
Episode 60: Compliance Expert Interview with Bert Friedman

Rhonda McGill
February 28, 2025
Dive into the COMPLY Podcast Expert Interview Series featuring industry leaders who are making a difference in the marketing compliance landscape

The COMPLY Podcast showcases trailblazers in the financial services and compliance space. Each episode dives deep into the challenges, triumphs, and innovations of executives at top banks, fintechs, and enterprises.

In this episode, I’m joined by Bert Friedman, whose experience spans serving as an examiner at the CFPB to holding key compliance roles at companies like BMO Harris Bank, Deserve, and Payitoff.

We discuss:

  • The importance of compliance as an enabler rather than a roadblock, emphasizing a strategic approach to saying “yes, and here’s how” instead of defaulting to “no”
  • The evolving regulatory landscape, including UDAAP enforcement, BNPL regulations, and increased scrutiny of banking-as-a-service (BaaS) partnerships
  • The role of AI and technology in compliance, the need for human oversight, and the challenge of balancing automation with regulatory documentation and risk management
  • The increasing role of state regulators in compliance enforcement, especially as federal agencies shift priorities

Show Notes:

Subscribe to COMPLY: The Marketing Compliance Podcast

About COMPLY: The Marketing Compliance Podcast

The state of marketing compliance and regulation is evolving faster than ever, especially for those in the consumer finance space. On the COMPLY Podcast, we sit down with the biggest names in marketing, compliance, regulations, and innovation as they share their playbooks to help you take your compliance practice to the next level. 

Episode Transcript:

Rhonda:
Hey there COMPLY Podcast listeners and welcome to this week’s episode. In this episode, I sat down with Bert Friedman, whose experience includes serving as an examiner at the CFPB and holding key compliance roles at companies like BMO Harris Bank, Deserve, and Payitoff. We explored how compliance can be an enabler rather than a roadblock, the role of AI in compliance and the need for human oversight, and the growing influence of state regulators as federal priorities shift. Thanks for listening, and enjoy.

Rhonda:
Hello to our listeners, and please help me welcome my dear friend, Bert Friedman. Bert, as far as I’m concerned, you’re a master of collaboration and incredibly well-connected throughout the industry. You’ve been in the compliance world for quite some time, working with multiple startups and fintechs. If I recall correctly, you also spent some time at the CFPB.

I’ve been looking forward to this conversation, and I really appreciate you taking the time to join us today. I’m excited for our listeners to learn more about you and your compliance journey. With that, Bert, could you introduce yourself and share a bit about your professional background and how you found your way into compliance?

Bert:
Thank you for having me, Rhonda. I appreciate it. This is exciting, and I’m glad to be here.

I got into compliance in what I think is the traditional way—I started in advertising and marketing. I was a copywriter at some national agencies, including Bozell and J. Walter Thompson, and later became a commercial producer. My scripts had to go through legal review, and at one point, an attorney at one of the firms suggested I consider law school. I had already earned an MBA before entering advertising, so I had a business background. In retrospect, maybe that attorney was subtly telling me I wasn’t the most talented writer! But I took the advice, went to law school, and while I never took the bar exam, it led me down a different path.

What I’ve learned over time is that advertising and marketing are highly creative fields. What appealed to me about law school—and later, compliance—is that compliance officers also have the opportunity to be creative. Anyone can recognize the difference between right and wrong, but especially in the startup and fintech world, the key is not just saying “no” but rather “yes, and here’s how.” That’s where creativity comes into play.

I like to say that you’re not in compliance because you think this way—you think this way because you’re in compliance. And to the seven people who got that joke, thank you!

I started out in large international banks. I worked for a bank in Chicago that was later acquired by Bank of America, which led me to move on. I spent some time at a private investment company doing KYC, onboarding high-net-worth individuals who were purchasing tranches of debt in the tertiary market. That was a lot of fun, but eventually, I wound up in government. As you mentioned, I worked as a regulator with the CFPB, which was a terrific experience.

