Fintech Layer Cake

Discover and Google Lessons, and Recent Compliance Trends with Zarik Khan

Lithic Season 2 Episode 29

In this episode of Fintech Layer Cake, host Reggie Young speaks with Zarik Khan, Head of Compliance Testing at Flex, about the critical role of compliance in fintech companies and how it impacts long-term sustainability and growth.

Zarik shares his unique insights gained from his extensive career at major organizations like Discover and Google, and now as a compliance leader at Flex. They delve into effective compliance strategies, the evolving fintech landscape, and the potential implications of major industry deals like the Discover and Capital One merger.

This conversation is packed with practical advice and thought-provoking insights for fintech leaders and compliance professionals.


Reggie Young:

Welcome back to Fintech Layer Cake, where we uncover secret recipes and practical insights from fintech leaders and experts. I'm your host, Reggie Young, Chief of Staff at Lithic. On today's episode, I chat with Zarik Khan from Flex.


In case you haven't encountered them yet, Flex is a fintech that's aimed at making rent payments more flexible. Zarik has fascinating payments compliance experience beyond Flex, though. He spent nearly nine years at Discover, has worked as part of Google's marketing and payments internal audit function, and much more.


Zarik is also the publisher of the newsletter Fintech Compliance Chronicles, which is read by thousands. I've been a reader since it started in early 2023 and find it to be a great way to get a pulse on key practical fintech compliance happenings. I love his thoughts on the potential Capital One Discover deal and all the practical considerations that I haven't really heard other folks talk about, as well as his general lessons from his time at both Discover and Google.


If you're going to Money 20/20 in Vegas this year, I'll be there along with a handful of Lithic colleagues. If you're interested in connecting while you're there, feel free to reach out to me or fill out a contact form at lithic.com/contact.


Fintech Layer Cake is powered by the card-issuing platform Lithic. We provide payments infrastructure that enables companies to offer their own card programs. Nothing in this podcast should be construed as legal or financial advice.


Zarik, welcome to Fintech Layer Cake. I want to talk a lot about effective compliance functions and testing and all the brass tacks of how to run compliance things well, and how that can definitely be an asset for a fintech company if it's done well. We'll get there, but as someone who works at a card-issuing processor, I feel like I just have to start talking about Discover and cards and card networks. You spent nearly nine years at Discover in compliance roles. What were some of your top takeaways and insights from that time?


Zarik Khan:

My actual area that I worked in was internal audit, but very much with heavy compliance focus as part of what I covered. I think the amazing thing about internal audit, which is kind of why I've done it for a good chunk of my career, you actually get to see a bird's-eye view of any company you're looking at. In my case, I ended up being responsible for the entire card-issuing business. Discover has also the network side of business that they also have some ownership over, but my responsibility was for the card issuer, the issuing bank as it were.


One of the takeaways, I think the biggest takeaway I got working at Discover for close to nine years, was the importance of essentially understanding how a product and a business really work. When you come back to the bird's-eye view, you're basically looking at something completely end-to-end. One of the things I was able to do was rebuild the entire coverage model for internal audit to actually look at this product, because, ultimately, it's through the end-to-end functioning of that product that you're going to have these various compliance regulatory risk touchpoints arise. This is a consumer-facing product. The regulatory applicability, especially from a lot of [relations] is very significant, so whether you're talking about underwriting, marketing, collections, customer service, fraud, risk management, you name it, I think a lot of different touchpoints that emerge.


I would say one of the most exciting parts was getting the opportunity to work regularly with a lot of folks in C-suite. Had an opportunity to work with our CEO a couple of times, the company's president, SVPs. For somebody who had not had any banking experience prior to that, was still close to maybe five, six years out of college, this was an amazing growth and development opportunity. I'm very grateful to have had those experiences.


On the other side, which for me was also a valuable learning experience, some people may not necessarily see it as exciting as what I said earlier, but I got to work with regulators, so getting to connect with folks from the FDIC, CFPB, and the Fed on a very regular basis. A couple of these agencies actually had an office on our premises at Discover. It was very much absolutely not, oh, there's a boogeyman of the regulator, but they're there. We had conversations. We'd run things by them. There'd be regular calls. There'd be exams where requests would be made. We'd share information, etc. I think, all in all, building good working relationships is really the main takeaway, whether you're working with regulators, whether you're working with people actually in the business.


I think the other thing is don't forget who these products are being built for. There's a difference between having and creating products, especially as sometimes fintechs tend to get in the trap of, oh, this seems really cool. You could argue that's one of the things that has been a challenge for the crypto world and blockchain and Web 3, is, oh, this just seems very cool. It's very interesting and awesome to build, exciting. But is it really useful for the average person who's just trying to consume products, maybe doesn't have a lot of the technical expertise?


I think the last thing I would say, the insight that I gained at Discover is that compliance is actually good for the bottom line and the sustainability of the company. Unfortunately, one of the challenges Discover is facing right now is they do have a $300 million compliance issue that ultimately, shortly after that, you then heard the news that they were entering an agreement with Capital One to basically be acquired. I don't have the insight into the thinking of the organization. I haven't worked there for about four or five years now, but one almost has to wonder whether that regulatory headwind essentially pushed them to take that step. Again, if that doesn't happen, does Discover even end up in these current circumstances?


