Maha El-Dimachki: "I don’t want fintechs to lose their agility"
The FCA's former Head of Early Oversight on building regulated fintech startups
In the UK, more unicorns have been built in fintech than in any other sector. It’s the source of so many startup successes yet also, critically, one of the most complicated and mature regulated markets that exists. Scaling a company in such a rigid environment isn’t an obvious task: at Form, we believe in the craft of building in a regulated market, with different founders taking different paths depending on their product, customer base and appetite for risk.
While the granular detail of the FCA Handbook is rarely attention-grabbing, the trade-offs and opportunities of regulatory strategy are often overlooked as a source of competitive advantage for founders. So it was a delight to sit down with Maha El Dimachki, formerly the FCA’s Head of Early Oversight and now head of the Singapore Centre at the BIS Innovation Hub, to discuss her new book, Fintech Regulation in Practice. Tracing a startup’s full regulatory journey, and featuring case studies from companies like Truelayer and OakNorth, the book unpacks the complexities of building in financial services to provide a practical handbook for founders.
While our conversation focused on UK fintech, there are lessons here for any founder building in a regulated space.
*N.B. All views expressed are Maha’s own + don’t represent any other organisation/entity*
Maha’s advice for fintech founders:
In the early days, startups live hand to mouth, focused on fundraising and attracting customers. But don’t underestimate how leaning into regulation and risk management can be a source of competitive advantage, helping you to secure large clients and avoid ‘regulatory debt’ down the line. Equally, don’t lose your agility: build a culture that allows you to spot risk quickly, without becoming ‘over-governed’.
Leverage sandboxes to your advantage, but don’t just enter them to get the badge. It’s a cost and resource to your company: make sure you understand what applies to you and how it might work, and whether it’s really to your advantage. Look around for any accelerators or investors who can support on regulation as well or instead.
Understand the different language and incentives of regulators before engaging. They’re primarily focused on risk and consumer protection, and often expect founders won’t be mature enough or won’t have thought about regulation properly. Doing your homework up front can ensure the relationship starts off on the right foot.
Try to hire strategic risk talent, not just box-ticking compliance managers. Leaders who can set the right risk tolerances that are acceptable to you as an organisation, and then empower people to make decisions within that, are much more effective — but there’s a huge shortage of these!
Make the overlap of interests of your key stakeholders — customers, investors and regulators — as wide as possible, and be prepared to invest in your back office to support the longevity and sustainability of your business.
Full interview with Maha El-Dimachki:
FORM: At the FCA you were Head of Early Oversight, so you supervised companies just as they’d been authorised, and also as they were really starting to scale. Can you give us a sense of how regulators think about the regulatory journey and what they’re expecting of firms at different stages?
ME-D: The starting point for me is the difference between how a regulator thinks and how an entrepreneur or innovator thinks. That was stark because when I joined the regulator, I came from industry. Entrepreneurs think about how to seize the opportunity, how to move quickly to grow market share, etc. whereas regulators start from risk and risk management. They think about market failure, competition, asymmetry of information and free riding. Now regulators are also forced to care about social issues. They need to think about equity, inclusion, diversity, financial inclusion, environmental issues. The lines are blurring for regulators as well. Some of the rules are quite difficult to navigate, and this is where this miscommunication comes in.
In the book I do a primer on what regulation is. Whilst people intuitively know that it's important, everyone's got a different perspective. What I found is that innovators don't necessarily think of risks up front, because they are busy building their business. They are busy worrying about where their funding is coming from, how they're going to attract customers, etc. What I'm advocating is that they should start thinking about this. If innovators think about their risk taxonomies, what are the key impact areas and how do they mitigate those risks, that will change as a dynamic over time, usually that ties in quite nicely to what is expected of them from their regulators.
There’s still a strong sense in tech, maybe more outside of fintech than within it, that regulation is just a barrier and constraint — that it’s incompatible with startups’ need to move quickly. On the other hand, regulators will say that their main objective is consumer protection, not startups’ freedom to move quickly. Clearly the two sides are coming with different languages, vocabularies and incentives. Have you seen mistakes where startups or regulators haven’t approached this relationship in the optimal way, where they’ve got off on the wrong foot?
Yeah, that's inevitable. I don't necessarily think it is widespread, but I do think entrepreneurs think regulators don't understand, while regulators think entrepreneurs aren't mature enough or aren't thinking about these things.
I’d say there's frustration at times rather than distrust. There's a lot of short term thinking as a startup because you're kind of hand to mouth a little bit at the beginning, aren’t you? So it's the maturity to think beyond that and start to think about how you embed it in your business.
I've seen examples where entrepreneurs have probably gone a bit too far and regulators need to rein them in. I've seen it personally, when I authorized and regulated firms where it’s just a box-ticking exercise. They really put it as an afterthought — “let's just get this out of the way and let's work on building the business”.
