From the Marine Corps to OnlyFans: advising on the front line, with Matt Reeder
We know that many of the best companies built in Europe are in regulated markets. But that comes with unique challenges in how to navigate regulatory rules and norms, often across borders.
Who better to give us a masterclass on this than Matt Reeder, who’s been legal counsel in both the Marine Corps - on the literal front line - and GC & COO at OnlyFans, on the regulatory and reputational front line.
FORM: Thanks for joining us Matt. Between being GC & COO at OnlyFans and a lawyer in the US Marine Corps, you’ve advised in two organisations that are both highly scrutinised and regulated, but in very different ways. Is there anything that the two jobs have in common that attracted you to sign up?
MR: Absolutely. I’ve always been drawn to high-stakes environments. It’s hard to think of two more serious issues than National Security on one hand, and online safety, and the safety of children in particular, on the other. It’s always really mattered to me that I make a meaningful impact on the world, and I really can’t think of many better ways to do that.
FORM: Legal and compliance are sometimes seen as enabling or supporting functions, but OnlyFans is a business where it seems to be a fundamental part of the business and its value prop. How does that change the day-to-day for the GC role?
MR: As a lawyer, I’ve always seen compliance, policies, and governance as the core structure of the business - like the frame of a house. The customer might never directly interact with it, but if the business gets it wrong, you’re going to have to change it, and like a house with a structural issue, changing it is a painful, costly exercise that could have been avoided if you’d engineered it properly in the first place.
This matters even more so for a business like OnlyFans, where the product value and operations are tied so closely to legal and compliance issues. It forces a different prioritisation. Obviously OnlyFans is obsessed with UX (user experience), just like every other tech company - but companies in other markets can sometimes get away with optimising for UX, while playing fast and loose with the infrastructure behind it. OnlyFans couldn’t do that. From day one we needed to be thinking about the legal infrastructure that needed to sit behind the UX, to ensure compliance, withstand scrutiny, and set us up for scale.
FORM: How do you think startups operating in sensitive or highly regulated sectors should prepare for their “head above the parapet” moment - when they meet the full force of media and regulatory scrutiny?
MR: The first mistake I see some founders make is they think they only need to prepare for this when the company hits a certain scale or gains a level of success. This just doesn’t apply in the digital world. It takes a single end-user to file one report on one hot-button issue with one regulator in the right country and suddenly the spotlight shifts - and if you’re not ready, it becomes existential, fast.
The upshot of this is you need to understand and anticipate regulatory touchpoints as early as possible - including the likely magnitude of any risks, and the probability of them occurring. Obviously if you have something high risk, high impact, you need to be dealing with it today.
What does preparing for this look like? Every day, everything I did from a legal and compliance standpoint, if it was market facing, I was coordinating with our Chief Comms Officer, so that when questions do arrive, our answers are consistent with the core strategy and values. Young companies might think mission and values are superfluous at the early stage, but life becomes a lot easier if you have thought this through. If you’ve done that, even if you do step over a regulatory line at some point, it will be the result of a procedural mistake, not because of a fundamental issue with your company - which regulators tend to view very differently.
FORM: OnlyFans is obviously a huge success across many geographies. How did you think about scaling such a sensitive, highly-regulated product across jurisdictions?
MR: There’s always the product question, which in a way is straightforward, because usually companies just won’t scale internationally until they feel they are ready on the product side.
But then there’s the regulatory feasibility question - how you deal with different jurisdictional approaches to your product. Sometimes you can identify a jurisdiction that is just a high watermark, and by complying with them, you comply with all jurisdictions. The tougher situation is where there is a straightforward conflict - where one jurisdiction says you must do X, and another says you must not do X. In these cases, there are three options: either you are going to willingly break the rules; you opt not to operate in one of the jurisdictions; or you have to offer different products in different markets. The business needs to proactively make that call.
FORM: And when it comes to building the teams and systems that you need in place to deal with this stuff - what are your lessons learned there?
MR: Especially when you’ve taken different legal approaches in different markets, you’re probably going to have to build out an internal team because you're going to have to walk and chew gum at the same time, operating entirely differently in different locations. What does that internal team look like?
In the tech world people talk about flat org structures, but that’s a slight misnomer because for these sensitive regulatory issues you have to have a hierarchy of responsibility or you lose the ability to have real accountability and you lose sight of who owns what. Instead, you need what we called in the Marine Corps “horizontal communication”. At OnlyFans I expected my team to build relationships with their counterparts in other functional areas of the business because, for example, a software developer can spot technical problems that a lawyer thinking about compliance would never see, and vice versa.
At the same time, you need to build up more stakeholder management resource, because every time you step into another jurisdiction, people like lawmakers and journalists and regulators become interested - and if you aren’t projecting your own message deliberately, they’ll just make up their own minds about you. You have to be ready to demonstrate to those regulators that the internal risk mitigation measures you have as a business are compliant with whatever laws exist and regulations exist in that country.
FORM: Thanks so much Matt, for a lot of lessons that apply across regulated markets. We can’t wait to see what high-stakes, meaningful challenge you take on next!
Hit reply with follow-up questions, suggestions of other technology or policy leaders we should interview, or get in touch if you’re building at the frontier of tech and regulation.