Reggie Young:

Yeah. It reminds me actually of something, a framework that I learned from Matt Janiga around is your company in the revenue creation or revenue protection mode? Compliance, legal stuff, super important as you transition to that. I mean, always important, becomes increasingly important as you're in that revenue protection mode because, yeah, you can get hit with some big fines if you're not careful and that can eat away. You can have a great profitable business, but if you're doing it in a non-compliant way, there goes all your revenue.


Zarik Khan:

That is one of my favorite minds in the legal compliance space.


Reggie Young:

I love your point about thinking about who actually uses the product, too. One common theme I've gotten from talking to compliance and legal folks on this podcast is at the heart of all regulations is customer centricity. It's just such a good North Star. It's not just about good customer experience, but it has so many other benefits for your risk functions, for your compliance functions, for your ops functions. Hey, if you're customer centric, you're probably going to get fewer support tickets and need less support ops. It has all these trickle-down effects, so love hearing that bit.


Okay. You wrote a series of articles back in February of this year, 2024, on the Capital One announcement about their desired acquisition, we'll call it, of Discover. Your piece got a lot of attention. What was the gist of those pieces?


Zarik Khan:

Actually, the whole series of pieces that I ended up writing, it actually started off with just a basic LinkedIn post, not even an edition of my newsletter, where, essentially, after hearing the news, I was on a lunch break at another job I was working at, and I basically typed up a media and fintech industry callout for how they were covering this news, really focusing on, oh, this is so cool from a technology perspective, and oh, two longtime heavyweights said, oh, so much interesting things that could happen as a result of this. My callout was you're not talking about the broader implications for the actual consumer, or more near and dear perhaps to me, the 40,000 to 50,000, maybe 60,000 total employees between both companies that are going to, one way or another, be affected through this whole thing.


That post actually ended up being the initial piece that got a lot of attention. I think, to be frank, a lot of it was from folks who are currently or previously at Discover who felt that this was getting their voice out in a way that perhaps no one else was amplifying. There were some folks from Capital One as well who supported and appreciated the post. So then what that led to was this four-part series. At my newsletter, Fintech Compliance Chronicles, we love to do these multi-part series deep dives. This ended up being a whole deep dive.


I think it came down to what does this deal mean from different dimensions? It happened over maybe the course of a week. Normally, these deep dives, they take one per week. So it can end up being like a month as we dig through a topic. Firstly, we focused on what does the deal mean for shareholders, for customers, for people, which is the employees, and even things like the tech stack. Capital One is very well renowned for how they've utilized technology to essentially become a leader in the space, and especially behind the scenes as well.


The second part was focusing on what does this deal mean for the brand? You have two iconic brands. Does Capital One just absorb the Discover brand and we never see the iconic Discover logo anymore? Discover has technically been around about nine years longer than Capital One. And then what does it mean for the products? Because to some degree, yeah, you've got a network that Discover has and Capital One doesn't, but then you also got a lot of businesses that are very common between the two. So do those businesses get merged? Do some of the other businesses get shut down?


The third part was the meat of what we love to talk about, was the regulatory issues that are actually already on the table. Discover has two or three that are actually still in progress. The analysis we did focused on, is Capital One going to now absorb those issues? Is the deal that, hey, we're going to help you get these resolved at a quicker pace than you would have if you hadn't made the deal with us, and that'll be a good point for us to actually then move forward?


And then the last piece focused on, I think what Discover is really well known for in addition to the network is basically pioneering rewards. What are the implications on credit card rewards as a whole coming out of this deal? And then even digging into the 10-K that both companies issued shortly after the announcement, which looked at a lot of the risks that both companies thought about. What if this deal happens? What if this deal doesn't happen? Essentially, it's like four, maybe five parts that we covered.


We also have done occasional follow-ups as news develops on the progress of the deal. For example, we did a full day where we basically covered the public hearing that the regulators did on the deal about a couple months back live. That was a whole fun project.


Reggie Young:

I'm curious. I remember that happening, but I wasn't able to listen in. What were some of the top two moments or takeaways from it?


Zarik Khan:

My biggest takeaway from that, frankly, for me, is I've never sat through one full public hearing before.


Reggie Young:

They're long.


Zarik Khan:

They’re very long, yes. It's actually a little underwhelming because most of it seemed to be community organizations that Capital One and a little bit of Discover, mostly Capital One, has partnered with in the past. What we talked about in our piece is that from the Capital One side, by bringing them on, the argument was that, oh, you should do this deal because Capital One is a great philanthropic organization. I'd scratch my head because that's not an argument that is necessarily going to be the primary reason a regulator signs off or doesn't sign off.


By contrast, there were only a handful of actual customers who came in. They were not just customers on their own, but usually, they were customers associated with competing advocacy-type organizations that said, this deal is bad for consumers and we've been fighting against predatory financial organizations like these for a long time at highest interest rates, etc. It seemed like just a lot of this side is very entrenched and this side is very entrenched.


I think it was interesting, Maxine Waters came and gave her two-minute, three-minute view on the deal as well. She didn't necessarily say outright she was against it, but she expressed the skepticism that I think has been the posture from her side. It was interesting, but I don't think there were any earth-shattering insights that came out of the deal or out of the hearing. I think the regulators are going to have to do a bit more analysis on their side to decide what they're going to ultimately end up deciding.


Reggie Young:

Yeah, that makes sense. That's been my experience when I listened to those hearings. It's like, oh, this is all what I expected from the typical trade groups and views. To your point, Waters is not going to come out and be staunchly against or for. These are going to be like, no one takes clear positions because it's still being figured out.