At the CFPB, I gained an in-depth knowledge of consumer protection regulations and became intimately familiar with 12 CFR, which was incredibly valuable for my career. As an examiner, you typically had one of three roles: an individual contributor (IC), a lead examiner overseeing a small team, or the examiner-in-charge (EIC), overseeing multiple leads. When I joined, the CFPB was still actively recruiting attorneys for exams, but they realized that having practicing attorneys on an exam team could be intimidating for the companies being reviewed. Our role wasn’t to prosecute but to assess compliance.

It was a fantastic learning experience, and I built strong professional relationships. Perhaps most importantly, I had the rare opportunity to review 20 to 30 compliance management systems (CMSs). Since the CFPB isn’t prescriptive about how to build a CMS, I was able to observe different approaches firsthand and determine what worked well in various environments. That experience proved invaluable.

So, naturally, the first thing I did with that knowledge was… not use it. Instead, I joined what was then one of the largest money services businesses (MSBs) in the country—a short-term, small-dollar lender called Community Choice Financial. I built their financial intelligence unit from the ground up, overseeing a large team and a significant compliance workload. As an MSB and a short-term lender, we were filing around 500 suspicious activity reports (SARs) and 1,500 currency transaction reports (CTRs) per month.

We also dealt with various state regulators, who often had differing interpretations of compliance requirements. One state in the Southeast, for example, insisted that stored value cards were currency and wanted us to file CTRs for transactions over $10,000. I had to push back because, well, the “C” in CTR stands for currency, and stored value cards are not currency. I was right, but that didn’t stop the back-and-forth.

Ultimately, I moved on when the company asked me to relocate to their headquarters in Columbus, which wasn’t in the cards for me. At the time, I was in Chicago, and while both cities start with “C,” they are worlds apart.

And all my favorite sports teams were in Chicago, so I couldn’t leave. Instead, I wanted to work for Bank of Montreal. It was a great experience—cross-border transfers, that sort of thing. They had merged with Harris Bank in Chicago, and, like every bank, they had legacy systems that didn’t communicate well with each other. Now, we had two sets of legacy systems to manage.

English is the default language for banking, but adding cross-border transactions created an extra layer of complexity. It was a lot of fun, but by 2018, both my wife and I were looking for new challenges.

And that brings us to the real point of our conversation: we decided to head out to Silicon Valley to see what we could do.

Rhonda:
Wow.

Bert:
I wish I could say there was a master plan—there wasn’t.

Rhonda:
But you made it work.

Bert:
Honestly, that’s very true. I had never been tasked with building a compliance management system (CMS) from the ground up before, but I was eager to take on that challenge. I got the opportunity at a company called Deserve. My CEO, Kalpesh Kapadia, saw something in me, even though I had never worked in fintechs or startups before.

He and I have a great personal and professional relationship, which made the experience even better. I built their CMS from scratch and grew the team from just me to a staff of about seven.

In 2020, I left to do the same thing at another startup. At the time, we were called Hatch, but there was some confusion with Hatch Bank, and we were strongly encouraged to change our name. So, we rebranded as Nearside.

Nearside focused on SMB banking—serving very small businesses. We also had an ancillary business that helped these businesses incorporate or file LLC paperwork in various states, as well as manage deposits. While Deserve was in the credit card space, Nearside focused on SMB lending and banking. The company was sold in 2022.

After that, I did some fractional work, building and evaluating CMSs for different startups, which was a great experience. I got to meet a lot of interesting founders and dive deep into the technological aspects of compliance—things I probably never would have done if I had stayed in large banks.

One thing that carried over from Deserve to Nearside and even my next role at Payitoff was helping companies obtain security designations, like SOC 2. I’ve worked with several companies on that process, and I have a favorite audit firm in San Jose, Audit 1, that has been a great help. Not sure if I’m supposed to give endorsements, but they’ve always been fantastic to work with.

I’ve also worked with companies on PCI certification for credit card compliance.

Rhonda:
You’re extremely well-rounded, and that’s so important in compliance—especially for someone building compliance management systems. When you were doing this, what were some of the challenges you ran into? And if you could look back now and give advice to someone who’s just getting started in compliance, what would be the biggest piece of advice you’d offer?

