EU vs US: Navigating Regulatory Expectations

When the Regulator Calls First, You Have Already Lost

I launched a fintech product in the US and the UK on the same day in 2017. It felt like a milestone. Two major markets, simultaneous entry, the kind of thing I put in an investor update with some pride. What I did not fully appreciate at the time was that I had not launched one product into two markets. I had launched two entirely different regulatory relationships, and I only understood that after one of them had already gone wrong.

The US engagement started with a detailed inquiry. A user complaint had reached the regulator before my proactive risk framework had reached anyone. The product was live, customers were onboarding, and the first substantive conversation I had with a US regulator was reactive. I was explaining myself rather than introducing myself. The tone of that distinction matters more than most founders realise until they are sitting in it.

The UK experience was almost the inverse. I had pre-application meetings, scenario testing, and a structured review of my risk framework before a single customer had touched the product. The FCA wanted to understand how I thought before they watched how I behaved. At the time, I found the process slow and occasionally bureaucratic. In hindsight, I would have paid for it.

The Moment I Realised I Was Already Behind

Here is the part I do not often tell. By the time I understood that my US launch was already out of compliance – not catastrophically, but materially – I had been operating for several weeks. The product had passed my internal review. It had passed legal. I had built a risk framework I was genuinely proud of. What I had not done was map my compliance assumptions against US-specific regulatory philosophy, because I had made the mistake of assuming that a well-built product with strong internal governance would translate cleanly across jurisdictions. It did not.

The first user complaint was not about the product. It was about a data handling notice.
A feature that no customer had meaningfully used – and that most of my team had forgotten was even in the product – had a data retention disclosure that did not meet state-level requirements in one US market. The regulator’s first question to me was not about my business model, my risk controls, or my financial standing. It was about my data retention policy for a feature my customers had ignored.

I had spent months perfecting the user experience. The regulator’s opening question was about a disclosure buried in a settings page. There is a lesson in that irony that I have never fully stopped finding uncomfortable.

Three Things I Now Understand That I Did Not Then

The rules are not the philosophy. Every jurisdiction has rules. What determines how those rules are applied – the timing of engagement, the tolerance for ambiguity, the willingness to work through uncertainty with me – is the philosophy sitting underneath them. The US regulatory model, particularly in financial services, operates on a philosophy of permissiveness with enforcement backstop. I am broadly allowed to innovate, and the system corrects through action after the fact. The EU and UK model is built on a philosophy of pre-emptive assurance. The regulator wants confidence before I build momentum, not accountability after I have it. Neither philosophy is superior. But confusing one for the other is where serious exposure lives.

Proactive engagement is not a soft skill in the EU – it is a market entry strategy. The assumption most founders carry into European regulatory engagement is that more rules mean slower progress. The opposite is often true. Because EU and UK regulators expect pre-engagement, they are structurally set up to give it to me. The FCA’s innovation pathways, the sandbox frameworks, the pre-application guidance – these exist because the philosophy demands proactive dialogue. If I use them properly, I arrive at launch with documented regulatory alignment rather than undisclosed risk.
That is not a slower path to market. That is a cleaner one.

The regulator does not surprise me. I surprise myself. This is the thing I keep coming back to. In both markets, the regulator behaved exactly as their published guidance, their public speeches, and their prior enforcement actions would have predicted. I was the one who had not read the signals correctly. I had read the rules. I had not read the character of the institution. Those are different things, and the gap between them is where most cross-border regulatory failure actually happens.

What This Means If You Are Building Across Jurisdictions Now

If I am running a fintech, a GRC platform, or any regulated product across more than one geography, the question is not whether I have legal coverage in each market. The question is whether the person responsible for regulatory strategy in each market has genuine fluency in how that regulator thinks, not just what it requires. Rules can be read by a good lawyer. Philosophy has to be learned through proximity – through pre-meetings, through sandbox engagement, through understanding what a regulator has said in its last five public consultations and why.

The organisations I have seen handle multi-jurisdictional launches well share one common trait: they treat regulatory engagement as a relationship to be built before it is needed, not a process to be managed after something goes wrong. That requires time, and it requires the kind of senior attention that often gets deprioritised in favour of product and commercial priorities. I have made that deprioritisation myself. I am not exempt from the lesson.