To circle back to your initial answer on Discover and Capital One, one of the implications of what you're saying is that this isn't just an acquisition of tech assets, which I think is an important fintech observation. I feel like this is a difference I see between folks who might be new to fintech or who have been in fintech for several years, is this understanding that a product is not just the tech in fintech. There's all the ops. There's all the people. There's all relationships. There's the referral networks or distribution networks that facilitate their product. There's so much more than just a simple, we're buying the code. I think the way you were talking about the Discover-Capital One potential deal really reminded me of that.


That brings us to the million dollar, or I guess $53 billion question, is this deal actually going to happen?


Zarik Khan:

I think the easy answer that I'll give is it depends. The reason for that is we have an election campaign going on and not just at the presidential level, but also I think most notably at the Senate level. I can't really say that we've heard from the political side of things, one side really come out in favor of this deal and one side come out against this deal. But I think the reason for that is this deal and approving it hasn't really struck me as something that I've been hearing is a priority for regulators. As opposed to something like the CFPB's 1033 open banking rule, what I've heard is that the intent is to actually get that rule finalized in October.


So something like this- I think a better answer to that question, is the deal going to actually happen, probably if you ask me in December, I'll be able to give you a bit more straightforward of an answer. I think a lot of that just has to do with, particularly for the CFPB and their say in the matter, who's basically going to be appointing the folks running those agencies. I think that makes a huge difference naturally.


Now, in the past, when 2016 happened and there were some changes to folks in charge, you brought Michael Mulvaney in at the CFPB, to many folks' surprise, there wasn't actually a decline in regulatory activity. If anything, there was a lot more targeted focus on certain types of activities and the sort of- what's the word I'm looking for here? I wouldn't say punishment, but the sort of wrath for instances of perceived wrongdoing by the regulators actually got even harder in a much more targeted lens. I wouldn't necessarily say that, oh, okay, let's say you get a full Republican GOP sweep, that, oh, this means that this deal is a lock it's in. There could still be a surprise here in terms of what actually ends up happening with the deal. But it kind of pushes the odds one way or the other, at least in my mind.


I would say, I think what is to be noted about Discover specifically is- again, this is not from anything I've heard inside but just my observations of what has been happening. This piece has not really gotten a lot of discussion. Discover is now at its fourth CEO in pretty much the last 12 months. They started off with Roger Hochschild back in June, July 2023, who had been the CEO up to that point. And then this $300 million issue gets announced. And shortly afterwards, he steps down.


One of the board members, John Owen, he steps in on an interim basis. Then they bring in Michael Rhodes to be their actual CEO. And then shortly after the deal gets announced, he announces that he's leaving to go run Ally. And then Michael Shepherd comes in as the new interim CEO. Again, he has the interim title. Depending on how long the discussions for the deal go, there could be yet another CEO because Shepherd has made it clear he's the interim. He's not intended to be the permanent CEO. Interim likely, the thought is that, well, the Capital One deal will get done, and then who knows if Discover will be the CEO.


The point of bringing that up is this is a company that is not really looking at itself as being an independent organization for the long haul. It is all-in on this deal. I would say that if this deal doesn't happen, I think Discover and its board- they've already sold off their student loan business.

It doesn't strike me that they will be in a position or really with the compliance activity be able to just go back and say, all right, well, we'll just go back to being independent, or they will probably try to be bought by someone else. There are certainly other folks that, the network being the crown jewel of the acquisition essentially, would be interested in that.


Reggie Young:

Yeah. It's an interesting gloss to all the M&A discussions. Oh, if these fall through, sometimes companies have to find another exit that's not as good. Not every blocked M&A has the experience Plaid has been through.


Zarik Khan:

Yeah. And it's very interesting. I mean, the regulators just released some new guidance on bank mergers, specifically looking to- perhaps this could be relevant to the Discover-Capital One talks. The gist of it is their intent is to make sure that bank mergers are beneficial to the communities of the customers of these banks. Interesting to see if this is their indirect response to the hearing perhaps.


Reggie Young:

Yeah. It's interesting. I hadn't thought of that. Would love to chat a little bit about your audit experience at the Google marketing payments function, because I think fascinating company. They do lots of interesting payments initiatives that have maybe not totally gone through. There's always a running joke in fintech of how Google rebrands their payment products every year and a half. Would love to hang out on the topic of your experience at Google for a little bit. What were some of your top insights and lessons from that time?


Zarik Khan:

I was there for just over two years, and what a change from Discover where, granted, Discover is a very nimble company. They don't consider themselves, say, a true bank, but they are, for all intents and purposes, still a bank, and moving to a tech company, for all intents and purposes, Google was a fascinating switch. I actually started during the pandemic, joined in September 2020. That's a fascinating experience to just jump over to such a massive organization during such a strange time in the history of mankind.


I think one of the insights I had is just working at such a large global company with a lot of products and a lot of different business lines. It's very easy to get lost if you don't at least have a high-level appreciation for how the company is laid out. I would say that's true for any organization, whoever is listening to this, whatever type of company they work for, just get an appreciation organizationally for how the company is laid out, whether that's in terms of product divisions or in terms of the org chart, because it really just helps you figure out who is important to your day-to-day working and who is maybe less important but still somebody that you want to find a way to stay connected with for various other reasons.