Bert:
Really good question, Rhonda. I think when you’re in a startup, especially, you have to recognize your role within the bigger picture. I’m from Toledo, Ohio, which is near Detroit, so I tend to use car analogies. I think of myself as a rod in an engine—seemingly a small part, but if it fails, the parts around it start to fail as well.

Humility is important. In a startup, you might want to work in a compliance-focused environment, but more often than not, you’re in a company where compliance isn’t the priority. Understanding that distinction is key. In a large organization, there’s room to hide; in a startup, there’s nowhere to hide.

You have to own your decisions. You won’t always make the right one, but you need to make it for the right reasons. Saying “no” is always the safest decision, and founders and CEOs expect compliance professionals to say no—but the real value comes from having a strategic mindset, from being able to say, “Yes, and here’s how.”

Rhonda:
That ties back to the creativity piece you mentioned earlier.

Bert:
Absolutely. Startups are in the business of building products that delight customers. Compliance shouldn’t be a roadblock—it should be an enabler.

That means working with internal teams, like developers, to integrate compliance seamlessly. It also means collaborating with external partners, like your partner bank, to build trust. Sometimes, it means engaging with regulators. And then there’s vendor management—banks are understandably concerned about third-party oversight in fintechs because our third parties become their fourth parties. They need to know who we’re doing business with.

There’s also the question of who we’re onboarding—KYC (Know Your Customer) and KYB (Know Your Business). There are two aspects to this: preventing fraudsters from getting in, which typically falls under risk, and dealing with bad actors once they’re inside, which often becomes a compliance issue. So, there are a lot of layers to managing compliance effectively.

Rhonda:
Yeah, for sure. When you were building all these CMSs and setting up compliance at early-stage fintechs—where budgets for compliance aren’t always large—what tools would you recommend for someone just getting started? What can they do that doesn’t cost a lot but still delivers results?

Bert:
That’s really the key question.

Rhonda:
Spreadsheets—the almighty spreadsheet.

Bert:
Look, when I was at the MSB, we were still using spreadsheets. There are companies that still get by with that. The challenge in any organization is always the fight for resources—it’s the classic build-versus-buy decision. For me, the priority is saving my engineering team’s brainpower. I’d rather have them focus on building the products we want to roll out, rather than internal systems that make my life easier.

Often, it becomes a question of outsourcing and budget—where are our biggest pain points? As a startup, you’ll conduct multiple risk assessments. You’ll assess consumer risk, perform a security risk assessment like SOC compliance, and conduct a BSA/AML risk review. And that starts moving into the realm of governance, risk, and compliance (GRC)—because, in a startup, you often wear many hats.

Rhonda:
Yeah.

Bert:
When looking at governance, risk, and compliance, the big-picture question is: What does our overall risk profile look like? Then, you determine your biggest vulnerabilities and prioritize them. At the same time, you have to consider the fintech’s appetite for risk.

Rhonda:
That’s a great point.

Bert:
At Deserve, we actually created a one-page risk appetite document for the board—an articulation of the risks we were willing to accept. I don’t know if I’ve seen that done elsewhere, and while it’s not always necessary, it’s a more structured and rational way to approach risk.

Once you’ve articulated your risk appetite and conducted your risk assessments, the next step is mitigation—figuring out where your vulnerabilities lie. What needs to be addressed on day one versus what can wait until day two?

And once we’ve mapped all that out, the big question becomes: Can we run this off a spreadsheet? If so, for how long? Maybe the first six months? What tools do we have available? And of course, everyone listening to this is probably thinking, Why not just use AI?

Rhonda:
Yeah, I was going to say—it’s improving.

Bert:
It was—until it wasn’t. There are major concerns, especially with developments overseas. What happens if your NDA is violated? Whose AI model are you using? How do you know for sure? If you’re using real customer data, where is that data going? That sound you just heard—that was a can of worms opening. Or maybe it’s Pandora’s box. Either way, once it’s open, you can’t put things back in.

Rhonda:
Exactly—like toothpaste. It doesn’t go back in.

Bert:
So what do we do?

Rhonda:
Exactly.

