When the Regulator Calls First, You Have Already Lost
I launched a fintech product in the US and the UK on the same day in 2017. It felt like a milestone. Two major markets, simultaneous entry, the kind of thing I put in an investor update with some pride. What I did not fully appreciate at the time was that I had not launched one product into two markets. I had launched two entirely different regulatory relationships, and I only understood that after one of them had already gone wrong.
The US engagement started with a detailed inquiry. A user complaint had reached the regulator before my proactive risk framework had reached anyone. The product was live, customers were onboarding, and the first substantive conversation I had with a US regulator was reactive. I was explaining myself rather than introducing myself. The tone of that distinction matters more than most founders realise until they are sitting in it.
The UK experience was almost the inverse. I had pre-application meetings, scenario testing, and a structured review of my risk framework before a single customer had touched the product. The FCA wanted to understand how I thought before they watched how I behaved. At the time, I found the process slow and occasionally bureaucratic. In hindsight, I would have paid for it.
The Moment I Realised I Was Already Behind
Here is the part I do not often tell.
By the time I understood that my US launch was already out of compliance – not catastrophically, but materially – I had been operating for several weeks. The product had passed my internal review. It had passed legal. I had built a risk framework I was genuinely proud of. What I had not done was map my compliance assumptions against US-specific regulatory philosophy, because I had made the mistake of assuming that a well-built product with strong internal governance would translate cleanly across jurisdictions.
It did not.
The first user complaint was not about the product. It was about a data handling notice. A feature that no customer had meaningfully used – and that most of my team had forgotten was even in the product – had a data retention disclosure that did not meet state-level requirements in one US market. The regulator’s first question to me was not about my business model, my risk controls, or my financial standing. It was about my data retention policy for a feature my customers had ignored.
I had spent months perfecting the user experience. The regulator’s opening question was about a disclosure buried in a settings page. There is a lesson in that irony that I have never fully stopped finding uncomfortable.
Three Things I Now Understand That I Did Not Then
The rules are not the philosophy. Every jurisdiction has rules. What determines how those rules are applied – the timing of engagement, the tolerance for ambiguity, the willingness to work through uncertainty with me – is the philosophy sitting underneath them. The US regulatory model, particularly in financial services, operates on a philosophy of permissiveness with enforcement backstop. I am broadly allowed to innovate, and the system corrects through action after the fact. The EU and UK model is built on a philosophy of pre-emptive assurance. The regulator wants confidence before I build momentum, not accountability after I have it. Neither philosophy is superior. But confusing one for the other is where serious exposure lives.
Proactive engagement is not a soft skill in the EU – it is a market entry strategy. The assumption most founders carry into European regulatory engagement is that more rules mean slower progress. The opposite is often true. Because EU and UK regulators expect pre-engagement, they are structurally set up to give it to me. The FCA’s innovation pathways, the sandbox frameworks, the pre-application guidance – these exist because the philosophy demands proactive dialogue. If I use them properly, I arrive at launch with documented regulatory alignment rather than undisclosed risk. That is not a slower path to market. That is a cleaner one.
The regulator does not surprise me. I surprise myself. This is the thing I keep coming back to. In both markets, the regulator behaved exactly as their published guidance, their public speeches, and their prior enforcement actions would have predicted. I was the one who had not read the signals correctly. I had read the rules. I had not read the character of the institution. Those are different things, and the gap between them is where most cross-border regulatory failure actually happens.
What This Means If You Are Building Across Jurisdictions Now
If I am running a fintech, a GRC platform, or any regulated product across more than one geography, the question is not whether I have legal coverage in each market. The question is whether the person responsible for regulatory strategy in each market has genuine fluency in how that regulator thinks, not just what it requires. Rules can be read by a good lawyer. Philosophy has to be learned through proximity – through pre-meetings, through sandbox engagement, through understanding what a regulator has said in its last five public consultations and why.
The organisations I have seen handle multi-jurisdictional launches well share one common trait: they treat regulatory engagement as a relationship to be built before it is needed, not a process to be managed after something goes wrong. That requires time, and it requires the kind of senior attention that often gets deprioritised in favour of product and commercial priorities. I have made that deprioritisation myself. I am not exempt from the lesson.
It also requires the kind of honest internal culture where the compliance team feels genuinely empowered to raise a concern before launch, not after. That is a different conversation – one I have written about elsewhere – but it is inseparable from this one.
The Closing Thought
Two regulators, one product, entirely different outcomes – and the difference had nothing to do with the quality of what I built.
Regulatory strategy is not about understanding the rules that currently exist. It is about understanding the assumptions those rules were written to protect. I get the assumptions right and the rules become predictable. I get them wrong and no amount of legal review will save me from a conversation I was never prepared to have.
The regulator is not my adversary. In most cases, they are not even my obstacle. They are a mirror. What I see depends entirely on how carefully I looked before I stood in front of one.