I would say another insight is at times, because there's so many products, it can be difficult to figure out how they all tie together. I would say that's more of a Google-specific item. Google's been around for well over 20 years. They have dipped their toes into so many things since they started off as a search engine. Some of it is a byproduct of just the company has chosen this model of, hey, we're a large organization and we have this umbrella, but some of these divisions, like the Other Bets, for example, they almost run as independent companies. Thus, the Alphabet idea came. It's like, okay, we're going to have the structure at Google is going to be one of the bets. But then you have all these other companies like Waymo, for example, that very much has its own CEO, has its own line of folks, but ultimately, they all roll up to Alphabet.


In some ways, it’s just trying to find the narrative thread between all of those beyond just, hey, we're trying to organize the world's data and make it useful, which is their mission. It can be a little hard to see that in some of the places, especially because data is such an important part of everybody's day-to-day life and every waking minute at this point in 2024.


I would say another insight from a payments perspective, I think they are very well set up actually from a regulatory point of view. They have licenses in various jurisdictions, wherever the Google Play product in particular is available. I had the chance to work with some very sharp legal and compliance minds based in the UK, in India, Singapore, Brazil. For me, it was a great opportunity to learn about how that process works in terms of getting licenses from various central banks that if you just work for a US-centric company, for example, you'll never get that exposure to them. It actually created a lot of interest for me in just understanding how these regulatory bodies work. In turn, you also get a chance to interface, on occasion, with those international regulators.


The other insight, I would say, is that this is an organization that's essentially run by engineers. It's going to be different than an organization that is run by bankers or run by business people. That comes down to the culture, the way folks dress. You're probably not going to see folks in shorts and flip-flops running around at a bank, but you'll probably see that in a Google office, especially in the summer.


And then I think the leadership style, the company's ethos of leadership and how folks who are in leadership roles tend to lead is a little bit more in that lead by example and roll up your sleeves. Again, coming back to this organization of engineers. These are folks who have been in the trenches before and they understand how it is to get your hands dirty, which I think is something I really appreciated while I was there.


Reggie Young:

Definitely. I like that last point of how an org is run, whether it's run by engineering, whether it's run by more- some orgs are run more by product teams, by marketing teams. It varies a lot by the type of product you're selling and that has big implications for compliance and legal and other functions.


On that topic of compliance functions, you run the testing and assurance function at Flex. What exactly does compliance testing entail? I think it's a super important role but, I think, a little less well understood. People hear compliance and they think AML, they think KYC, transaction monitoring, that kind of stuff. I feel like testing doesn't get a ton of attention. What exactly does that function entail?


Zarik Khan:

I think sometimes you hear the word monitoring, compliance monitoring. You could argue that testing falls under that umbrella as well. But essentially, when you talk about testing, we are just another piece of the puzzle for what is more commonly, and especially in the eyes of a regulator, known as a compliance management system. Any compliance organization is going to have its governance and then day-to-day operations, which can include things like the BSA, AML, financial crime, day-to-day operations, if you will.


This all starts with, as a compliance org, or actually, I would argue, at a company org, you have to essentially know the risk that company can be exposed to, or essentially what's called a risk assessment. This is basically a company's view, a compliance team's view of what regulatory risks apply, and then from that, what regulations are applicable to your institution.


Coming back to testing, I would say why we do it, we're not a directly regulated institution ourselves, but we work with partner banks that are under the supervision of those regulatory bodies. It's on us to be good partners to those banks and essentially operate as though we are regulated as well, because we're basically an extension of their business.


What we do in testing, I mentioned the risk assessment earlier. This is our way of essentially doing a deep dive into whether or not we, as an organization, are compliant against the regs, very much like sometimes, not all the time, but sometimes just here's the regs and then here's our business and let's interpret whether the way this business works, pull out the operations that could be applicable to these regs and see if we're compliant. This is really getting into the guts of transactions, interactions with customers, marketing scripts, marketing advertisements, payments, just how our payments are processed and so on.


The key to success here really is to think exactly as an examiner would, against regulators like TILA, the alphabet soup. These regulatory bodies, the CFPB in particular, their examination manuals are publicly available. It would behoove anybody who is doing this sort of compliance testing and monitoring type of function to actually take a look at those and potentially even adapt those into your testing approach.


Reggie Young:

I want to hang on risk assessments for a little bit, in part because I feel like this has been a common theme in consent orders recently. I feel like a lot of consent orders have said, hey, banks, you need to go do a risk assessment for your fintech programs. It's a funny check-the-box sort of thing, but it's really about doing the exercise to make sure that you've taken that second to think about what are we doing, what is this going to expose the company, obviously, from a compliance perspective.


Risk assessments typically will have a compliance layer and then an actual risk, a financial risk exposure, an operational, do we have redundancies in plan in case a cloud provider goes down, those sorts of things. They're obviously compliance-focused risk assessments, but I'm hearing that this is an expectation from banks more and more from fintech. So you want to launch this product, show us your risk assessment so that we have to do our risk assessment. It's just like a good initial step to kick the tires on programs. Yeah, interesting to see that stuff will become more commonplace.


More broadly, what are the hallmarks of a good compliance function? I'm particularly curious to hear your thoughts given that you've seen the spectrum from Discover, more bank-type organizations, to an engineer-run Google, and now to Flex and everything they're building over there.


