Compliance as a Journey: Ali Rathod-Papier on Being an Often and Early Strategic Partner

A conversation with Abir Liben.

As the Head of Financial Crime Compliance at Brex—and former Director at Barclays and secondee Legal Counsel to the National Crime Agency, Ali Rathod-Papier has worked across the United Kingdom and the United States on a range of financial crime, policy, risk, and compliance issues for nearly a decade.

I had a chance to sit down with Ali and discuss her career journey from banks to fintech, advice she has for others looking to dig into compliance work, and the impactful role AI may have on solving complex challenges alongside humans.

Tell me a bit about your background and career journey.

I started my career in London actually. I was an attorney at a white collar crime practice, around the time where Russian sanctions kicked off in 2014. It was an absolutely insane, almost terrifying, time. I was thrown in the deep end, working on very complex issues, which sparked my love of financial crime. One day we’re dealing with an oil company trying to figure out if it can continue operations in Russia, and the next I'm picking up a bribery and corruption investigation in the Middle East. I never thought I'd get to do interesting detective work as a lawyer, so it was a great start.

I got a call one day from a recruiter about a job at Barclays. At the time, I didn't want to go in-house, but when I met the team, they were lovely. The next thing I knew, I was trying very hard to get this job. I came in at a fairly junior level in the legal team and worked my way up over the years. I had a time where I was seconded to a UK government agency. It was the first time that the National Crime Agency – which is like the UK equivalent of the Financial Crimes Enforcement Network in the U.S. – had ever done a secondment into their legal department. I had the opportunity to work on  fascinating investigations and collaborate with international law enforcement partners while I was there. It was a great experience.

When I came back to Barclays, I was ready for a new challenge. That's when I fixed my sights on the U.S. As a dual citizen, I know that if you want to do amazing things with your career, the U.S. is the country to be in. I went through the process to get qualified as an attorney in the U.S., and around the same time, an opportunity came up to become the OFAC Officer for Barclays in New York in the compliance department to lead their sanctions and anti-corruption team in the Americas. I did that for a couple of years when Brex landed in front of me. I had someone who I worked with at Barclays who moved there. He said great things about the company. I thought, wow, this sounds like a fun new opportunity. I'm ready to move fast. I'm ready to leave a bit of the bureaucracy behind. Now, I'm the head of financial crime and Brex's BSA Officer. There are lots of interesting issues and challenges here now instead.

And can you share what OFAC or BSA Officers are for those who may not know?

For regulated financial institutions, they will appoint someone responsible for compliance with the Bank Secrecy Act Compliance Program, or BSA, which is the main money laundering law. The company will also need someone who is responsible for sanctions compliance, who can liaise with the Treasury Department, which has an arm called the Office of Foreign Asset Control, or OFAC, which is responsible for enforcing administration sanctions.

What surprised you through your career?

When I started my career, I always assumed people who are really successful always have a plan they execute perfectly. I've just realized that whenever you have a plan in your career, none of it ever really ends up working. So instead, I've tried to lead with, “What sounds like a fun thing to do next,” rather than, “Does this lead to my perfect dream job?” I've never been scared of taking on a challenge, and I think the things in my career that I'm most proud of have always been the hardest.

This is the advice I give to those who are junior. Your career is probably the longest single thing that you're going to do in your life. And no decision that you make is so permanent that you can't change it. Picking a certain job or a new practice area doesn’t preclude you from doing something else in the future.

Having transitioned from Barclays to fintech, I'd love to hear your perspective on some of the key things fintech founders should keep in mind on the compliance front, but oftentimes do not.

At Barclays, we call it a culture of compliance. It’s just ingrained into the institution. They've been through fines and regulatory challenges, so everyone just gets it. In fintech, I recently heard an internal comment from the business side along the lines of, “So when are we done with the compliance stuff?” As if it was just an ad hoc project, and that soon enough we'd all move on with our lives. It’s this misunderstanding with founders and within FinTech: compliance is seen as a destination, not a journey, and that you will do one thing and you'll be done with it and move on.

That’s why there’s often a lot of education. Compliance is an ongoing thing. We always have to invest in it, and if you're not, things start to slowly unravel. There's rarely a huge problem where everything breaks. It's gradual. Issues will start to creep in over time.

It's worth investing in compliance bit by bit, rather than ignoring it or doing it as a one-off. It keeps the company healthy, keeps it ticking, and preemptively avoids remediation work, where your engineers or your operations teams have to put in double the amount of effort. That doesn’t mean you can’t prioritize or be sensible with your resources, but there is a difference between that and ignoring the risks.

And look, this is a challenge anywhere. I had this challenge even at Barclays. The largest, most sophisticated institutions do not know how to bring compliance in during the early stages of a product cycle. We're there to give advice, we're there to help frame things when it's a significant risk, but we're also there to find ways to create solutions and support. We're all interested in the growth of the company and the company doing well.

Compliance is often, fairly or not, viewed as a growth inhibitor. What's your take? Are there opportunities for compliance to be a growth driver?

