conscious about the risks we choose to take on, and regulatory debt was one of the risks we knew from day one that we weren't interested in taking on. Over the years we've seen lots of players—including direct competitors—choose otherwise; and in the large, that choice led either to demise or irrelevance. We care a lot about the success of the fintech sector as a whole, and it's painful to watch founders and teams invest years of their lives in a strategy that will not end well for them.
My hope is that this post goes some small way to encouraging people who are at the decision point to think really carefully about whether it's worth it, and hopefully to decide to pursue the same strategy we have of really investing in risk management and compliance from day one. That doesn't have to be expensive—and although it might mean you move a little more slowly, the benefit of avoiding landmines that kill your business later is well worth it.