How to Create a Lender’s Regulatory Compliance Blueprint

From a regulator’s standpoint, it makes good sense to scrutinize lenders, especially those that use online channels for account origination, funds transfers, and payments processing, as this niche isn’t yet as well-controlled as brick-and-mortar businesses. That’s why it makes equally good sense for lending professionals to hardwire regulatory compliance into their business model and product design. Savvy lenders are learning to leverage compliance as an asset, instead of treating it as a necessary evil.

It takes the right kind of tools to develop and implement an effective regulatory compliance program. This white paper includes a 7-step plan to help digital and alternative lenders create a comprehensive regulatory blueprint: a working document that can be used to manage an in-house compliance department or an outsourced compliance consultant.

When we finished writing this piece we understood that it’s way too big and way too complex to just be a blog post. So we’ve significantly trimmed it to publish on our blog and will be giving out the full version in the form of a white paper. So, for now, let’s get to it.

Building a strong regulatory compliance foundation as a digital lender

A strong regulatory compliance program supports strategic, long-term growth. It can increase profitability, improve workflows, and reduce potential regulatory issues. In addition, it can protect a lender from the financial and reputation risks associated with a weak compliance infrastructure.  

It’s no secret that the Consumer Financial Protection Bureau (CFPB) in the US, and the European Banking Authority (EBA) in the EU, are targeting lenders. Proactive regulatory compliance management is doubly important for digital and alternative lenders because our landscape changes so quickly. Consumers are fickle. New products and technologies are released constantly. And new regulatory rules are issued on an almost daily basis. The emergence of open banking will probably accelerate the process. However, a solid regulatory compliance foundation will ensure your organization remains on firm ground, even as the marketplace evolves in ways that could never have been anticipated.  

Risks of a weak compliance foundation

A weak regulatory compliance foundation creates several tangible and intangible risks.

Tangible risks tend to be financial in nature, predominantly monetary penalties for non-compliance issues.

Intangible risks are more complex. Some examples are reputation risk and process inefficiencies. These intangible risks often convert to a tangible, quantifiable financial risk in a two-step process. Reputation risk, resulting from negative press or social media backlash, can:

  • Tarnish brand image
  • Erode consumer trust
  • Eventually, reduce sales revenue.

In addition, investors could decide to withhold capital funding just when the company is about to enter a growth phase.  

How to create a regulatory compliance blueprint

Regulatory compliance rules are often complex, which can make compliance program development and implementation an overwhelming exercise. A good first step is to create a blueprint that will guide your task-level activities.

Here’s our 7-step plan:

  1. Assign ownership, and fund the program
  2. Map the touchpoints where consumers interact with your business
  3. Determine the regulatory guidelines that apply to your business
  4. Publish written policies and procedures
  5. Launch the compliance program
  6. Monitor and update on a regular basis
  7. Leverage regtech software, and outsourced compliance resources

1. Assign ownership, and fund the program

Start by assigning a director to own the regulatory compliance function. This is an oversight position with executive authority. It should be a CCO (chief compliance officer), or a senior manager who reports to a C-suite executive like the CEO or COO.

A formal program will telegraph to employees and regulators that regulatory compliance is a serious consideration for this lending operation. It’s not just an exercise in checking the boxes and satisfying the minimum requirements. Stated another way, the program procedures and launch communications will tell employees and regulators whether to take the program seriously or not.

2. Map consumer touchpoints

Regulatory rules are designed to protect consumers. Therefore, the basis of your compliance program will be the touchpoints where prospects and customers interact with your company.

The customer journey starts with the advertising campaign that attracted the prospect to your lending operation. Then it continues through a number of potential stages depending on credit review policies, account onboarding, funds delivery, and ongoing customer communications.

Review your revenue model, including all interest rates and account fees. Review the product features, including technical support, customer service communications channels, and customer service messages. Review the funds transfer processes, information security, transactions tracking and reporting, and account penalty fees. And finally, review the processes for managing customer complaints, and the processes for detecting and managing fraud and unauthorized activity access.

3. Determine applicable regulatory agencies and guidelines

In order to determine the regulatory agencies and rules that govern your lending operation, you’ll need to conduct an internal and external review.

During the internal review, you’ll examine your business model, revenue model, business plans, marketing plans, ad campaigns, product design, technology platform, operational processes, consumer touch points, and geographic markets. Be sure to consider the launch phase, as well as a growth phase with new products and expansion markets.  

During the external review, you’ll determine the regulatory agencies that govern your business, as well as all applicable rules within each agency. For example, in the US the CFPB oversees a wide range of lending activities, and the Securities and Exchange Commission (SEC) has a Cyber Unit that oversees Internet-related activities like online advertising and digital funds transfers. Lenders in the US must comply with all applicable federal regulations, as well as state regulations that govern in the geographic areas where a borrower lives.   

