04 December 2024
From burden to breakthrough – how a fintech CTO turns regulations into opportunities
In a highly regulated industry like fintech, building a digital product can sometimes feel like stacking a house of cards. If your team is unable to respond to regulatory changes quickly, any modification in regulations might turn out to be a problem. How can you build something that will withstand the winds of constant regulatory change? Dennis Overbeeke has the answers.
The CTO vs Status Quo series studies how CTOs challenge the current state of affairs at their company to push it toward a new height … or to save it from doom.
“If there’s one thing that always keeps me awake, it’s keeping the Personally Identifiable Information (PII) of our customers safe”
Being a technology expert is not enough if you want to flourish as the CTO of a highly regulated company. Few industries can compete with finance when it comes to regulatory complexity, so Dennis Overbeeke is the perfect person to explain these challenges.
He’s the CTO of an innovative fintech company in the European Union, a region known for its legal complexity. During our interview, he told us about:
- how to ensure that your company can quickly adapt to new regulations,
- when to use third-party vendors and how to verify them,
- the single best way to think about compliance.
Find out how to turn regulatory burdens into business opportunities.
About Dennis & New10
Bio
Experienced CTO and senior IT leader in the FinTech space, specializing in building and scaling innovative startups and scale-ups. No challenge is too big for him: he has driven the success of digital lending platforms and other cutting-edge solutions and even taken over CEO responsibilities when it was necessary.
Expertise
Management, technical direction, cybersecurity, agile, team building
New10
A subsidiary of ABN AMRO, New10 helps entrepreneurs with easy and quick access to business financing. They make applying for business financing fast, simple, clear, and personalized.
New10’s vision
Arkadiusz Kowalski: Hello, Dennis. You were given quite a challenge this year – for a few months, you were the interim CEO of New10 in addition to your role as CTO. Could you tell me more about this role? Did you have a lot to learn in the early weeks? Was it unexpected? How was it for you?
Dennis Overbeeke: Hi Arek, thanks for having me! It was really interesting. Our CEO went on sabbatical and asked me to step in, which was both nice and a bit scary.
I’ve always been interested in areas outside of tech. I love to be a part of our management team discussions, not just the ones related to software or architecture. Financial goals, setting the strategy, marketing, risk and regulations – they all have been interesting topics to me for a long time.
Nonetheless, the experience broadened my perspective on the company. My understanding used to be focused on knowing how technology contributes to our company goals – now, I understand even better our bank’s perspective on what New10 can contribute towards their goals.
New10 helps companies secure funding. What are your main challenges going forward in 2024 and 2025 in this area – both from a technical and a more general perspective?
When New10 was created, the goal was to digitize a very traditional process. As a director of a small SME company looking for credit or a loan, you had to go through many tedious steps. But now, digitization is a commodity, so we must keep innovating and figuring out ways to improve our customer experience.
It can be difficult – we want to help people do things at scale, but at the same time we don’t want them to feel like they’re talking to a robot. So while we’re trying to innovate and figure out how to use new tech like AI, we can’t forget that we’re doing it to make our customers’ lives easier.
Another challenge is maintaining compliance with all new regulations in the financial industry, which never ends.
Compliance and regulations
I’m glad you mentioned compliance. The financial sector has always been highly regulated, so one could think that maintaining compliance is a trivial problem by now. Yet I’ve read a report that stated 93% of fintechs struggle with it. Why do you think that is?
Rules and regulations from governments, legislative parties, or centralized banks usually aren’t requirements but guidelines that must be interpreted. So you need to interpret the law properly, then figure out how to be compliant with your current technology setup and – even more importantly – how to stay customer-friendly while doing so.
A lot of compliance is about gathering more data. The easy solution is to burden your customers with more questions, intake forms, or onboarding steps. However, you should aim to solve it in a smarter way. And, of course, by the time you’ve figured out what new legislation means for your business, how to solve it, and what tech to use, there’s already something new you need to address. So, another challenge here is that you’re trying to future-proof your tech so that you won’t have to do an overhaul next year.
Some banks or fintechs succeed when they see compliance as an opportunity, not a burden. They look for opportunities to do things better than their competitors or even create entirely new products, propositions, or business models based on new legislation.
In a previous interview we covered TrusTrace, which uses AI and blockchain to centralize supply chain data and improve regulatory compliance. This made me think about using automation for compliance. Some call it a proactive compliance strategy as opposed to a reactive one where companies manually make changes to respond to new regulations. What’s your take on it?
Automation is part of the solution, but I think the more important thing is modularity and configurability rather than pure development. You can’t predict regulations ahead of time, but there’s usually a long time frame when you can tag along and see where things are going. With a modularized system, implementation is easier.
If you hard-code every eligibility rule or business rule, you will need to revise everything when something changes. Instead, you can make a decision engine where you change rules rather than having to update your code or platform each time.
What I’m hearing is that your tech should be flexible. What are other ways to make sure that you can quickly implement new compliance requirements down the line?
Early on, you need to figure out where in your processes you will have these regulatory decision-making points. We have to make decisions constantly on each application, so we try to build engines where we can have these decision rules configured.
It’s a scalable solution in the sense that when you get new rules, you just add them to your existing engine rather than having to build new kinds of checks and balances each time.
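One way to realize the configurable decision engine described above, as an added example that is not New10's code: eligibility rules live in a JSON rule set and are evaluated by a generic engine that records a per-rule audit trail, so adding a rule is a configuration change rather than a code change. The rule ids, field names and thresholds are constructed assumptions, not anything from the interview.

```python
import json
import operator
from dataclasses import dataclass, field
from typing import Any

# Constructed rule set (hypothetical ids, fields and thresholds). In practice this
# would be loaded from a versioned config store rather than embedded in code.
RULESET_JSON = """
[
  {"id": "kyc_verified",       "field": "kyc_status",        "op": "eq",  "value": "verified",
   "reason": "KYC/ID&V must be completed"},
  {"id": "not_sanctioned",     "field": "on_sanctions_list", "op": "eq",  "value": false,
   "reason": "Applicant appears on a sanctions list"},
  {"id": "min_trading_months", "field": "months_trading",    "op": "gte", "value": 12,
   "reason": "Company must have traded for at least 12 months"},
  {"id": "max_amount",         "field": "requested_amount",  "op": "lte", "value": 250000,
   "reason": "Requested amount exceeds product limit"}
]
"""

# Operators a rule may reference; anything else is rejected at load time.
OPS = {"eq": operator.eq, "ne": operator.ne, "gte": operator.ge, "lte": operator.le,
       "in": lambda a, b: a in b}


@dataclass
class Decision:
    eligible: bool
    failed: list[str] = field(default_factory=list)
    trail: list[dict[str, Any]] = field(default_factory=list)  # per-rule audit record


def load_rules(text: str) -> list[dict[str, Any]]:
    """Parse and validate the rule set before it can influence any decision."""
    rules = json.loads(text)
    for r in rules:
        if r["op"] not in OPS:
            raise ValueError(f"rule {r['id']}: unknown operator {r['op']}")
    return rules


def evaluate(application: dict[str, Any], rules: list[dict[str, Any]]) -> Decision:
    """Apply every rule to the application; every rule is evaluated so the trail is complete."""
    decision = Decision(eligible=True)
    for r in rules:
        actual = application.get(r["field"])
        # A missing field fails the rule rather than silently passing, so the engine
        # cannot be bypassed by leaving data out of the application.
        passed = actual is not None and OPS[r["op"]](actual, r["value"])
        decision.trail.append({"rule": r["id"], "field": r["field"], "actual": actual,
                               "expected": f'{r["op"]} {r["value"]}', "passed": passed})
        if not passed:
            decision.eligible = False
            decision.failed.append(r["id"])
    return decision


if __name__ == "__main__":
    app = {"kyc_status": "verified", "on_sanctions_list": False,
           "months_trading": 8, "requested_amount": 50000}   # constructed application
    d = evaluate(app, load_rules(RULESET_JSON))
    print(d.eligible, d.failed)
```

The audit trail is what makes a later regulatory review possible: it records which rule version saw which value, not just the final yes or no.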
Compliance and growth can be seen as opposing forces. But the way you put it, that we have to look at them as potential opportunities to move forward, is really interesting.
This is what defines fintech. Many fintech companies are challenging a very traditional industry, and they use tech to provide modern ways of solving constantly changing legislation and compliance issues.
It can be a neobank saying, “Hey, we don’t have offices anymore, so you can do everything from the comfort of your couch, and it’s all perfectly secure.” It could be those third parties that help with ID&V. It could be providers that can do a lot of checks and balances on KYC, or see if prospects are on sanctions lists.
Today, AI is a huge opportunity for financial services but it also brings its own problems. Will we all solve them ourselves, or will we have new fintechs that provide AI in a compliant, secure, and transparent way to be used in the financial services industry? Time will tell.
Do you do all of that in-house? Some say that you shouldn’t outsource your core competencies if you want to protect your IP. Would you say that compliance is one of those core competencies of fintechs today?
It’s nuanced.
You could outsource certain aspects of compliance to SaaS solutions or third parties – but it’s you who’s going to be held accountable. You can’t outsource accountability. That’s why fintechs or banks prefer to keep that in-house.
There’s also the question of experience and expertise. You have to decide whether to make something, buy it, or outsource it.
We also have a special fourth option – being the subsidiary of a bank, we have shared capabilities. When we have to do something new around KYC, decision-making, eligibility rules, or risk assessments, we often use the skills, expertise, and shared capabilities from the bank. They’re really good at it, and that’s why they exist. And when we want to improve on the bank’s traditional approach, we can choose to build something ourselves.
Entering new markets
One of our recent guests, based in the Netherlands, told us about the challenges of expanding into the German market. They assumed it would be relatively easy given the fact that they were neighboring countries and both members of the EU. However, there turned out to be many compliance and culture-related challenges involved. Do you think internationalization is a problem that technology can solve in the fintech context?
I’m not sure. We have firsthand experience with cross-border ideas and experiments. Even within the EU, each country implements regulation differently. For example, in the Netherlands we do Identification and Verification (ID&V) – we need to know who our customers are by scanning their passport, taking a selfie, and doing an automated liveness check. We can verify them remotely.
In Germany ID&V is done through video identification – you need to ‘see’ the person on the other side. You can still do it remotely, but it has to be a videoconference involving real humans. If a company has mastered expansion across the EU, they probably have technology that solves this. So, when we use third-party vendors, we don’t just look at their solution in the Netherlands, but also if it can be transposed to other countries.
Technology can solve cross-border problems, but you can’t be lazy and expect a ready-made, easy solution here. You have to think about it a lot.
On a global scale, what would have to change for internationalization to become easier in the future?
It would be great to have industry-accepted digital identities that work globally or even just in the EU. Customers could then easily work with different companies in different countries, and you, as a provider, would only need one way to do ID&V.
Apart from digital identities, standardized and uniform industry-accepted KYC would be great as well. Not just knowing who the customer is, but knowing about the company, knowing their history of transactions and companies they work with.
Increasing the number of internationally accepted regulation standards and implementations would be an enormous help for fintechs that want to expand to different countries.
AML & KYC
I know that AML and KYC are particularly important elements of a compliance strategy, because you need to ensure that your clients and business partners are trustworthy. What do you think are the biggest technological changes in this area in 2024 and 2025?
AI is the obvious one. More and more data is being used to make KYC and AML decisions. Regulatory and compliance demands keep adding checks and balances that we need to do as the gatekeepers of financial services. We need to connect more data sources with more complex decision-making, and AI could help with that. The problem is that we don’t know how long it will take for AI to become an accepted solution. It introduces new challenges with hallucinations, trustworthiness, or auditability.
With transaction data, we always think in chains – one company makes a transaction with another, that one goes to another, and so on. Companies have many connections. Some are simple legal entities, others are part of a group of customers, and involve a lot of natural persons that need to be identified. Having a digital way of connecting all of those things together would help. This could be blockchain or something else that ensures you can trust data that others have already collected.
That’s the thing about the financial industry – we’re all solving the same problems. If you want to switch banks, you will have to do KYC and AML all over again. Right now, there is no way for a customer to say, “Bank A already verified me, could you use their data to verify me?”
And what about third parties? From what I know, there are some that offer robust KYC solutions. Is it possible to automate the process entirely?
Yes, I think we will be able to automate it entirely. However, without standardized international regulations, you currently can’t outsource the whole process to a third party. I think every user of a third-party KYC automation solution would still like to have their own business rules and their own decision engine.
In practice, the need for human intervention here boils down to the 80-20 rule. 80% of KYC could be automated, but there are always edge cases that need to be double-checked or re-interpreted by a human.
So, humans will always be needed in this process?
I think so, yes.
My previous startup, Blanco, provided a digital onboarding solution – KYC, ID&V, and customer profiling. However, everyone wanted to be able to provide their own decision-making in the tool. Everyone had a different way of thinking about legislation or profiling the risk appetite of certain customers.
If vendors want to get more customers here, I would say that they need to allow their customers to customize the solution.
Data privacy & AI
I’m curious how you approach sensitive user data. Tech can go a long way in protecting the clients of financial institutions and fintechs. What are some threats that you’re especially concerned about regarding sensitive user data?
If there’s one thing that always keeps me awake, it’s security and keeping our customers’ Personally Identifiable Information (PII) safe. We’re forced to store more and more information each day.
In the past we stored a bit of information in one system, now we store a lot of information across many systems. Each system needs its own security – the right data classification, the permission systems, access control and so on. And we’re not even talking about hackers yet, just trying to decide who should have access to which data.
Then, there are retention policies, with GDPR being a very important piece of legislation in the EU. How long do you have to store your customer’s data? Are you 100% confident it will be wiped once you are not allowed to store it anymore?
Some companies go to great lengths to anonymize user data before using OpenAI or other proprietary LLMs. Do you see AI as a potential threat to privacy?
I don’t see AI as a threat to privacy, at least from my company’s view. But we need to be aware of where we push our data. I think nobody in financial services, be it a big bank, a fintech company like New10, or a neobank, would say, “Oh yeah, let’s use the public OpenAI model to run some business decisions on our customers’ data.” I think we are all implementing a secure and compliant AI implementation that fits our requirements.
The reason is that everyone is afraid of two things: that PII will leak to a third party and that we might leak certain strategic information to the outside world, and proprietary models will train on it.
Nonetheless, there are a lot of possible solutions with your own hosted models or masking data before sending it.
What are some other requirements that third parties need to meet if they want to cooperate with a fintech that works in this tightly regulated sector?
It’s different for every company in financial services, but I’m 100% sure that all of them have third-party risk management. Risk is very specific to your company, and everyone has a risk appetite. Within that appetite, you determine the rules and regulations and the requirements for your third-party vendors.
It might be on the tech side, like what kind of encryption you’re using, or on the business side – what kind of processes you have in place or what subcontractors you are working with.
There are a lot of strict rules on third parties that we can use, but they don’t have to be a blocker. If we want to use a new vendor, we do a Change Risk Assessment (CRA). Doing a CRA on a third party tells you that we have requirements for each third-party vendor that we want to integrate or work with.
Innovation
Because compliance can take a lot of effort, even if you do use a lot of technology to achieve it, it’s still a continuous struggle. As a fintech, it can deter you from innovation. So how do you strike a balance, not letting the compliance issue hold you back, but not compromising on it either? How do you use data for innovation in a way that is still fair and competitive?
As I mentioned before, we can be most successful when we see opportunities instead of burdens.
Take the Payment Service Directive (PSD2). I think a lot of banks were struggling with it because they had to open up their systems. Sometimes, even traditional mainframe systems had to provide APIs so that third parties could collect transaction data.
But I think it shows that it can also help solve AML or KYC problems. We use these PSD2 connections in a very client-friendly way. We say, “We need to review your transaction data, we need to know which countries you’re dealing with, we need to provide a risk profile, we need to do a risk and credit assessment. Can you provide us with all that information?” – but we can do it at the click of a button.
Fintech in a highly regulated sector – wrapping up
It’s a continuous struggle. To sum things up and given all we’ve talked about today, what do you think are the most important takeaways to remember for the CTO that faces fintech compliance challenges?
The first big thing is: don’t see compliance as a burden. It’s a necessary part of being a CTO in financial services.
Secondly, see how technology can help you solve compliance and regulations, and try to go one step further – see how rules and regulations can open up new opportunities and possibilities to apply technology.
Resources
Can you share some resources for our readers who want to learn more about regulatory challenges in fintech or in general, something that you would recommend for anyone working as a CTO or tech leader in the fintech industry?
I read a lot of books on tech, management, and business in general. My favorite is still Essentialism from Greg McKeown. I read a lot of articles from places like HBR or Medium and I am subscribed to a few newsletters for inspiration, such as CTO Craft.
When it comes to podcasts, I like FinTech Insider, Leaders in Finance, Modern CTO. I’m now hooked on a Dutch Podcast on Artificial Intelligence.
What’s next? 4 priorities for fintech CTOs to uphold
Building a company in a highly regulated industry like fintech requires a unique mindset. Technology is just one piece of the business puzzle when you have to navigate complex, continuously changing regulations and balance them with innovation, growth, and customer experience.
Here are the most important considerations for fintech CTOs, according to Dennis:
- Instead of looking at it as a burden to deal with, look at compliance as an opportunity to create new products, offerings, and even business models.
- Always be aware of where you’re pushing your data to avoid leaking your customers’ PII and your in-house IP – be particularly careful if you want to use proprietary LLMs.
- If your company is planning to expand internationally, you have to make sure your tech will be compliant with different regulations in your target countries.
- To easily and quickly adapt to changing regulations, you should design your system to be modular and configurable.
With that framework in mind, you’ll be able to see any challenge on your way as a new opportunity to make your fintech company stand out.
Do you want to find out more about how New10 helps small and medium-sized companies get funding?
Check out the website for resources (Dutch only).