Section B · Technical core

Governance & Audit

Compliance partnership for payments PMs. Where AML, sanctions, scheme rules, licensing, and Travel Rule intersect with rail-product decisions — and how to design flows that survive audit.

Why PM owns this (even though there's a Compliance team)

You don't write the AML policy. You don't sign the MTL. But every product decision you ship either makes the compliance team's job possible or impossible. Senior payments PMs:

  • Know the AML / sanctions / scheme rules well enough to anticipate compliance questions in design.
  • Build the audit trail first, not last.
  • Have a standing partnership with Compliance, Risk, and Legal — not "consult once at the end."
  • Will halt a launch if compliance signoff isn't in place. Cheerfully.

AML, sanctions screening, transaction monitoring

The floor controls:

  • KYC — identify the customer at onboarding.
  • Sanctions screening — match against OFAC, EU, UN, UK, local lists, at onboarding and ongoing.
  • PEP screening — politically-exposed-person checks, EDD where applicable.
  • Transaction monitoring — rules and ML detecting suspicious patterns (structuring, smurfing, unusual jurisdictions).
  • Adverse-media screening — ongoing.
  • Source-of-funds / source-of-wealth — for higher-tier accounts.

PM hook: every new payment-rail launch must integrate into these controls. Adding PIX in Brazil means PIX events flow into transaction monitoring on day one, with rules tuned to PIX patterns (instant settles, MED returns, recipient-name mismatches).

Travel Rule — the crypto-specific overlay

FATF Recommendation 16 — the Travel Rule — requires VASPs (virtual-asset service providers) to share originator and beneficiary information on crypto transfers above a threshold (often USD/EUR 1,000). Implementations vary by jurisdiction.

  • Protocols / networks: TRP, TRUST, Sumsub Travel Rule, OpenVASP — multiple competing standards.
  • Inbound & outbound: you must collect for outbound; verify when receiving inbound.
  • Self-custody wallets are the hard case — you typically need a wallet-attribution claim from the customer.
  • Threshold and exact data vary: EU TFR has different rules than UK FCA than MAS.

Knowing this exists puts you above the median candidate immediately.

Card scheme rules — Visa Core Rules, Mastercard Rules

The card schemes publish (lengthy, byzantine) rulebooks. Highlights you should be able to mention:

  • Acceptance categorization — quasi-cash MCC (6051) treated specially.
  • Surcharging rules — when and where you can pass on the fee.
  • Stored credentials — must flag a card-on-file payment with the right credential indicator.
  • Cross-border indicator — must accurately represent merchant country.
  • Dispute response timelines — fixed windows; missing them is a forfeit.
  • Excessive-disputes programs — VDMP (Visa), ECP (Mastercard); fines and forced de-platforming above thresholds.
  • Authorization integrity — Visa's AI program penalizes excessive declines/retries.

PCI DSS & scope reduction

PCI DSS governs how you handle cardholder data. Touching raw PAN puts you in highest scope — expensive audits, harder controls.

  • Scope reduction = the goal. Don't touch raw PAN.
  • Use vault / tokenization (PSP-hosted fields, iframe, or third-party vault like VGS).
  • Use network tokens from Visa/MC — they aren't PAN.
  • SAQ A vs SAQ D — your scope determines which Self-Assessment Questionnaire you complete.

Architecture decisions in design rounds: prefer iframe / hosted-fields over collecting PAN yourself. Tokenize as early as possible. Never log PAN.
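
As an added illustration of the "never log PAN" rule (example code written for this page, not from any PSP, vault vendor or the original author): a logging filter that finds Luhn-valid 13-19 digit runs in a message and truncates them to first six and last four before the record reaches a handler. `mask_pan`, `PanRedactingFilter` and `build_logger` are hypothetical names; the sample card number in the demo is a constructed, publicly known test value.

```python
import logging
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit reference number is not a candidate).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check: keeps order ids, timestamps and phone numbers out of the redactor's way."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run with first6 + '*'... + last4 (the
    conventional truncated display form); anything else is returned untouched."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return _PAN_CANDIDATE.sub(_sub, text)

class PanRedactingFilter(logging.Filter):
    """Attach to every handler so a PAN never reaches disk, even via %-formatted args."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pan(record.getMessage())  # render args first, then redact
        record.args = ()
        return True

def build_logger(name: str = "payments") -> logging.Logger:
    """Hypothetical helper: a logger whose stream handler redacts PANs before writing."""
    logger = logging.getLogger(name)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.addFilter(PanRedactingFilter())
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger

if __name__ == "__main__":
    log = build_logger()
    # Constructed sample; 4111 1111 1111 1111 is a well-known Visa test number.
    log.info("auth request card=%s order=%s", "4111 1111 1111 1111", "1234567890123")
```

The filter is a backstop, not the design: hosted fields and early tokenization keep the PAN out of your process in the first place, and this only catches what leaks past them.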

Licensing — MTLs, EMI, banking license

License | Geography | Note
MTL (Money Transmitter License) | US — state by state | Required in most US states; FinCEN MSB registration on top
EMI (E-Money Institution) | UK, EU | Authorises issuing e-money, payment services; capital requirements
PI (Payment Institution) | UK, EU | Lighter than EMI
VASP / CASP registration | Various (MiCA in EU, NYDFS in US, etc.) | Crypto-specific licensure
Local payment licensing | RBI PA/PG (India), BACEN (Brazil), BSP (Philippines) | Country-specific authorisations to operate payment services

Why a PM cares: launching into a new market often requires either a license or a sponsor partnership. Timeline and product surface area depend on which.

Local regulators — who watches each market

  • India — RBI (banking, payment systems); SEBI (securities); NPCI runs UPI under RBI mandate.
  • Brazil — BACEN (central bank, runs PIX); CVM (securities).
  • UK — FCA (financial conduct); PSR (payment systems).
  • EU — ECB, ESMA, national competent authorities; MiCA from 2024 onwards for crypto.
  • Philippines — BSP (Bangko Sentral ng Pilipinas).
  • Singapore — MAS.
  • Hong Kong — HKMA, SFC.
  • Nigeria — CBN.
  • Saudi Arabia — SAMA.
  • UAE — VARA (Dubai), ADGM/FSRA (Abu Dhabi).

SARs, CTRs, regulatory reporting

  • SAR — Suspicious Activity Report. Filed when transaction monitoring flags something compliance can't dismiss. Filed to FinCEN (US), NCA (UK), or local equivalent.
  • CTR — Currency Transaction Report. US, cash over $10k.
  • STR — Suspicious Transaction Report (non-US equivalent).
  • FBAR — foreign bank account reporting.
  • Regulator examinations — periodic, sometimes adversarial. You hand over evidence of what you did and why.

Implication for PM: data retention windows are non-negotiable (typically 5+ years AML data). Logs must survive cache eviction, ETL re-runs, and partner contract terminations.

Designing for audit

The single mindset shift: every decision must be replayable. If a regulator examines a flow 18 months from now, can you reconstruct:

  • What rules were active at the time?
  • What inputs the system saw?
  • What action was taken, by whom (human or system)?
  • What evidence supported the action?

Concrete PM moves:

  • Version every routing rule, fraud rule, mandate template. Don't mutate in place.
  • Log inputs and outputs at every decision boundary.
  • Surface human approvals as first-class events (timestamp, user, reason).
  • Retain raw event data for the AML window — at minimum 5 years, longer in some jurisdictions.
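
The four replay questions above, as an added example that is not from the original page: rule versions that are published and never mutated, an append-only hash-chained decision log that records rule version, inputs, output and actor at the decision boundary, and a replay that re-derives a past decision from the rule active at its timestamp. `RuleVersion`, `DecisionLog`, `decide` and `replay` are hypothetical names; the threshold rule and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class RuleVersion:
    """One immutable published rule version (hypothetical schema); a new threshold is a new version."""
    rule_id: str
    version: int
    threshold_cents: int
    valid_from: str  # ISO-8601 UTC; string comparison is valid for this fixed format

def active_at(rulebook: dict, rule_id: str, ts: str) -> RuleVersion:
    """rulebook keeps every version ever published, so 'what was active at t' stays answerable."""
    live = [v for v in rulebook[rule_id] if v.valid_from <= ts]
    return max(live, key=lambda v: v.version)

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DecisionLog:
    """Append-only, hash-chained log: each entry records rule version, inputs, output and actor."""
    def __init__(self):
        self.entries = []
    def append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "prev": prev, **fields}
        entry["hash"] = _digest(entry)  # covers prev, so rewriting history breaks the chain
        self.entries.append(entry)
        return entry
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def evaluate(rv: RuleVersion, amount_cents: int) -> str:
    return "HOLD" if amount_cents >= rv.threshold_cents else "RELEASE"

def decide(rulebook: dict, log: DecisionLog, txn: dict, ts: str, actor="system:tx-monitor") -> dict:
    rv = active_at(rulebook, "large_txn_hold", ts)  # one logged event per decision boundary
    return log.append(ts=ts, actor=actor, rule=rv.rule_id, rule_version=rv.version,
                      inputs=txn, output=evaluate(rv, txn["amount_cents"]))

def replay(rulebook: dict, entry: dict) -> bool:
    rv = active_at(rulebook, entry["rule"], entry["ts"])  # rule active then, not now
    return (rv.version == entry["rule_version"]
            and evaluate(rv, entry["inputs"]["amount_cents"]) == entry["output"])
```

A human override is recorded the same way: one more append carrying the actor, a reason and the seq of the decision it overrides, so it sits in the same chain as the system decision and verify_chain covers both.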

A clean interview line

"I'd build the audit layer before the auth layer. If you can't reconstruct why a decision was made, you can't defend it — and in payments you will be asked to defend it."