And then on the other hand, regulators don't necessarily understand the market and they might go too far. I would argue that there's a lot of tension at the moment in this whole concept of consumer protection. And when the regulator is perceived or is seen to be going too far, the market also can respond and say “we respect regulation, we've always had a good relationship, but now it's the right time to speak up”.
Now that is relevant for regulation that's in place for existing technologies or business models. But then imagine new technologies coming, where a lot more dialogue needs to happen. There I think the tension is helpful, in that regulators don't have all the answers and neither do entrepreneurs and innovators.
I've seen examples of both sides, and tension is good. I don't think we should see it as somebody's failing or making a mistake.
There’s another angle here I think, in that many fintech founders today have a fairly mixed experience with regulators — and it's less about whether regulation goes too far, but more about how the organisation works generally. So we’ve been arguing that we need to fix the resources, rules and risk appetites of regulators to enable innovation. When have you seen regulators work particularly well to support innovators?
I think the sandbox has worked really well, but sandboxes have to be targeted and there was a time at which everybody wanted to be in the sandbox. It's a resource and cost to the FinTech to actually be in this. Do you really want to be in the sandbox? Don't just be in a sandbox because it's a cool thing to do, it’s not just a badge. So I'm a fan of the sandbox as long as it is targeted to what it's mean to achieve.
The other thing is whether these sandboxes, in isolation, are really helping. I would much rather that, if there's an accelerator program, you have a regulatory sandbox as almost a module, that it’s integrated in how the startup is actually building its business and embedding that conduct culture at that early stage. So you don't have to necessarily apply separately to a sandbox and use all of your resources there as well as using resources elsewhere.
From the regulators’ perspective, the problem you have — and this is a problem with regulators all around — is the resourcing and capabilities. It's not necessarily a very high turnover environment, so how do you balance the talents that are needed for these new technologies within regulation? The danger you have is that the sandbox staff at the regulator know it all, but it's never been transferred to the rest of the organization. These firms are loved when they're in the sandbox and then they go off and do their authorisation and it's like hitting them with a ton of bricks.
I would say though — and I say this in the book — that if you're going to go into the sandbox, you have to do your homework. You have to have at least made an attempt of understanding what regulation applies to you and how it might work. It’s the same when you're willing, ready, and organised to submit your application for authorisation— you need to have demonstrated that you have done your homework, you haven't just left it to a compliance company.
To that end, at Form we think a lot about regulatory as a core competency for startup. A good internal policy & regulatory function can be a source of competitive advantage: being ‘good’ at it can help you get approvals quicker than others or avoid building up ‘regulatory debt’ — which we’ve seen delay the plans of even very large fintechs. How have you seen companies’ approach vary? Are there any particularly good examples to be followed?
There are several case studies in my book, including Insignis Cash, where the founders needed to go from directing massive teams at large financial institutions to getting under the table and wiring the computers, etc. They understood that regulation was important because their customers were large banks who were directing funds through their platform. So being regulated, and showing they were adhering to regulation as if they were a large organisation, was a really good thing.
OakNorth was another great example. They had a really good compliance function and had to change their risk management based on how the company was growing. They actually talked about how they got a point where they felt like they were over-governing themselves, so they sat back and said “we can’t lose our entrepreneurial spirit”. And this is what I keep saying: I don’t want fintechs to lose their agility, I just want them to embed risk management in their mindset and culture so they spot things quickly. The flip side of regulatory debt is regulatory capital: if you have the right engagements and put the right resources in from the start, you can then avoid directing all your resources into lengthy remediation later on, which is much harder to untangle in your organisation.
All of the case studies in the book show how successful companies who are doing very well, have gone from startup and they’re either scaling or reaching that level of maturity where they’ve embraced regulation in a really practical way.
But it’s also important to mention the critical shortage of talent in risk management: I don’t mean people who just read the fundamentals, I mean people who understand how risk is a strategic function in an organisation, how to set risk tolerances, empowering people to make decisions within the boundaries that are acceptable to you as an organisation. That’s a fundamental function that you need for good governance and good decision making, and we don’t have compliance functions that do that. We have compliance functions that tick boxes, that are too scared to get you to talk to the regulator. There’s a shortage of really good strategic risk managers.
Your new book digs into the practicalities of fintech regulation and covers strategies to navigate it. What are the most important lessons for fintech founders to take away?
The book is for the whole ecosystem, but I have a chart that has the three key stakeholders: customers, investors and regulators. If you can make the interests of those stakeholders overlap as wide as possible, then you’re doing the right thing.
The other thing is front office running away from back office: always think about how your back office can support the safety, longevity and sustainability of your business.
Maha’s book, Fintech Regulation in Practice, is a practical handbook, featuring case studies and advice about the lifecycle of building a regulated fintech startup. It’s available now:
Hit reply with follow up questions, suggestions of technology or policy leaders we should interview, or get in touch if you’re building at the frontier of tech and regulation.