Saturday, June 15, 2024

EXCLUSIVE: “Compliance will be rewarded. Are you ready to comply?”- Anuradha Muralidharan, Expensify; Amanda Heinemann, Very Good Security and Andrew Veitch, Eedenbull in ‘The Paytech Magazine’

We quizzed Anuradha Muralidharan from payments superapp Expensify, data custodian Very Good Security’s Amanda Heinemann, and Andrew Veitch of expense management platform Eedenbull on the burden and competitive opportunity of compliant payments data handling

The Paytech Magazine (TPM): Is the amount of regulation surrounding use of sensitive data a barrier to fintechs launching and achieving their full potential?

Anuradha Muralidharan (COO, Expensify): Definitely. It’s a mental and monetary deterrent to businesses. Expensify started as a corporate card. Our founder and CEO David Barrett is a brilliant network engineer, and he’d been able to homegrow an infrastructure for the corporate card with all the encryption and Payment Card Industry Data Security Standard (PCI DSS) and System and Organisation Controls (SOC) compliance built in from day one. That’s not easy for everybody to do because you need the right expertise, which is expensive, and you have to go through the cumbersome compliance certification process.

Even so, maintaining a corporate card as a startup was so difficult, we ended up pivoting. In fact, we’d originally built the expenses app just to demo the card’s functionality – but it had generated a huge amount of interest.

Andrew Veitch (COO, Eedenbull): Having to hire full-time engineers and compliance managers to handle the certifications, before we could even launch, was indeed a challenge. There are so many other things you want to be doing to develop your product, interface and experience. Taking people away from doing those things is an overhead to begin with. So, you have to work with partners that can help you get through it, as easily and as quickly as possible.

So, regulation is a block but, that said, having the policies and procedures in place helps businesses: banks and other financial institutions can then work with them because it gives them confidence you know what you’re doing.

Amanda Heinemann (Business Development & Partnerships Lead, Very Good Security): Very Good Security is all about reducing the data security and compliance liability for our customers, and taking that on ourselves. We sit on sensitive data for our customers, enabling them to get the full utility from it, without having to house it, to expedite compliance.

About 70 per cent of our customer base is in fintech – it’s our sweet spot. The remainder are healthtechs, healthcare and e-comm providers. Maintaining good data security has become a core KPI for fintechs. How they treat sensitive data is very important and, in the worst-case scenario, a data breach can lose them customers. As Andrew says, data security and compliance are also prerequisites for partnering with other ecosystem players.

TPM: How can businesses iterate once they have the core compliance features in place, to get new features out to market quickly?

AV: Hopefully, they’re savvy enough to understand what additions need to be made, if any, on top of what they already have. It then depends where they’re going: product improvement in the same market, or moving to other countries and regions, which have their own requirements. It’s a constant challenge of looking at what they have to do in each market. But, once the core’s there, it’s just about adding on top of it.

While we’ve got good processes and policies, and keep data as secure as we can, we use partners that have that skillset to help us do that particular bit quickly and easily. So, for instance, we started off saying that we, and our processing partners, would never hold full PAN data; it would always be redacted and masked. Now we’ve entered virtual card issuance, where we have to have that, so we use a partner like VGS to help us comply.

AH: We provide always-on compliance to our customers for handling changes and additions. They’ve outsourced their data to us, so it’s 100 per cent on us to make sure they’re maintaining compliance as things change. They need to have someone in-house who knows what they’re doing, or defer to an expert.

AM: Building everything and getting it certified the first time is a lot of work. However, ongoing maintenance, if you’re disciplined in considering your compliance requirements at the design stage when developing new products and features, is not that complicated. We don’t have a dedicated compliance team that only does this. They handle certification renewals and support new developments through the course of a year, but they are also doing other things, so it’s not a specific drag on our financials. We also liberally use industry experts to teach us when we run up against something that we don’t understand, to grow ourselves as a team.

Also, with a compliant environment and strict data encryption requirements, you have the capability to handle data that’s within PCI scope, and can encrypt other sensitive information not covered by PCI. For example, you have to encrypt 16-digit primary account numbers (PAN). So, if you have that functionality already, why not also encrypt social security numbers, and so on? We always have that extra layer of protection on sensitive data, to protect against data breach liability, hackers etc.

TPM: What else can data insights support and how can you access and analyse them securely?

AH: We help companies alias data for this purpose, as often they don’t want insights into the underlying, sensitive data, like the PAN. Rather they want to analyse metadata attached to it or to a social security number. So, with a lending customer, what the company cares about isn’t their actual social security number but the fact it generates a credit score of 780 when we send it to the bureaus.

We can let them sit on our alias to represent that social security number with a unique identifier they can tie to the metadata, and run all the analysis they want. This also offloads the liability, because they’re no longer sitting on that raw data; it’s fully outside of their system and doesn’t ever even touch their servers. Our customers retain full remote control over everything pertaining to the sensitive data, though. They can decide where it’s routed and how it’s treated, while we take all the liability off their plate. If they decide not to use us anymore, we give them all their data back.

AM: As an expense application, Expensify offers incremental value to our users with travel booking or making restaurant reservations. And we aggregate transaction data to provide insights to help us do that. So, for instance, we offer a service called Concierge Travel with our corporate card, for travel booking. Someone tells us what meeting or conference they’re going to and Concierge takes care of everything.

For Concierge to do that, we look at clients’ transaction data, see what times of day they prefer to travel, what level of hotels they stay at, and their company budgets – but nothing that identifies them as a person.

AV: The world is changing and payments aren’t just about cards, so we’re trying to enable companies to use data to provide insights to their end-customers, so that they can choose how to pay, at the best time for them.

TPM: What other up and downsides might there be to being PCI-licensed yourself as opposed to outsourcing it?

AH: A lot of customers come to VGS for PCI compliance to get smarter about their payments routing. Because they can’t build this in-house, they are locked into one processor. So, we’re giving a lot of our merchant customers PCI compliance, in their own name, in under a month, for Level 1, which is great for an industry where it usually takes a year and a huge sum of money. Then they can get really smart about routing transactions in terms of geography and card type, making sure they actually happen. A lot of customers also want a failover payment service provider (PSP) because, if it’s a good transaction and it’s getting declined, they want to make sure they put it with another processor and realise the transaction, and they come to us for that.

AM: Being PCI-compliant means we can build our own approval workflow, which is hyper-fast compared to processors, and that’s really helped us. And we purposefully designed our environment to give us a lot of processing scale.

Our processor for cards has the capability to route all approval-versus-decline decisions to companies looking to process at scale, at the point of sale, so long as they have the ability to respond in an insanely-short timespan, in line with network guidelines. This helps us build use cases others can’t, like applying a company’s business rules to card spend at point-of-sale, giving them an element of control that doesn’t take away from the cardholder’s experience by blanket rejecting on merchant category or dollar spend amount.

The only reason we can do that is because we have the scale, and we only have the scale because we built it with compliance in mind. So it certainly is a competitive advantage. If you don’t have it, you can still launch, but you’re going to depend on your processor much more, which inhibits your negotiating power with them, and increases the costs.
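Two technical points in the interview are worth seeing in working code. The first is the aliasing (tokenization) pattern Amanda Heinemann and Andrew Veitch describe: the application never holds a full PAN or social security number, only an alias that preserves format and the last four digits, while the raw value lives solely inside a vault; analytics (the credit score of 780) attach to the alias, and the same value always maps to the same alias so records can be joined. The example below is added here to illustrate that pattern; it is not VGS’s product, Expensify’s code, or any real vault API. The vault key, the test PAN, the sample SSN and the `Vault` class are all constructed for the example, and a production vault would keep the key in an HSM or KMS and encrypt stored values rather than holding them in a dictionary.

```python
"""Added example: a minimal aliasing (tokenization) vault.

The application side keeps only aliases plus the metadata it wants to analyse;
raw PAN / SSN values exist only inside the Vault object (the trust boundary).
Not VGS's or Expensify's code; key and sample data are constructed.
"""
import hashlib
import hmac
import re
import secrets

VAULT_KEY = b"constructed-demo-key-use-an-hsm-or-kms-in-production"  # assumption


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation on an all-digit PAN of plausible length."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style masking: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Vault:
    """Holds raw values and hands out format-preserving aliases."""

    def __init__(self, key: bytes):
        self._key = key
        self._by_alias = {}   # alias -> raw value (the only copy of the secret)
        self._by_index = {}   # HMAC(kind:value) -> alias, so lookups never scan plaintext

    def _index(self, kind: str, value: str) -> str:
        return hmac.new(self._key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_alias(value: str) -> str:
        """Randomise every digit except the last four; keep separators so downstream
        format checks still pass. The alias is deliberately not a Luhn-valid PAN."""
        chars = list(value)
        digit_positions = [i for i, c in enumerate(chars) if c.isdigit()]
        for i in digit_positions[:-4]:
            chars[i] = str(secrets.randbelow(10))
        return "".join(chars)

    def tokenize(self, kind: str, value: str) -> str:
        if kind == "pan":
            if not luhn_valid(value):
                raise ValueError("not a valid PAN")
        elif kind == "ssn":
            if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", value):
                raise ValueError("not an SSN in ddd-dd-dddd form")
        else:
            raise ValueError(f"unknown kind {kind!r}")
        idx = self._index(kind, value)
        if idx in self._by_index:
            return self._by_index[idx]   # same value -> same alias, so the app can join on it
        alias = self._random_alias(value)
        while alias == value or alias in self._by_alias:
            alias = self._random_alias(value)
        self._by_alias[alias] = value
        self._by_index[idx] = alias
        return alias

    def reveal(self, alias: str) -> str:
        """The only path back to raw data; in production this call is access-controlled and audited."""
        return self._by_alias[alias]


def demo():
    """Tokenize a constructed PAN and SSN and show what the application keeps."""
    vault = Vault(VAULT_KEY)
    pan = "4111111111111111"   # constructed Luhn-valid test number
    ssn = "123-45-6789"        # constructed sample, not a real SSN
    pan_alias = vault.tokenize("pan", pan)
    ssn_alias = vault.tokenize("ssn", ssn)
    # Application-side records: aliases plus metadata, never the raw values.
    app_records = {
        ssn_alias: {"credit_score": 780},
        pan_alias: {"display": mask_pan(pan)},
    }
    return vault, pan_alias, ssn_alias, app_records


if __name__ == "__main__":
    _, pan_alias, ssn_alias, records = demo()
    print(pan_alias, ssn_alias, records)
```

The HMAC index is what makes deterministic aliasing safe to implement: the vault can answer "have I seen this value?" without a plaintext lookup table, and the key that makes the index unguessable never leaves the vault.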
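The second point is Anuradha Muralidharan’s description of point-of-sale decisioning: the processor forwards each authorisation to the company, which applies its own business rules and must answer within the network’s very short deadline. The example below is added to show the shape of that loop; it is not Expensify’s rules engine, and the request fields, the `TripPolicy` shape, merchant category codes and the half-second deadline are assumptions for illustration. The caveat a practitioner cares about is the deadline path: an approve that arrives after the network has timed out must not be allowed to commit spend, so the example fails closed and rolls nothing forward when it is late.

```python
"""Added example: company business rules applied to a card authorisation
inside a response deadline. Not Expensify's code; all fields constructed.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """One authorisation message (assumed fields, not a real network message layout)."""
    card_id: str
    amount_cents: int
    mcc: str        # merchant category code, e.g. "5812" restaurants, "7011" hotels
    country: str


@dataclass(frozen=True)
class TripPolicy:
    """A company's rules for one cardholder's trip (assumed shape)."""
    budget_cents: int
    allowed_mcc: frozenset
    allowed_countries: frozenset
    per_txn_limit_cents: int


@dataclass(frozen=True)
class Decision:
    approve: bool
    reason: str


class Decisioner:
    """Answers approve/decline for the processor within deadline_s seconds."""

    def __init__(self, policies, deadline_s=0.5, clock=time.monotonic):
        self.policies = policies                      # card_id -> TripPolicy
        self.spent = {cid: 0 for cid in policies}     # running spend per card
        self.deadline_s = deadline_s
        self.clock = clock                            # injectable for testing

    def _evaluate(self, req: AuthRequest) -> Decision:
        """Pure rule evaluation; commits nothing."""
        policy = self.policies.get(req.card_id)
        if policy is None:
            return Decision(False, "no policy for card")
        if req.mcc not in policy.allowed_mcc:
            return Decision(False, f"mcc {req.mcc} not allowed for this trip")
        if req.country not in policy.allowed_countries:
            return Decision(False, f"country {req.country} outside trip itinerary")
        if req.amount_cents > policy.per_txn_limit_cents:
            return Decision(False, "over per-transaction limit")
        remaining = policy.budget_cents - self.spent[req.card_id]
        if req.amount_cents > remaining:
            return Decision(False, f"exceeds remaining trip budget ({remaining} cents)")
        return Decision(True, "within trip policy")

    def decide(self, req: AuthRequest) -> Decision:
        started = self.clock()
        decision = self._evaluate(req)
        if self.clock() - started > self.deadline_s:
            # Fail closed: the network has already timed out, so a late approve
            # would commit spend that was never honoured.
            return Decision(False, "deadline exceeded")
        if decision.approve:
            self.spent[req.card_id] += req.amount_cents
        return decision


if __name__ == "__main__":
    policies = {"card-42": TripPolicy(50_000, frozenset({"5812", "7011"}), frozenset({"GB"}), 40_000)}
    d = Decisioner(policies)
    for r in (AuthRequest("card-42", 20_000, "7011", "GB"),
              AuthRequest("card-42", 35_000, "7011", "GB"),
              AuthRequest("card-42", 1_000, "5999", "GB")):
        print(r, d.decide(r))
```

Keeping `_evaluate` free of side effects is what lets the deadline check sit between evaluation and commit; any external lookup (a slow policy store, a fraud score) belongs inside `_evaluate` so its latency is counted against the deadline.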


This article was published in The Paytech Magazine #09, Page 33-34