Bert:
These are the questions that everyone, not just compliance professionals, should be asking. AI might be the perfect solution in some cases, but it also might not be. It needs to be used judiciously, not relied on entirely. I’ve seen people assume, Hey, I don’t need a compliance person—AI can write my regulatory policy! And sure, it might generate something that looks like a policy, but you’ll quickly see what’s missing—or what should be enhanced by a human. You always need a human reviewing it.

Rhonda:
Absolutely. In everything you do, you can’t rely on a single solution. There’s always a need for a human touch. I don’t believe in purely tech-driven compliance solutions unless there’s human oversight involved. A compliance professional is always a necessity.

Bert:
And that’s where testing comes in on the back end.

Rhonda:
Yeah.

Bert:
For example, let’s say we use an AI-augmented lending model—how do we ensure that we’re lending fairly? How do we explain what’s happening inside that black box?

And most importantly, how do we document it? One thing I learned as a regulator is that if it’s not written down, it didn’t happen.

If something only lives in your CTO’s head and it’s not documented, then:
A) It might not actually happen.
B) If your CTO gets abducted by aliens, you’ll have a really hard time replicating what they were doing.

So, there’s always a good reason to document everything.

Rhonda:
Oh yes, I live by documentation—I love a good document.

So, with that in mind, we’ve talked a bit about AI, but there are also a lot of regulatory changes happening. Whether at the federal level in Washington, D.C., or at the state level, what trends do you see emerging in compliance over the next six months? What should we all be keeping an eye on, according to Bert?

Bert:
There’s so much happening.

I think UDAAP is going to continue to be a major issue, particularly in the world of fintechs and startups. BNPL regulation is also something to watch, as well as open banking and Section 1033 of Dodd-Frank—personalized financial data rights are going to be a big topic.

We’ve touched on AI and algorithmic decision-making, and that ties into fair lending and ECOA (Equal Credit Opportunity Act). And of course, banking-as-a-service (BaaS) and partner bank crackdowns—there’s a lot of attention on third-party oversight right now.

Another key area is P2P payments and fraud—the rise in scams, consumer protection, and how we train consumers to recognize when something isn’t what it seems. Fraud comes through phone calls, emails, and various digital channels, and as startups, we need to focus not just on protecting consumers but also on protecting ourselves.

I don’t necessarily play in the stablecoin or crypto space, but that’s going to be a major issue as well—particularly SEC vs. CFTC jurisdiction battles and how startups integrating payments with stablecoins create a robust compliance framework.

Rhonda:
Yeah.

Bert:
When I was at Payitoff, I worked in student lending, and I think we’ll see heightened focus on loan servicing and debt repayment—especially in California but more broadly as well. Who qualifies as a servicer? That’s going to be a big question.

Rhonda:
Yeah.

Bert:
And borrower communications—how lenders interact with borrowers, disclosures, and ensuring compliance in those areas.

Rhonda:
I love it because you’re touching on a lot of areas that people often only consider at a surface level. But when you start peeling back the layers, you realize how much more there is beneath the surface.

And you’re not just talking about fintechs—these issues apply across the board. At the end of the day, it all comes down to consumer protection.

And that doesn’t stop at the federal level. If federal regulators don’t act, states will pick it up. I’ve been feeling like, over the next six months, we’re going to see even more state enforcement stepping in where the federal government doesn’t.

Bert:
It really depends on what you do and what state you’re in. I’m in California, and I think people in New York probably feel the same regulatory pressure. It also depends on your business model.

Right now, I’m working with startups in lending—whether for high-net-worth individuals or people just trying to make student loan payments or pay their rent. The regulatory environment will always tend toward consumer protection, and rightly so. States are going to be very focused on protecting their citizens from abuse.

That’s a really good point. Coming from a federal regulatory background, I naturally see things from that perspective. But since you’re living it day to day, you probably see state enforcement trends much more clearly.

Rhonda:
For sure. It doesn’t feel like things are letting up anytime soon.

Bert:
No, definitely not. No matter what you’re doing today, you need to do more of it—or do it better.