4. Publish written policies and procedures

It’s important to document and publish your compliance policies and procedures. Such publications ensure that every employee understands the importance of regulatory compliance, as well as the individual tasks they need to perform in order to administer the program.

Regulatory agencies typically read these documents as the first step in their audit, because it’s an efficient way for them to identify compliance gaps. Well-written, comprehensive policies and procedures can be a lender’s best defense because they go a long way towards gaining the auditor’s confidence and pre-empting a more intense examination.

Your compliance publications should include a Standards Overview and a Policies and Procedures Manual.

Standards overview  

The Standards Overview functions at a strategic level. It provides an overview of the company’s compliance mission, objectives, and requirements. And it clearly directs all employees, consultants and third-party vendors to adhere to these standards. It defines ethics and integrity and uses them as the guiding force behind task level procedures. It states the company’s commitment to comply with federal and state standards, and it goes a step further. It commits to maintaining a high ethical position, even when government guidelines don’t provide a clear directive on every potential situation.

Policies and procedures manual

The Policies and Procedures Manual functions at a tactical, daily-task level. It provides details on each separate component of the overall compliance program with appropriate examples, and it includes templates for worksheets and reports. The different components of the compliance program will track directly to the areas identified in the consumer touchpoints map (outlined in step 2).

5. Launch the compliance program

Give your compliance program launch the same care and respect you’d give to a new product launch. Don’t just post an off-the-shelf training manual in the company online resource library. Think like a marketer, and create a campaign that uses both oral and written channels in a series of integrated communications.

The training sessions should be offered at regular intervals for new employees, or as a refresher for current employees. Employee training is an area that can be outsourced to a professional learning center. The modules could include direct training sessions for task level employees or train-the-trainer sessions where human resources managers are instructed to lead the learning program.

6. Monitor and update on a regular basis

Regulatory compliance isn’t a set-and-forget program that can run on autopilot. Your program must be monitored and updated on a regular basis, as regulatory rules change in response to new technologies, new products, and changes in the political landscape.

Monitor regulatory changes

Your compliance team will need to stay on top of these changes, by monitoring regulatory agency platforms where new guidelines are published. According to a Thomson Reuters report, financial governing agencies worldwide publish more than 200 new or updated rules every day. This same report goes on to say that the typical compliance officer spends 31% of their time tracking, analyzing, and reporting on policy changes. It’s easy to see how this function can be time-consuming. Regulatory technology (regtech), or an outsourced compliance resource, can manage this task far more efficiently and cost-effectively than an in-house, manual process.

Update policies and procedures  

Financial governing bodies mandate a variety of compliance procedures that may require regular testing. For example, all money service businesses (MSBs) in the US are subject to the Bank Secrecy Act (BSA). This act includes a directive for a written anti-money laundering (AML) program with annual auditing and testing.

Your Policies and Procedures Manual must include formal guidelines on how to update your compliance program. The manual should also include the process for distributing notifications and outlining any additional training requirements. Proper employee notifications and training will ensure all changes are clearly understood and implemented on a timely basis.

7. Optimize using regtech software and outsourced compliance resources

A regulatory compliance program can be expensive to develop, launch, and maintain. That’s why regtech software, and/or an outsourced compliance consultant, can be cost-effective solutions for many lenders. According to a recent business survey, 25% of financial companies outsource some or all of their compliance function. Outside resources can increase a lender’s regulatory compliance expertise, reduce manpower, improve process efficiencies, reduce costs, and increase regulatory program performance.

Outsourced compliance resources   

Many lenders outsource all or part of their regulatory function to a compliance consultant. Outsourcing is a great way to leverage someone else’s time and expertise. It boosts your creative juices and helps you focus your best energies on innovation and long-term growth strategies.

It’s important to choose a consultant that specializes in your particular type of lending, and in your geographic market. An outsourced resource can deliver a one-time consultation, ongoing on-demand fractional C-suite support, or a fully managed compliance department complete with CCO.


Fintech-driven lending is a financial category that’s exploding. The media attention is intense, but so is the regulatory scrutiny. It’s the job of the regulators to protect consumers from potential harm. That process starts with a strong regulatory compliance program.

Successful lenders in the digital age will embrace the compliance function. They’ll see that a solid compliance foundation can ensure long-term business health and profitability. They’ll learn to leverage compliance to optimize their business model and product design prior to launch. And they’ll use smart resources like regtech and outsourced compliance solutions to make the process more efficient.  

Next steps

One of the best ways to implement a lender compliance program is to leverage LaaS software with built-in regulatory compliance rules. These fully managed, cloud-based lending platforms are regulatory compliant out-of-the-box, customized to meet local market rules, and updated on a timely basis as new regulations take effect.  

If you’re exploring regulatory compliance options for your lending operation, then it’s time to request a TurnKey Lender Free Trial.  