It also requires the kind of honest internal culture where the compliance team feels genuinely empowered to raise a concern before launch, not after. That is a different conversation – one I have written about elsewhere – but it is inseparable from this one.
The Closing Thought

Two regulators, one product, entirely different outcomes – and the difference had nothing to do with the quality of what

What Basel III Is Really Testing in Banks Today

When Passing Every Test Is Not the Same as Being Prepared

I sat across from a risk committee in Q3 2022 that had done everything right on paper. Liquidity coverage ratio was above threshold, net stable funding ratio was solid, and capital filings were submitted on time, every quarter, without drama. The room carried the particular confidence of people who had followed the rules and knew it.

Six weeks later, a rate shock hit. The CFO called me, and he was not panicking, which, looking back, made it worse. Panic I could have worked with. What he had instead was genuine bewilderment. “We passed every stress test, Laksh. How is this happening?”

I gave him an honest answer in that call, but the question itself stayed with me for much longer. Because he was right, they had passed every test, and they were still unprepared. The gap, between the test and the reality, is what I have been thinking about ever since.

The Situation

Here is what their balance sheet actually looked like, beneath the ratios. I saw that the product team had spent eighteen months pushing into longer-duration liabilities because the margins were attractive. Treasury had flagged concerns internally, twice. Both times the conversation ended when someone cited the capital ratios as evidence the position was sound. I decided that the stress tests had been produced by a small team, reviewed by risk, filed with the regulator, and essentially not touched again until the next cycle. I also decided that capital planning happened once a year, in a process the business units attended long enough to sign the assumptions and then left.

No one had broken a rule. Every number was real. I followed the framework with genuine diligence. However, I did not think. The stress tests were treated as a compliance artefact, something I produce for the regulator, not something I use to make a better decision the following Monday.
When the rate environment shifted faster than the annual cycle had modelled, there was no mechanism to catch it. The treasury desk and the product desk had been living in parallel universes, and Basel III had given them enough paperwork in common to feel like they were collaborating.

I say with no pleasure that a bank can be a model Basel III institution and still be structurally unprepared for a real-world shock. I designed the framework to be rigorous, but I also implemented it in a way that is backward-looking. Filing last quarter’s ratios tells me where I was. It tells me almost nothing about where the next decision is taking me.

Three Things That Conversation Confirmed

**Resilience is an operating discipline, not a reported state.** I noticed that the institutions that held through the 2022 rate environment shared something: risk was not a department I consulted after the fact. It was a presence in the room when the product got priced, when the liability structure got approved, when the assumption about customer behaviour got embedded in a model. The ratio I filed was a consequence of the thinking that had already happened. Not the other way around. Most banks have inverted this. I use the ratio to justify decisions already made. When the ratio looks acceptable, the conversation stops. That is not risk management. That is risk rationalisation.

**Stress testing works only if someone owns the result.** I found that the problem with how stress testing is practised in the majority of mid-sized institutions is not the methodology. The models are often genuinely sophisticated. The problem is what happens the morning after the document is filed. I ask myself, who reads it? Who changes something because of it? In that 2022 committee, the answer was effectively no one, not because they were negligent, but because the process had no forcing function attached to it. Stress testing had become a production exercise.
A skilled team spent weeks building a credible scenario, and the output lived in a folder. I believe that stress testing earns its cost only when it is connected to a decision. When a scenario changes a pricing assumption, modifies a product approval, or triggers a board conversation about exposure, that is when it does the thing it was designed to do. Otherwise, it is expensive documentation.

**Capital planning done annually is capital planning done wrong.** I think that the world that Basel III was designed for no longer moves at an annual cycle. Rate environments shift in quarters. Funding markets can reprice in weeks. The assumption embedded in most capital planning processes, that I review the balance sheet once a year in a structured exercise, is structurally mismatched with how risk actually arrives. It arrives continuously. It arrives in product decisions and pricing decisions and hiring decisions and the small assumptions that compound quietly until one external event makes them visible all at once. I have seen that the institutions that navigate volatility most effectively treat capital planning as a standing discipline with a live component, regular, shorter reviews that connect the balance sheet to the decisions being made now, not the decisions made last autumn.

What This Means for Your Organisation

If you are a CFO, a CRO, or a board member reading this, the question worth asking is not whether your ratios are in order. They probably are. The question is whether the people approving products, pricing liabilities, and building forecasts have ever been in the same room as the stress test output. Whether your capital planning process ends when the document is filed or when the business has changed something because of it. Whether your treasury desk and your product desk are genuinely in conversation before the decision, or only after the loss has been recognised.
The answer to that question tells me more about your resilience than any number you will report this quarter. I gave the industry a language for resilience. What I cannot mandate is whether you use it to think or merely to report. The banks that