I have modeled my career, and my approach, on not being the person that says no all the time. Instead, I find solutions without taking a disproportionate amount of risk. If you have the right people in your organization, that should be how they can operate. You should be able to help in a way that doesn't make everything impossible. That's certainly not how you want to grow your business. Obviously, there are things that you have to take into account with certain risks or challenges. But there are usually ways that you can help figure out the right solution for the business and not be that inhibitor.

If you have a really good compliance team, they’ll pay for themselves in terms of the money they'll save you. I've seen situations where a company has really high fraud rates. That's a very immediate pain point. But if you can get to a point where you reduce your fraud rates and build controls and solutions, you're saving money immediately, and compliance teams can make that happen.

Looking at the ever changing financial crimes landscape, what are some key trends Heads of Compliance should be on the lookout for in today's market?

We just went through another banking crisis. The FDIC took over SVB, Silvergate and Signature Bank both failed. Hopefully we’ve seen the worst of it now, but that was a pretty crazy time in the market.

This kind of crisis actually creates opportunities for bad actors. Look at COVID: everyone was so confused, there was so much chaos, the government was trying to step in and do the right thing. Lots of loans were made to businesses across the globe to help prop them up. But we also saw huge amounts of fraud as a result. Companies just pretended they needed backing by the government. Fraud rates went up.

A similar thing is happening now. Money is moving quickly, customers are trying to open accounts or move significant amounts of cash to different institutions, and there's a lot of opportunity for things to go wrong. At some point during every crisis, regulators or external parties step back, take a look around, and look at what happened. Not only are they trying to understand how SVB failed, but what were the reactions in the market? Have we seen an increase in fraud? Have we seen an increase in financial crime? Where were the weaknesses, gaps, and issues that bad actors took advantage of?

AI is at the top of everyone's minds these days. Do you see any opportunities to leverage AI in the compliance world? How is AI changing the fraud or risk landscape?

Wherever you have processes that don't require a lot of human brain power, but are very burdensome, an AI is a really good place for that. Many financial institutions have been doing a form of intelligent automation for a while. For example, using machine learning for things like sanction screening to help with screening all transactions and customers against sanctions lists. Because you’re talking about potentially millions of payments, plus your customer base that needs to be routinely checked against these lists. It's a huge operational burden. But I think we're on the cusp of something revolutionary with tools like ChatGPT and I see a lot of enthusiasm to use this more.

For example, imagine using an AI or ChatGPT for your onboarding process. What if the machine requested information from the custom, digested it, compared that to publicly available information, and then asked the customer intelligent questions based on what it found? You can do really good due diligence with more consistency, better documentation, and less room for error. You've basically managed to hack customer onboarding in a way that doesn't require as many people and could be way better than your current automation.

What advice do you have for aspiring Heads of Compliance, especially those looking to work at the national level?

Ask what you think are really dumb questions. Most of the time the questions aren't dumb. I've not given good advice, or I've misunderstood the risk, because I didn't really understand the factual circumstances. I just thought, “Everyone else must know exactly what this is because they’re so much smarter than me. I am the idiot in the room.” That mentality meant I didn't actually ask a good question. Later I came to realize, “Shoot, if I just asked that question, I would've known this a month ago.” It takes curiosity and confidence to speak up, which is really good for anyone wanting to work in compliance.

Another phrase I'll borrow from someone I used to work with at Brex was “Be a builder and not an arsonist.” I really like that phrase because compliance shouldn't be about saying no, and laying down the law, and holding people to the policies. Sure, there's a lot of that, and you want to make sure you do the right thing for the company, but that doesn't mean that you can't facilitate the business and help.

Third, don't be afraid to be that strategic partner, that trusted advisor to people who are doing the building. You'll just make yourself so incredibly unpopular if you come in and rip months of work up because of one small compliance issue. I would hate that person if someone came and did that to my own work. Instead, be the person that facilitates and issue spots early, and then helps make things better.

What is the best advice you've ever received?

Two things come to mind. When I was starting off my career in a law firm in London, I trained at a firm that prided itself on being very good at writing. You weren’t hired unless you could draft very well. I went to this presentation once by one of the partners who was considered the best communicator in the firm, and he gave us some tips. One of the things he said was, “If your thinking is confused, your writing is confused.” It's so true. I give this advice to other people now who are junior, who are drafting a memo or something. I ask, “Do you understand this?” I’ll pressure test them, and often, they say, “No, I don't really get this.” I can tell because the way they’ve written this shows they don't really understand what's happening. And that's okay—but let's find out together so we both understand.

If you don't get it, and you're trying to advise someone on something you don't really understand, they will A) pick holes in your argument immediately, and B) you're probably not giving them the best advice. So ask yourself: do I understand this? Is this a good piece of advice? Can I actually explain it to a three-year-old? And if the answer is no, then there’s more work to do.

The second piece of advice connects to a book I read many years ago called Extreme Ownership by Jocko Willink and Leif Babin. The authors are two former Navy SEALs who discuss taking absolute ownership over your work. If something goes really well, then it's your team's win. Everyone around you did the work, everyone around you killed it. If something goes wrong, it's your fault. It doesn't matter if it was or not; take the blame and make yourself responsible. It's a hard thing to live by. We're all easy to point fingers, assign blame, but I think it’s very good advice. It's made me a better professional for trying to stick with it.