Let’s talk about working with compliance as a Product Manager. Whether you are a Product Manager or you aspire to be one, you will come across the world of compliance and risk management. This is especially important in industries or domains that require heavy regulation.
For example, financial services, healthcare, medicine, food, etc. are all heavily regulated.
While you are not expected to be an expert in compliance and risk management, you are expected to understand what this means for the product and for the business.
How does this really work? Let’s begin by first understanding the levels of compliance.

Number 1: Company-level compliance
At the very center, you will have compliance rules at the company level. These are guidelines that the company itself chooses to abide by and defines as standards to adhere to. They become your compliance rules.
For example, “We do not want to sell our products to people under 18 years of age.” That’s a compliance guideline set by the company.
Another example might be: “We do not wish to sell in a certain country or continent.” This means that when a user tries to access your product from that country, they need to be blocked or restricted.
Number 2: Country-level compliance
The next level is the compliance guidelines applicable in the country you are based in. For certain industries, each country sets up a body of rules and regulations for the safety and benefit of its citizens.
Let’s say you are headquartered in the USA and you wish to sell medicines online. The USA might have a regulation that requires certain medicines to be FDA-approved before they can be sold online. It is your responsibility to ensure that your online store cannot sell those specific medicines unless they’re FDA-approved.
Let’s take another example. Imagine you’re in the financial services or fintech sector in India. One of the rules for international transfers might be: “You cannot transfer more than $10,000 in a single payment.” If your product offers an international payment transfer feature, you have to enforce that limit in the product itself, so that a user cannot send more than $10,000 in a single payment.
Number 3: Compliance in country of operations
Suppose you are based and headquartered in Singapore, but your products are sold in the USA. Then you must also comply with US regulations.
Being compliant in Singapore alone is no longer sufficient. You must be compliant in your home country and in every country you sell your product in.
This is where many junior PMs make a mistake. I made a mistake too. I assumed that our product was ready for global expansion, only to realise later that I needed to be compliant in each new country that we expanded to.
Number 4: Global or Domain-specific compliance
Finally, there may be compliance rules specific to your product’s domain or applicable globally. For example, the OFAC (Office of Foreign Assets Control) in the U.S. publishes lists of sanctioned countries, organisations and individuals. The OFAC is a financial intelligence and enforcement agency of the United States Treasury Department. Although it is a US agency, its sanctions lists are widely used by fintech companies around the world.
Why is this important? International payment transfers are very risky. People send money for all sorts of wrong reasons. While there are multiple ways to prevent fraud, one way to detect it is to screen sender and receiver details against such lists. If the receiver is a criminal organisation that appears on the OFAC sanctions list, payment apps block the payment.
Similar to OFAC, there will be other global bodies relevant to your product’s sector, and you need to be aware of them.
Why do we need a Compliance team?
Most companies will have a Compliance team. They have titles like “Compliance Officer”, “Risk Analyst”, “Compliance Manager”, “Fraud & Risk Analyst”, etc. People in these roles bring deep domain knowledge. If you are part of a company that does not have a dedicated Compliance team, talk to your managers or core team and establish who the key decision-maker is.
Here are 3 reasons for having a dedicated team:
- Awareness of the implications of non-compliance: This is by far the most important reason. A company should be aware of all possible implications of not complying with rules and regulations. The implication can be as small as a minor fine or as big as a multi-million dollar court case. It is the team’s responsibility to understand and break down these implications and ensure that the product is compliant. They work with the Legal team to ensure that the company’s interests are protected at all times.
- Keeping up with the authorities: Regulatory authorities continuously make changes to the policies and issue new guidelines. This team knows the right place to get the latest updates and make sure they don’t miss out on critical updates.
- Understanding the legalese: If you have ever seen a guideline or a document issued by a regulatory body, you know how incomprehensible it can get. With their experience in reading these complex documents, they are able to decode them much faster.
You might think this all sounds very trivial. But in reality, it is not nice to get police complaints and legal notices.
What is the Product Manager’s role if a Compliance team exists?
The Compliance team’s focus is to protect the company’s interests at all costs. This means that at times the Compliance team will seem like a blocker. They will want to impose all types of restrictions. While some requirements are non-negotiable deliverables, others might be negotiable. Let me explain what I mean by negotiable with an example.
Suppose you are in Fintech and your app allows people to send money from their account to any person anywhere in the world. Now, imagine a regulation that says, one person in Country A cannot send more than $10,000 to another person in Country B in a month.
Your Compliance team could say, “let’s block all transactions between Country A and Country B on our app.” This is the most restrictive interpretation of the rule. If you read the rule again, you will see that the limitation is on the total amount a person can send in a month, not on whether transfers between the two countries are allowed at all. The product can satisfy it by tracking each sender’s monthly total for that country pair and rejecting only the transfer that would push the total over $10,000. This type of requirement is negotiable and open to discussion.
An example of a non-negotiable requirement would be “the government has ordered all companies to stop transactions between Country A and Country B”. You simply have to deliver on this.
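As an added example (not code from the original post), the two readings of the rule above side by side in Python: the blanket corridor block the Compliance team first proposed, and the check the rule actually asks for, which also enforces the single-payment cap from the earlier India example. The corridor (“A” to “B”), the caps, the sample ledger and the function names `blanket_block`, `check_transfer` and `month_total` are all constructed for illustration and do not come from any real regulation.

```python
"""Enforcing a cross-border transfer rule as written rather than in its most
restrictive reading. Everything here is constructed for illustration: the
corridor ("A" -> "B"), the caps, the ledger and the function names are hypothetical."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed rules. Amounts are Decimal, never float, so cents add exactly.
MONTHLY_CAP = {("A", "B"): Decimal("10000.00")}         # per sender, per calendar month
SINGLE_PAYMENT_CAP = {("A", "B"): Decimal("10000.00")}  # per payment


@dataclass(frozen=True)
class Transfer:
    sender_id: str
    from_country: str
    to_country: str
    amount: Decimal
    on: date
    status: str  # "settled", "pending" or "rejected"


# Constructed ledger: what each sender has already sent this March.
SAMPLE_LEDGER = [
    Transfer("alice", "A", "B", Decimal("6000.00"), date(2024, 3, 2), "settled"),
    Transfer("alice", "A", "B", Decimal("3000.00"), date(2024, 3, 10), "pending"),
    Transfer("alice", "A", "B", Decimal("5000.00"), date(2024, 3, 11), "rejected"),
    Transfer("alice", "A", "C", Decimal("8000.00"), date(2024, 3, 12), "settled"),
    Transfer("bob", "A", "B", Decimal("9999.00"), date(2024, 3, 12), "settled"),
]


def month_total(ledger, sender_id, from_country, to_country, when):
    """Sum of one sender's transfers on one corridor in the calendar month of `when`.

    Pending transfers count as well as settled ones; otherwise two quick requests
    could both pass the check before either settles. Rejected transfers never
    moved money, so they are excluded."""
    return sum(
        (t.amount for t in ledger
         if t.sender_id == sender_id
         and (t.from_country, t.to_country) == (from_country, to_country)
         and (t.on.year, t.on.month) == (when.year, when.month)
         and t.status in ("settled", "pending")),
        Decimal("0"),
    )


def blanket_block(transfer):
    """The most restrictive reading: refuse every transfer on a capped corridor."""
    if (transfer.from_country, transfer.to_country) in MONTHLY_CAP:
        return False, "corridor blocked"
    return True, "ok"


def check_transfer(ledger, transfer):
    """The rule as written: refuse only a payment that breaks the single-payment
    cap or would push the sender's monthly total on that corridor over the cap."""
    corridor = (transfer.from_country, transfer.to_country)
    if transfer.amount <= 0:
        return False, "amount must be positive"
    single_cap = SINGLE_PAYMENT_CAP.get(corridor)
    if single_cap is not None and transfer.amount > single_cap:
        return False, f"single payment cap {single_cap} exceeded"
    monthly_cap = MONTHLY_CAP.get(corridor)
    if monthly_cap is None:
        return True, "no monthly cap on this corridor"
    used = month_total(ledger, transfer.sender_id, *corridor, transfer.on)
    if used + transfer.amount > monthly_cap:
        return False, f"monthly cap exceeded: {used} of {monthly_cap} already used"
    return True, f"ok, {monthly_cap - used - transfer.amount} left this month"


if __name__ == "__main__":
    for amount, day in ((Decimal("1500.00"), date(2024, 3, 15)),
                        (Decimal("1000.00"), date(2024, 3, 15)),
                        (Decimal("9500.00"), date(2024, 4, 1))):
        t = Transfer("alice", "A", "B", amount, day, "pending")
        print(amount, day, "blanket:", blanket_block(t),
              "as written:", check_transfer(SAMPLE_LEDGER, t))
```

Two details matter for the check to hold up in production. Pending transfers must count toward the monthly total, and the read-then-insert must be done atomically (a database transaction or a reservation row), otherwise two requests submitted together can each see the same remaining balance and both go through. The blanket block has neither problem, which is exactly why it looks attractive to the Compliance team and why the PM has to show that the narrower control is still safe.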
Since a Product Manager is responsible for the success of their product, you often have to find the right balance between staying compliant and preserving the user experience.
Therefore, a Product Manager is required to advocate for the users while the Compliance team advocates for the company.
Framework to approach compliance requirements
Let’s do a thought experiment. Imagine you’re now part of a product that has to be compliant whenever you make a new feature release. How do you proceed?
If you are absolutely new to the product you might have to do some prep work.
- Identify the Compliance team or member responsible for final decision-making.
- Identify the relevant regulatory bodies for your product. Read more about them and their frequency of issuing new policies.
- Understand the existing rules and why they exist.
- Go through the current user journey and map it. Break the journey into smaller chunks and then create a detailed map of each chunk.
- Ensure there is proper documentation of all the existing rules and validations that make your product compliant.
By doing the above, you become more knowledgeable and your opinions will have depth during meetings. If you skip these steps, you are more likely to play a catch-up game during important discussions.
When dealing with a new feature request from the Compliance team
You begin the Product Discovery phase and document everything:
- What are the exact rules issued by the regulatory body?
- What changes are expected in the product?
- What does the current user experience look like?
- What will change in terms of UI?
- How should we communicate with the users and other teams?
Tip: The key here is to be concise and precise when documenting the first draft.
By the end of your short discovery, you will have a clear idea of what changes are expected.
Next is prioritization. It is very likely that you are swamped with work because you have already committed to a roadmap. Before you open discussions with other stakeholders, you need to know the following things:
- Is there any deadline set by the regulatory bodies? Is that deadline negotiable?
- Are there legal implications for not delivering on this requirement?
- Does it line up with our current company strategy? Or are we doing this for the sake of doing it?
- Other than being compliant, are there other potential benefits to be unlocked, e.g. can we expand to another market easily if we do this now?
Tip: It is very tempting to neglect requests from the Compliance team, but ignoring them can have dire consequences for your product. As a PM you should be aware of all the risks.
Assuming this feature request has the highest priority, you then begin the Design and Development phase. You can follow whatever process you normally use for design and development, but ensure the following:
- Share the first drafts of your design for early feedback.
- Once you have final designs, share them with other stakeholders that might get impacted by the upcoming changes. For example, if you are making a change that has positive impact on business strategy then inform Business team so that they can prepare their pitches accordingly. If the change adds more work to Operations team, then show them the designs and help them prepare ahead of the release.
- During this phase, keep an active line of communication with the Compliance team. They have to be made aware of delays.
- Give clarity on deadlines and expected end result to your Development team. Inform them about the implications of non-compliance.
Tip: Design and Development is a highly collaborative phase, because during development you will encounter new blockers. As a PM, you should facilitate the removal of these blockers.
Next comes the Testing phase. In my experience, getting your compliance team to test the features before release is very useful. It depends on the criticality of the feature and the availability of the team. The following things are important:
- Prepare a short demo video and share it with the team before you release to production.
- Be flexible about last-minute changes to the feature.
- You might get a list of improvements soon after the release; these should be documented well.
- Document the potential impact on other teams and communicate that ahead of time.
- Keep your legal team updated as well.
Tip: When releasing critical changes, test the product yourself.
Don’t skip post-release monitoring. Most people move straight on to another feature. Here is what you need to be aware of:
- Add event tracking wherever possible. This will help you build a dashboard in your analytics tool later.
- Create reports and add them to your regular review meetings. This way, you can keep track of the feature performance.
Final words
Working with a Compliance team might make you feel less autonomous, but that is the reality of working in regulated industries. Don’t seek full autonomy and don’t work in a silo.
The Compliance team will continue to advocate for the company and the Product Manager should continue to advocate for the users. This is the balance you strike as a Product Manager.