Zarik Khan:

I think the key is your actual understanding. That's a very broad answer, so let me deep dive into that a little bit. I did talk about this at the beginning and I said, the biggest insight I learned from my time at Discover was you have to understand the business you're working with. And then the other side of the spectrum, when you just step out of your business and you look at what regulations you're subject to or what's going on in the industry, when you talk about regulations, you really need to understand the intent behind it and actually keep up with emerging trends and risks.


I think the point is that coming back to the understanding point, without understanding your own business, without understanding what's going on outside your own business, you're either going to run into this problem where you'll be that type of compliance professional who's just going to barrel into an area without speaking the language of the people who are running that business, and you run the risk of your compliance function becoming more of a check-the-box activity where, on the surface, you think, okay, this works, or okay, this is just all wrong.


But even if let's say you do just say, okay, this whole thing doesn't seem like it applies, I don't really get it, here's a bunch of findings, but that's not going to necessarily lead to a meaningful remediation, internal remediation process, where the person who receives those internally, you're going to actually be able to do something meaningful about it. The odds are that you might run that same test again down the road and you come up with the same thing, and then you're sort of, all right, well, let's do the same thing, it looks like what we did the last time didn't work. 


Eventually, and perhaps even before you get to it the next time, some outside party, whether it's your bank partner or whether it's a regulator, is going to come in and say, well, we found all this stuff. And then not only are you going to get called out for that again as a company, but now your compliance function is going to be brought into question for its effectiveness. You're sitting there saying, well, hey, I barreled in and I called this out. But you didn't really, did you? I think that's a risk of not understanding, speaking the language of the organization.


On the other side, you might very well just be a compliance function in name only. And you're still checking the box, which is still not right, but now your attitude is different, where you still understand it, but you're leaning more perhaps favorable to a business's operations, and you say, yeah, you know what? I think it's fine, it's not an issue. Yeah, I think it's fine, it's not an issue. Suddenly, you're on the front page of Fintech Business Weekly getting called out. I think that's the two risks that you run with lack of understanding.


I would say, talking about on a more positive front what the hallmarks of good compliance function are, I think is coordination with all dimensions of an organization, especially the larger the institution gets. What I'm talking about here is, as I mentioned at the beginning, I've spent most of my career in internal auditing. We work very closely with people who are in the actual compliance function and second line. And we work closely with people who are in, I think what is commonly known as the 1.5 function, or it's the business risk function or first-line risk, which essentially takes what a third-line function would do, a second-line function do, and does it almost on a daily basis, almost like an in-house risk function for various or specific department. Coordinating and making sure that, hey, business also has to run, so let's not repeat the same test when, oh, one team has identified this thing. So let's all be aware of what we're doing and actually find a way we can coordinate our capabilities, that's super important as well.


I would say, just zooming out, less technical, more on the human side, the hallmark of good compliance function is one that values acting like a human being. Make sure that you do stand for what you think is right and keep a degree of independence. Obviously, be firm, seek to inform and educate. But the key, to me, is, I've really learned over the years, don't be a jerk. I think it goes a long way to the success of you as a compliance professional and ultimately your organization.


Reggie Young:

I think that's a really good point. One of the big lessons I learned at some point when I was at Bluevine is just the importance of human relationships to getting legal and compliance things done. We had Pooja over at Bluevine, great compliance lead, has a lot of great relationships. I figured out that, oh, there's inputs I need from various other cross-functional teams and the better actual genuine, open- I want to have a rapport with somebody before I go to them and say, hey, I need this, I think that's hugely important. It can really hamstring compliance and legal functions if they don't have good rapport.


You should circle back to your point around just understanding the business. I normally hear this being a really important thing for the product teams and the operation teams, but it's actually super important for legal and compliance. I think there's an interesting track where a lot of general counsels will end up pivoting over to chief operating officer. It’s, I think, similar for CCOs. When you're in a head legal, head compliance role, you have to understand the full business.


You talked about a lot of the downsides. I think one of the funny things I've seen is often, or not often, but occasionally, folks will come in and say, hey, we have to comply with this law. It's like, no, no, no, you don't actually understand the product. That isn't relevant. There are a lot of times where if you don't have the full breadth of understanding of what the company you're at or company you're advising is doing, you can take on more than you actually need to in some instances. It's a super important thing to actually practically understand the nuts and bolts of the businesses, what the products are, how they're working, etc.


Zarik Khan:

Absolutely. I would add to that. Even if you're a B2B business, I would argue, understanding it from that customer's perspective as well is, I think, super important, if there's even a way where you can simulate the customer experience on your end. One of the things that I've loved doing over the years, whether it's at Google or at Flex or at Discover, from a Discover perspective, it would actually be sometimes listening to the calls where there'd be recordings of folks calling in and actually getting the experience and interaction of Discover or testing out some of the apps in a QA environment, which is something that we were able to do at Google. I think these are other ways that you can get that understanding. But it's important to point out also the customer, again, whoever that customer is, whether consumer or business, is super important, too.


Reggie Young:

I would love to talk about your newsletter for a little bit. You publish the Fintech Compliance Chronicles, which all good fintech compliance folks I know read regularly. I imagine it has given you a good view into current compliance trends, things that are brewing. What are some of the more interesting, important trends that you think you're seeing right now that founders and fintech operators should be paying more attention to?


Zarik Khan:

I think one of the big ones that has really taken the industry a little bit by storm is CFPB's Rule 1033 proposal, which has to do with open banking. I won't go into too much detail on it here, but suffice to say, it is the hot topic of discussion.