As a fintech, you can’t rely on your bank to handle compliance for you. In fact, banks are increasingly relying on fintechs to ensure compliance. If you’re working with a bank that has relatively lax oversight, that doesn’t mean you have a lower obligation.

In fact, you can make your bank look great in the eyes of regulators by strengthening your own compliance program. I’ve seen a trend where partner banks are increasing testing and reporting requirements, and when I push back and ask if we can scale things down a bit, the answer is almost always no.

But instead of seeing this as a burden, fintechs should see it as an opportunity. The stronger your compliance program, the more proactive you can be—offering reports to your bank before they even ask.

Rhonda:
Yeah.

Bert:
Or at least increasing the frequency of reports. If they’re asking for data quarterly, maybe you start providing it monthly.

Now, I generally believe in answering only the question asked and not offering more information than necessary—which you wouldn’t guess from this podcast! But when it comes to building trust with your partner bank, proactivity matters.

I can’t imagine banks won’t start dropping risky fintech clients in the near future. Fee income is great, but risky income in this environment is not.

Rhonda:
Very true. That was a great conversation.

Before we wrap up, I always ask our guests: Do you have a secret superpower you’d like to share?

Bert:
I have several.

Rhonda:
Superman!

Bert:
First and foremost—modesty.

But seriously, I think my biggest strength is bridging the gap between compliance, strategy, and innovation. I bring a broad perspective, and if I’m only being used for one of those things, I’m not being fully utilized.

I also think like a regulator and execute like an operator—which is key in fintech.

Another superpower? Making compliance less intimidating. Many people in fintech are young, fresh out of college, and eager to do things the right way. Fear-based compliance isn’t effective—approachability is.

I focus on training, open office hours, and being available—especially in remote environments. Compliance isn’t just about saying no—because “because I said so” doesn’t work past the age of four.

Rhonda:
Not at all.

Bert:
When I was in law school, I got a 20-page handout titled “A Lawyer is a Teacher”—and that’s exactly what a good compliance officer does.

Another superpower? Explaining the “why.”

It’s not just, “Do this because the bank wants it.” It’s, “Here’s why this matters.”

For example, some companies think they should process adverse actions at the end of the month. But that’s risky, because some months have more than 30 days—and per 12 CFR 1002.9, you can’t exceed 30 days.

One of my engineers once said, “Why don’t we just do it in three days?” And that’s exactly the right thinking—it’s not that you must wait 30 days, you just can’t exceed 30 days.

I know I’ve done my job when people come back to me later and say, “I remember that training, and we adjusted accordingly.” That’s when you know compliance is embedded in the company culture.

Rhonda:
Absolutely. And when you build trust, people seek you out instead of avoiding you.

I used to love when my marketing team would track me down before launching something—because they wanted my input early. That’s how you know compliance is working.

Bert:
That reminds me of two things.

One of the core principles at a startup I worked at was:

“Seek to understand before making yourself understood.”

I’ve fully adopted that mindset. If you want to give an answer before you understand the question, you’re not actually answering the question—you’re just talking.

That ties into approachability and active listening. If companies hire compliance professionals but don’t listen to them, it’s a waste.

Compliance professionals—whether leaders or individual contributors—are part of a team. What we do matters, and our voices deserve to be heard.

Rhonda:
Yes, I love that. That’s going to be a quote!

Bert, thank you again for taking the time to join us today on the COMPLY Podcast. To our listeners, I hope you all took away some great insights from our conversation.

Bert, you’re always welcome back, and we look forward to talking with you again soon!

Bert:
I appreciate it. Thanks for having me—I hope this was worthwhile for everyone.

Rhonda:
I always enjoy talking to you, my friend. We’ll definitely chat again soon!

Rhonda:
Thanks for listening to this week’s episode of the COMPLY podcast! As always for the latest content on all things marketing compliance you can head to performline.com/resources. And for the most up-to-date pieces of industry news, events, and content be sure to follow PerformLine on LinkedIn. Thanks again for listening and we’ll see you next time!

Rhonda McGill Senior Director of Customer Marketing
Rhonda spearheads the company’s customer experience and outreach strategies to ensure client satisfaction and drive loyalty.