top of page

FinTech compliance and security readiness

A compliance requirements list for working smarter, not harder.

Did your Sponsor Bank, your Processor, or one of your key partners, send you a long list of Policies, Information Security requirements and Regulatory Compliance processes that they expect you to have in place before you go live with your financial service?

Don’t panic! This is not as daunting, nor as much a distraction as it may seem:

  • These requirements will make you a better company and will reduce your own risks;

  • The list may seem long, but many of the needs can be regrouped into fewer items, and most policies and processes are common to several regulations and standards;

  • Specialized companies can deliver a majority of what you need faster and cheaper than you would achieve on your own thanks to their experience and economies of scale;

  • Wouldn’t you want to perform information security evaluations anyways, to reassure yourself, your customers and your investors?

The bank or partner which sent you their intimidating onboarding / due-diligence checklist is expecting your company to understand its compliance and security obligations, its operational requirements, and to organize and operate accordingly.

Q: Why did the bank not give you a nice set of ready-to-complete templates for what they want to obtain from you anyway?

A: Precisely because they need to make sure that you understand and know what you are doing; so, giving you their own templates would be like giving you a “Cheat Sheet” to their own test.

We have seen many due diligence and compliance requirements lists from many banks before. To help you work smarter, below is a compilation of the most frequently requested items, with indicators of how frequently they are demanded by sponsor banks.

Highlighted in pale green are 7 items that everybody should start with, commented on which ones can be regrouped into single documents, and mapped the policies and security evaluation requirements to the 3 most common standards: PCI-DSS, SOC-2 and ISO27001.


bottom of page