I was at Finovate last week, Finovate Fall in New York. I think there were two or three panels. For those who know about Finovate, it's primarily a conference that is focused on allowing fintechs to demo their offerings. Then they have a portion of the program, which is more of the traditional panels and talks and speeches. I think there were at least two or three- in fact, there was probably a whole track that was just focused on nothing but open banking.


For those who know about open banking, it provides a lot of interesting potential for consumers to have control of their data. The product implications could be massive, exciting, but the regulatory structure needs to be there for something to work meaningfully like that. There are some products you could argue are out there in the US. I think Mint was a classic one, which is no longer with us. There's also the MX and Plaid approach as well. These are just a couple of the more well-known examples of what open banking has tried to look like in the US in the past. With this, it would actually be a lot more seamless, and you have less of that screen scraping that has unfortunately characterized a lot of those previous attempts.


With it, obviously, the CFPB released a, I want to say, 300-page proposal. We did a five-part deep dive on this last year, shortly after the proposal was released. Like I said before, I think they're now in the process of finalizing the rule, which will be published, sounds like, in October. So one year, essentially, they've had to get this thing hammered down.


Reggie Young:

I'm really curious to see the 12 to 18 months after the rule is finalized, what actual changes do we see. Part of me is skeptical and I was like, well, the US has had open banking. Is this really just adding certainty and a clear self-regulatory standard and operations? The skeptic in me wants to think that it's not going to be sea change. However, I would love to see some super innovative stuff. I would love to see some net new innovations happen. I'm very curious to see what happens.


Zarik Khan:

The thing to point out with this rule, you talked about 12 to 18 months, there's actually a provision that extends the compliance timeline to about five years for some of the smaller institutions. That is actually where I think you're seeing the most noise with some of these proposals, particularly from CFPB. If you read the comment sections of some of these rules when they're open for comment, it's where you get a lot of the pushback from credit unions and community banks in particular, because from their perspective, they're looking at it and saying, hey, our customers, they might benefit from this, but frankly, the cost for us, tech costs in particular, for us to even try to get to this thing actually working are almost going to be insurmountable for us.


The CFPB, essentially, what they've done with this four to five-year approach is just kick the can down the road and hope that that four to five years timeline gives these institutions the ability to actually build something meaningful. Whereas I think the institution is a little more skeptical that regardless of how much time you give them, that they're going to be able to afford to make solutions that are compliant with Rule 1033.


Reggie Young:

I think this is a part of my skepticism, that there's going to be sea changes. If there is, it probably will take time. I think there's an interesting analogy to RTP. It's like, oh, RTP is here, but it's not ubiquitous. It's not like these things take time just because open banking gets finalized doesn't mean- I think the initial 12 to 18 months is when I'm curious to see some of the nascent ideas and early stages of innovation that might happen, but it's not going to be like, oh my God, every bank now has this really- every fintech now has this really cool feature or new infrastructure. So I'm curious to see what actually happens.


How about other trends? Any besides 1033 that you're paying attention to?


Zarik Khan:

Yeah. A couple of months back, the CFPB put out another proposed rule attempting to regulate the whole paycheck advance earned wage access industry or products that have come up. I think they're inspired by how they come out and commented and attempted to regulate the BNPL space. This was another area that they saw emerging.


Essentially, what they're asking is you're looking at whether the regulation Truth in Lending Act, TILA, applies to these loans, which is the same route they took with BNPL when they put out their initial rule for that particular set of products. I think there's some folks, Alex Johnson in particular, who's done a lot of deep dive research and has some good conversations with folks on this. So I'd highly recommend folks to check out his writing on that.


One of the other things I would say is it's not anything particular where a federal regulator has spoken on it. This is actually part of the problem, is that the US doesn't have a federal privacy law on the books. States have started- I think CCPA from California several years back was one of the more prominent examples, but states have now started to attempt to fill the void. We're seeing more of these local, if you will, privacy laws begin to come on the books.


The worry is on one side, you could say, okay, this is great, you got more and more privacy laws. Consumers are going to be protected. The downside is that this is going to be a patchwork of regulations with different standards. Ultimately, if you're an operator listening to this conversation, it's going to create a massive headache for you to try and keep it all straight from a compliance perspective.


Reggie Young:

If you've navigated, somebody in California can opt out in these three ways, but somebody in this other state can opt out in these two ways. It raises the cost of doing business a lot.


Zarik Khan:

Yeah. Almost like which state has the most- some businesses just say, all right, we're just going to follow the most conservative state law. Well, which one is actually the most conservative? Then it has to be down to common interpretation at that point.


Reggie Young:

I'm a fan of the newsletter. I've been reading it for a while. Why don't you enlighten our listeners in case they're not subscribers?


Zarik Khan:

We publish once, maybe twice a week, just on various topics that are happening in the industry with a compliance focus on them. I think we've been around since January 2023. It's been fairly well received. Most of our audience is compliance officers, fintech founders, folks who are working in more traditional banking, etc.


One of the things we've recently launched is actually a premium offering where there's two dimensions to it. One is where we're trying to put on in-person and virtual events anywhere from one to two times a month. We actually held a recent in-person event as a sort of Finovate after hours, get together. It was a nice, more intimate gathering of folks around a dinner table talking about compliance and regulations and what's going on with their companies in a much more relaxed format.


Then the other piece is something that I'm really proud of. We've put together a database of all the, essentially, consent orders and regulatory actions, if you will, that have been taken by all the major regulatory global bodies. If you're talking about all the US federal regulators, also include the RBI in India, for example, and even the FCA in the UK, we've got them in there as well. We're growing. We're looking to add regulatory actions that have been taken by Chinese regulators as well, some of the Middle Eastern regulators, etc.


It's meant to be a one-stop shop where you can actually go in, get an idea, do some trend analysis, actually see the original orders as they were issued, the amount of fines, if those fines are applicable. It really gives you a sense of what is going on in the industry, not just at a country-specific level, but even at a global level.


Reggie Young:

Listeners should go check out Fintech Compliance Chronicles if they haven't yet.


I think the database point is really interesting, too. It's easy to sit around and think theoretically about legal and compliance obligations, but to actually see data and to have databases, it helps triage and prioritize the risk assessment stuff that we were talking about earlier, like of all the consent orders, what are the top issues that are actually most commonly cited. Great database for folks to check out.


Last topic, let's jam on Flex. I've seen a flurry of awesome fintech talent joining Flex this year, including yourself. The company seems to be becoming a bit of a center of gravity for fintech talent. For listeners who might not be familiar, what exactly is Flex?


Zarik Khan:

Without getting into the nuts and bolts, Flex is essentially a company that is helping consumers make their rent payments easier, and it's helping properties actually receive their rent payments in a more guaranteed fashion. The mission of the company is centrally to empower as many renters as possible with flexibility over their most significant recurring expense, which we think is rent. No matter who you are or how you're earning income, we think that everybody has the right to pay their rent in a way that really works best for them.


I would say as a company, I think it's a great place to work. It's got great forward-thinking leadership. Really, at the end of the day, we're making a commitment to serving both folks who are renters and also property owners with really innovative products. This is a company that is definitely growing. We're excited about the future. We're excited about the folks that we're partnering with, the folks that we're serving, and we are hiring.


I would absolutely encourage folks who see roles on our company website or on LinkedIn for Flex. Our website is getflex.com, because there's unfortunately a lot of tech companies out there that also have the title Flex. So getflex.com is a way to distinguish, which you can then link to our careers page. You can see all the various opportunities that we have available.


Reggie Young:

I would second that for listeners. I have a few friends and folks I know in fintech that reached out about, if I know any great companies hiring, Flex is always in the roster of places I'm pointing them to right now.


I know in the past, you mentioned to me that you think Flex's compliance function has been pretty successfully set up. Why do you think that is? More generally, what does a tactically successful compliance team setup look like?


Zarik Khan:

I think the piece about success as a compliance org, we did touch on that a little bit. But specific to Flex, I think why it's worked so well, it really has to do with, I think, the people and the vision. As a compliance function, we are technically, organizationally part of the legal team. It's legal and compliance. But the vision is set really from there with our chief legal officer, chief compliance officer, and then the folks that we brought in to deliver on that vision, to continue to evolve that vision so it doesn't stay static. These are folks from a variety of backgrounds. You have folks who are lawyers, folks who've actually done more operations. You've had folks who've done audits like yours truly. You've had folks who've worked in big banks, community banks, so different org sizes as well. Again, just different backgrounds and walks of life.


I think that has actually contributed to just a really well-rounded group of folks that have really come together to deliver on this vision and deliver it in a way where it's not just very binary. Coming back to that risk assessment point earlier, I think you almost need to have this multi-perspective view to be able to then crystallize what your ultimate view of risk is and ultimately how you think about things like regulations.


I would say success, really, why Flex in particular has been successful beyond just our leadership and the folks in our team, our company leadership is extremely supportive of compliance particularly. It's not just, oh, okay, hey, we've got a great compliance function, rah, rah, but actually, providing our team the support to make some of those hires that you talked about and actually back the compliance team with action and hold folks accountable for saying, hey, if compliance finds X, Y, or Z things, then we expect you to take it seriously and remediate those in due time as well. I think these are things that it sounds like, oh, yeah, it should be a no-brainer, but they're really not, frankly, in the industry.


Unfortunately, I think the reason why consent orders and so many things occur at times is where folks don't necessarily give the importance to compliance that it deserves. I would say, especially at a fintech, having leadership that does recognize that is a huge reason for the success of our compliance function.


Reggie Young:

Yeah, all the bank consent orders, this is bank level, not so much fintech, but I think one of the very common themes is, do you have a compliance officer who is actually listened to? The actually listened to part is clearly very emphasized over and over and over in these consent orders. Same logic applies to fintechs, I think.


Zarik Khan:

In big companies, most of these orders, they're directed to the board. You could argue that when these things happen, yeah, everybody shares some degree of responsibility when things go wrong, but the buck actually does stop at the top. That's where having that credibility but also getting everybody on board is very important. If that leadership of that company believes that compliance is important, then compliance is going to succeed. If that leadership doesn't think compliance is important, then it doesn't matter how great your actual compliance team is, you're going to have a hard time actually being meaningfully successful. Again, I'm just very grateful to have supportive leadership at Flex as a compliance function.


Reggie Young:

Yeah, it's an asset in the long run. It's interesting. It's a common theme I see among fintechs that are well run and growing healthily and in a stable place and in a kind of tricky environment. I think about Daniel Simon on the podcast. He talked about fleet payments and everything he's building over at Coast. He talked about compliance and legal being a super important early hire, early investment at both Bread and Coast, and that is part of the core philosophy almost. People don't think about it as a differentiator, but I think in the long run, it absolutely is.


Part of the reason I’m staying at Lithic is I see that from the leadership team here. You're right, it's not necessarily as common as I would like to see in the industry. So when you find companies that have that clear emphasis and support from leadership on the importance of compliance and legal, it's usually a good fintech to stick around at.


Last wrap-up question: is there anything you've been thinking about a lot lately that you think folks in fintech aren't talking about enough?


Zarik Khan:

Yeah. The two areas that have really stood out to me, and a lot of this comes from my occasional perusing of the CFPB's complaint database.


Reggie Young:

Just some light reading before bed.


Zarik Khan:

Yeah, exactly. These are maybe what I would say- you don't hear a lot about these in the articles and the podcasts and the news coverage, but they're very much in consent orders that are coming out against organizations. The two topics are credit reporting and collections. These are very core topics that should be operating successfully when you think about banks, when you think about fintechs, etc. For whatever reason, I think it's actually the amount of parties that are involved in both of these that make it difficult to be successful.


When we're talking about success, I'm just viewing it from the lens of a customer. When you're talking about credit reporting, if you look at the CFPB's database and see which entities or which companies have the most complaints against them, it's actually the credit bureaus. That shows from the consumer side, they're getting the bad experience. They will let the bureaus know about it. But ultimately, there also has to be some downstream involvement from the furnishing companies, many times are the banks and even the fintechs, for contributing to that poor experience that customer felt so compelled to actually go to the CFPB website and file a complaint.


I would argue a big part of that is, without getting into the nuts and bolts of credit reporting, the bureaus are using this system called Metro 2. Unfortunately, it's well over 20 years old. There was a previous version called Metro 1. I found that many people don't actually know that even Metro 2 had a predecessor. It's very, not just attribute by attribute, but in many cases, character by character, has to fit in a certain format.


Knowing that, I know there's some players in the industry that help to make that process easier, especially for smaller organizations. But just how much information flows through that process and then comes back from a consumer's perspective when you're talking about things like credit disputes or, oh, my credit report has wrong information and how and what regulated entities or fintechs are expected to do when they get things like a credit dispute from a customer or an indirect dispute from a bureau on behalf of a customer. There's a lot of complexity to that. There's a lot of parties that get involved as issues with credit reporting arise.


And then we're talking about collections. There, I think the interesting part is that, again, many times the issues there arise from the fact that, well, customers went into collections, and you have now a third party that's acting on your behalf as the original creditor. Just that experience, on paper, you would think, yeah, it makes sense that you're not supposed to be as the unfortunate- stereotype sometimes goes, like, oh, the shady collector is knocking on your door and is kind of threatening. That is absolutely against the law. FDCPA exists for that reason to prevent that.


But that's not usually why customers are upset about collections. It's more so just the way that a lot of sometimes system-related issues occur or not getting proper notices about certain steps of the process in terms of knowing when they can repay, payment plans potentially coming up not being on the up and up, and just technology not working the way it's supposed to. You think something's working, maybe your technology as the bank or the fintech is working great, but then the collections firm you're working with, they have some issues. Again, these are coming directly from customers, the people that these products are supposed to be servicing. This is not necessarily a regulator that is going overboard, but this is actually directly from people who are using these products.


I've been thinking a lot about these two topics lately. I do think that the industry should perhaps shine more of a light on what's going on in those spaces, more from a solutions perspective. You hear a lot about different solutions, at Finovate or a lot of innovative things there. But really, I would say it'd be great if we can get more solutions that focus on things like credit reporting, things like collection, to make it easier ultimately for not just the customer, obviously, which is the one complaining for both these topics, but also the fintechs and banks that are trying to serve them better, I think, have good intentions ultimately.


Reggie Young:

Yeah, I agree. I think those are two consistently under-emphasized areas of opportunity for innovation. It makes sense. It's wild how many complaints credit reporting really is. Folks think it's simple, think there's not going to- it's just, oh, you just send data, but there's so many backend operational obligations that are so easy to mess up. I've heard Metro 2 described as very brittle. It definitely has a reputation for maybe not being the best reporting system.


Awesome, Zarik. This has been a great conversation. If folks want to get in touch with you, learn more about Flex, or subscribe to your newsletter, which they all should go do if they're not already, where should they go?


Zarik Khan:

For Flex, you can go to getflex, one word, getflex.com. And there you can see the product, you can learn more about the company. If you're interested in joining us, you can see the open jobs and apply for any of those that you think you might be a good fit for.


As far as me, our newsletter is that long here, but it's fintechcompliancechronicles.com. That's all one phrase. That is where our newsletter is essentially published, the Substack version, if you will, which is essentially the same as the LinkedIn version, which is also where you can find me. If you look me up on LinkedIn, you can find the newsletter there as well. We have folks who prefer to consume the newsletter on Substack or the website, and you have other folks who prefer to consume it on LinkedIn. Either one of those places, we'd be grateful for you to check it out.


Also really, really enjoyed the conversation and just exchanging thoughts and insights.


Reggie Young:

Thanks so much for coming out, listeners. Again, go subscribe if you haven't. Zarik, this has been great. Thanks for coming on the podcast.


Zarik Khan:

Thank you.