Compliance interview prep.

Coach persona: a senior payments + fintech compliance lead (CCO, BSA Officer, MLRO, or deputy) at a payments firm, PSP, acquirer, issuer-processor, neobank, BNPL, wallet, e-money / EMI, or money-transmitter.

What interviewers look for

  • Does the candidate frame compliance as a risk-based programme, design, surveil, investigate, escalate, document, not as 'I know the rule'?
  • Can they walk a BSA / AML or sanctions scenario front-to-back: KYC + screening + monitoring + investigation + SAR / STR / OFAC blocked-property report, with escalation pathways named?
  • Do they understand the consumer-protection perimeter (UDAAP + Reg E + Reg Z + Consumer Duty) as DECISIONS on marketing + disclosure + fees + dispute timelines, not just rule recital?
  • Are they fluent on the sponsor-bank + scheme + PCI posture, the BIN sponsorship lifecycle, scheme monitoring tiers, PCI-DSS scope, programme + audit cadence?
  • Can they think about licensing + the state MTL + EMI / API authorisation lifecycle, perimeter creep, new-product expansion, regulator engagement, not just box-tick?
  • Do they have an evidence + documentation instinct, every decision logged, every exception tracked, every regulator / sponsor / scheme touchpoint predictable + on the record?

Behavioural questions to expect

  1. Walk me through your CV.

    What it tests: Story coherence + deliberate compliance trajectory in payments / fintech. Teams want evidence of progressive regulatory scope (a rule -> a programme -> a regulator / sponsor relationship) and quantified outcomes (exam findings closed, SAR throughput, programme builds), not 'I worked on compliance projects'.

  2. Tell me about a compliance review, control gap, or regulatory response you owned end-to-end.

    What it tests: Ownership + judgment + documentation discipline. Tests whether the candidate frames a real issue with a specific risk, a structured investigation, an escalation decision, and a documented remediation, not 'I reviewed transaction-monitoring alerts'.

  3. Tell me about a weakness, a failure, or feedback you've received and worked on.

    What it tests: Self-awareness + judgment discipline. Cross-role canonical. Fake weaknesses downgrade immediately. In payments compliance the costly failures are escalating too late, clearing too quickly, over-relying on a vendor score, or being inflexible against the business when a risk-based call was needed; honesty about a real pattern, and what changed afterwards, is what scores.

  4. Why payments + fintech compliance, why not bank compliance, asset-management compliance, legal, or the front office?

    What it tests: Authentic fit for the payments compliance seat: real-time perimeter (BSA + AML + sanctions + UDAAP + scheme + PCI + sponsor-bank), product-launch cadence, regulator + sponsor + scheme triangle. Tests whether the candidate is drawn to the constraints specifically, not just 'I want a compliance job at a hot fintech'.

  5. BSA / AML + sanctions, consumer-protection, licensing + state MTL, scheme + PCI, or sponsor-bank oversight, which seat appeals, and why?

    What it tests: Genuine fit + grasp of how payments-compliance sub-functions differ. Tests whether the candidate has a reasoned preference rather than 'wherever you put me'.

  6. Why this firm?

    What it tests: Whether the candidate has done the homework. Bar: firm-specific evidence from the product, segment, regulatory perimeter, sponsor-bank posture, scheme standing, and people, not generic 'great fintech'.

  7. How would you describe this firm's compliance programme + regulatory perimeter in your own words?

    What it tests: Whether the candidate has internalised HOW the firm runs compliance, perimeter shape, sub-function org, sponsor-bank + scheme posture, programme cadence, not just that it 'has compliance people'. Tests whether they've read the licensing footprint, public enforcement, scheme placements, recent talks, and can speak to specifics.

  8. What recent regulatory programme or change has touched this firm, and how would you have approached it?

    What it tests: Whether the candidate follows the payments + fintech regulatory agenda (CFPB 1033 open banking / personal financial data rights, FedNow + instant-payment fraud risk, EU DORA + MiCA + PSD3 / PSR, UK Consumer Duty + mandatory APP-fraud reimbursement, AI Act obligations on algorithmic decisioning) and can frame the operational implications for a payments firm, not just name the rule.

Technical concepts to master

BSA / AML + sanctions fundamentals

KYC + CDD + EDD + UBO
KYC = identify + verify the customer at onboarding (CIP in US terms). CDD = the risk-rated baseline: understand the nature and purpose of the relationship, monitor it on an ongoing basis, refresh on a risk-based cycle. EDD = enhanced measures for higher-risk customers (PEPs, high-risk geographies, complex or opaque structures, cash-intensive or crypto-adjacent businesses): source of funds / wealth, senior-management approval, tighter monitoring. UBO = beneficial ownership: the FinCEN CDD rule requires each individual owning 25%+ of a legal-entity customer plus one individual with significant control; the UK (PSC register) and EU (AMLD) also use 25%, lowered for higher-risk cases.
Transaction monitoring + SAR / STR
Rule-based + model-based monitoring for typologies (structuring, layering + integration, money-mule patterns, trade-based laundering, crypto layering); alerts go to investigators who document a disposition; confirmed suspicion is filed as a SAR with FinCEN within 30 calendar days of initial detection (60 if no suspect is identified), with a $2,000 threshold for MSBs ($5,000 for banks), or as a SAR to the UK NCA / an STR to the EU member-state FIU 'as soon as practicable' (not a STOR, which is the market-abuse report under MAR). Tipping off is an offence, and decisions not to file are documented as carefully as filings.
OFAC + UK OFSI + EU sanctions screening
Screen at onboarding, on every transaction and on counterparties (originator, beneficiary, their banks, vessels, addresses) against the OFAC SDN + sectoral lists, the UK OFSI consolidated list and the EU consolidated list, and re-screen the customer base on every list update. Screening is fuzzy name matching, so most hits are partial and must be cleared or escalated against secondary identifiers (DOB, nationality, address, ID). A true match to a blocking programme: block (or reject) the transaction, hold the funds, and file the blocked-property / rejected-transaction report with OFAC within 10 business days; report to OFSI (UK) and the national competent authority (EU) under their equivalents. OFAC liability is strict, so the evidence of the screening control matters as much as the individual decision.
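A minimal name-screening pass over a constructed watchlist, added here as an example (not code from the page or from any screening vendor): it normalises party names, scores them against list names and aliases, and turns the score into a disposition. The list entries, the 0.50 / 0.90 thresholds and the disposition labels are assumptions for illustration; production screening also matches on DOB, nationality, address and ID attributes against the full OFAC, OFSI and EU lists. A 50% partial hit like the one in the drill further down the page lands in the HOLD band here: release is a documented investigator / MLRO decision, not something commercial urgency can force.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist with fictitious names (assumption: not real list entries).
WATCHLIST = [
    {"id": "WL-0001", "name": "Alvarez Trading Company",
     "aliases": ["Alvarez Trading Co"], "programme": "DEMO-BLOCKING"},
    {"id": "WL-0002", "name": "Global Maritime Logistics SA",
     "aliases": [], "programme": "DEMO-SECTORAL"},
]

# Legal-form and filler tokens that carry no identifying signal.
NOISE = {"ltd", "limited", "llc", "inc", "co", "company", "sa", "corp",
         "gmbh", "plc", "the", "of", "and"}


def normalise(name: str) -> str:
    """Fold accents and case, drop punctuation and legal-form noise, sort tokens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [t for t in re.findall(r"[a-z0-9]+", folded.lower()) if t not in NOISE]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """0..1 similarity of the normalised forms (stdlib ratio; vendors use Jaro-Winkler etc.)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def best_match(name: str, watchlist=WATCHLIST):
    """Highest score over every list name and alias, with the matching entry."""
    best_score, best_entry = 0.0, None
    for entry in watchlist:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = similarity(name, candidate)
            if score > best_score:
                best_score, best_entry = score, entry
    return best_score, best_entry


def screen(name: str, watchlist=WATCHLIST, review_at=0.50, block_at=0.90) -> dict:
    """Disposition for one party name. Thresholds are illustrative assumptions:
    >= block_at : treat as a true match -> block funds, escalate, report to OFAC
                  (blocked / rejected report due within 10 business days)
    >= review_at: HOLD for investigator review; commercial urgency does not release it
    otherwise   : CLEAR, with the score logged as evidence of the decision
    """
    score, entry = best_match(name, watchlist)
    if score >= block_at:
        disposition = "BLOCK"
    elif score >= review_at:
        disposition = "HOLD"
    else:
        disposition = "CLEAR"
    return {
        "name": name,
        "score": round(score, 2),
        "disposition": disposition,
        "match_id": entry["id"] if disposition != "CLEAR" else None,
        "programme": entry["programme"] if disposition != "CLEAR" else None,
    }


if __name__ == "__main__":
    for party in ["Álvarez Trading Co. Ltd", "Alvarez Maritime", "Jane Doe Bakery"]:
        print(screen(party))
```

The accent-folding and legal-form stripping are what make "Álvarez Trading Co. Ltd" score as an exact match rather than a partial one; the lower threshold is where false-positive volume is traded against missed matches, and where a programme moves it is a risk-based decision that has to be written down.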
Travel Rule + Beneficial Ownership + CTA
FinCEN Recordkeeping + Travel Rule: for transmittals of $3,000 or more the sending institution must collect, retain and pass on originator (and, where received, beneficiary) information to the next institution in the chain; a lower threshold expressly covering crypto (CVC) transfers has been proposed but the $3,000 rule stands until that is finalised. CTA = beneficial-ownership-information (BOI) reporting by reporting companies to FinCEN, a separate obligation from the customer-level beneficial-ownership collection under the CDD rule.

Consumer protection + UDAAP + Reg E / Reg Z + Consumer Duty

UDAAP. Unfair, Deceptive, Abusive
Dodd-Frank Sec 1031 + 1036: unfair = causes or is likely to cause substantial injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits; deceptive = a representation, omission or practice likely to mislead a reasonable consumer, and material; abusive = materially interferes with the consumer's ability to understand a term or condition, or takes unreasonable advantage of the consumer's lack of understanding, inability to protect their interests, or reasonable reliance on the firm. Reaches non-banks directly via the CFPB and sponsor-bank programmes via the bank's regulator; in practice it is applied to marketing copy, fee disclosure, dark patterns and dispute handling.
Reg E + EFTA error resolution
A consumer disputes an EFT (debit card, ACH, P2P / wallet transfer) within 60 days of the periodic statement showing it; the financial institution must investigate and determine within 10 business days (20 for new accounts) or, if it provisionally credits the account within those 10 business days, take up to 45 days (90 for POS, foreign-initiated or new-account transactions); results go to the consumer within 3 business days of completing the investigation and any error is corrected within 1 business day of the determination. Unauthorised-transfer liability caps ($50 / $500 / unlimited) turn on how quickly the consumer reported. There is no 30-day acknowledgement step in Reg E; that belongs to the Reg Z billing-error process for credit accounts.
Reg Z + TILA disclosures
Closed-end credit (including longer-tenor BNPL): APR, finance charge, amount financed, total of payments and payment schedule disclosed before consummation in the prescribed format, with the APR reflecting all finance charges (origination fees included), not just the note rate. Open-end credit (cards, lines): account-opening disclosures, periodic statements, change-in-terms notices. Advertising 'trigger terms': quoting a rate, payment amount or finance-charge term obliges the ad to carry the full set of disclosures. Right of rescission applies to certain home-secured loans only.
UK FCA Consumer Duty
Higher standard than TCF (Treating Customers Fairly): a consumer principle (act to deliver good outcomes for retail customers), cross-cutting rules (act in good faith, avoid foreseeable harm, enable customers to pursue their objectives) and four outcomes: products + services fit the target market; price + value are fair; consumer understanding is supported; consumer support is effective. Board-level accountability with a Consumer Duty champion and an annual board report on outcomes.

Card-scheme rules + PCI-DSS posture

Chargeback + fraud-to-sales monitoring tiers
Schemes monitor each merchant's dispute (chargeback) ratio and fraud-to-sales ratio monthly; the published ratios divide this month's disputes by the prior month's sales count, and enrolment requires a minimum dispute count or fraud-dollar amount as well as the ratio. Approximate bands: Visa's dispute and fraud programmes start at ~0.9% (standard) and ~1.8% (excessive); Mastercard's excessive-chargeback programme starts at ~1.5% (ECM) and ~3% (HECM). Breach = programme enrolment, escalating monthly fines, a remediation plan and ultimately termination; the acquirer / PSP is accountable to the scheme for its merchants' ratios and for its own portfolio-level numbers.
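A dispute-ratio monitor over constructed monthly counts, added as an example (not the page's material and not any scheme's published code). The tier thresholds are parameters modelled on the page's approximate figures, not a scheme's current published values, and both the ratio and the count condition must hold. The point it shows beyond the paragraph: because the schemes divide this month's disputes by the prior month's sales, a merchant whose volume swings can enter a programme on the lagged ratio while its same-month ratio looks healthy, or vice versa.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    min_ratio: float   # disputes / prior-month sales count
    min_count: int     # enrolment also needs at least this many disputes in the month


# Illustrative thresholds (assumption, modelled on the page's approximate figures,
# not a scheme's published values); ordered most to least severe.
TIERS = (Tier("EXCESSIVE", 0.018, 1000), Tier("STANDARD", 0.009, 100))

# Constructed monthly counts for one merchant: (month, sales_count, dispute_count).
HISTORY = [
    ("2024-01", 120_000, 700),
    ("2024-02", 100_000, 1_050),
    ("2024-03", 60_000, 1_100),
    ("2024-04", 200_000, 1_200),
]


def classify(ratio: float, count: int, tiers=TIERS) -> str:
    """Most severe tier whose ratio AND count thresholds are both met, else OK."""
    for tier in tiers:
        if ratio >= tier.min_ratio and count >= tier.min_count:
            return tier.name
    return "OK"


def run_monitor(history=HISTORY, tiers=TIERS) -> list:
    """Evaluate each month after the first the way scheme programmes do: this
    month's disputes over the PRIOR month's sales count. The same-month ratio is
    carried alongside to show how far the two diverge when volume swings."""
    out = []
    for (_, prior_sales, _), (month, sales, disputes) in zip(history, history[1:]):
        if prior_sales == 0 or sales == 0:
            raise ValueError(f"no sales volume to form a ratio for {month}")
        lagged = disputes / prior_sales
        same_month = disputes / sales
        out.append({
            "month": month,
            "lagged_ratio": round(lagged, 4),
            "same_month_ratio": round(same_month, 4),
            "tier": classify(lagged, disputes, tiers),
        })
    return out


if __name__ == "__main__":
    for row in run_monitor():
        print(row)
```

In the constructed April row the merchant's same-month ratio is 0.6%, yet the lagged ratio is 2.0% because March's sales were a third of April's; a compliance team that forecasts only on same-month figures will be surprised by the scheme's letter.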
PCI-DSS v4.0 scope + SAQ + QSA
Payment Card Industry Data Security Standard: 12 requirements, 250+ sub-requirements (v4.0 mandatory since 31 March 2024, future-dated requirements from 31 March 2025). Scope = every system that stores, processes or transmits cardholder data plus anything connected to or able to affect those systems; tokenisation, hosted payment fields and network segmentation are the scope-reduction levers. Validation depends on level and channel: lower-level merchants self-assess with the SAQ matching their integration (SAQ A for fully outsourced e-commerce, A-EP / B / C variants for partial integrations, SAQ D for everything else); Level 1 merchants and Level 1 service providers (most PSPs and processors) need an on-site assessment by a QSA (or a certified ISA) producing a ROC = Report on Compliance and an AOC for the acquirer / schemes.
BIN sponsor + Bank Service Company Act
Non-bank payments firms (programme managers, processors, issuer-processors) issue or acquire under a sponsor bank's BIN / ICA: the sponsor holds the scheme membership and is the regulated entity the schemes and prudential regulators hold accountable for the programme, so the fintech's AML, UDAAP and scheme controls are run to the sponsor's standards and audited by it. Under the Bank Service Company Act the fintech, as a service provider to the bank, is itself examinable by the bank's federal regulator. Sponsor oversight does not displace the fintech's own obligations (e.g. MSB registration and its own AML programme wherever it touches funds).
Network rules + reason codes + representment
Each scheme publishes operating regulations and a reason-code taxonomy (Visa dispute categories and condition codes, Mastercard reason codes) that fixes which evidence is compelling for each dispute type; a cardholder dispute generally has to be raised within 120 days, the merchant's representment / second-presentment window is 30-45 days depending on the scheme, and pre-arbitration then arbitration follow where issuer and acquirer still disagree. Missing a window forfeits the case regardless of merit, so deadline tracking is a control, not an admin task.

Licensing + sponsor-bank oversight

Licensing perimeter. MSB + MTL + EMI + API + CASP
US: FinCEN MSB registration (federal, within 180 days of starting business) plus state Money Transmitter Licences applied for and maintained through NMLS in nearly every state (Montana has none) and several territories, each with its own net-worth, surety-bond, permissible-investment and reporting rules, or an agent-of-the-payee / sponsor-bank structure where the fintech never holds funds. UK: FCA authorisation as a Payment Institution (API) or Electronic Money Institution (EMI), or registration as a small PI / EMI. EU: PI / EMI authorisation by a national competent authority under PSD2 / EMD2, passported across the EEA. Crypto: CASP authorisation under MiCA (EU), FCA cryptoasset registration (UK), state regimes such as the NY BitLicense (US).
Sponsor-bank oversight + BaaS programme cadence
The sponsor bank owns third-party risk for each fintech programme under the 2023 interagency third-party risk-management guidance, with heightened scrutiny since the recent BaaS consent orders: onboarding due diligence, then monthly / quarterly programme reviews covering KPIs, complaints, AML metrics, marketing approvals and open findings, with finding-closure deadlines, named escalation contacts, audit rights, and exit / wind-down clauses in the programme agreement. Expect to be asked how you would build the sponsor review pack and what you would escalate unprompted.
Three-lines-of-defence + independent testing
First line = the business and operations, which own and run the controls (onboarding, monitoring, disputes). Second line = compliance and risk, which set policy, oversee, challenge and report. Third line = internal audit, giving independent assurance to the board. External auditors, the sponsor bank and regulators sit outside the three lines and rely on them. Independent testing of the AML programme is one of the BSA programme pillars (for an MSB, 31 CFR 1022.210 requires an independent review at a frequency commensurate with risk, in practice annually), and the tester must be independent of the people who run the programme.
Regulator + sponsor + scheme engagement
Predictable cadence with each: regulator filings (FinCEN, state regulators via NMLS, FCA, EU national competent authorities) + examinations + remediation tracking; sponsor monthly / quarterly reviews + ad-hoc escalations; scheme registration + ratio reporting + audits. The senior bar is no surprises: every touchpoint scheduled, prepared for, minuted and followed up in writing.

Practical drills

  • This firm is launching a new cross-border remittance corridor from the US to a higher-risk geography in 90 days. Volumes projected at $20m / month, average ticket $400, consumer + small-business mix. Walk me through the BSA / AML + sanctions programme you'd build pre-launch.
  • A real-time screen flags a $480k cross-border payment to a high-risk corridor as a potential OFAC SDN match, a 50% partial-name hit on the beneficiary. The merchant is escalating commercial urgency (cargo on the dock). Walk me through how you handle it.
  • The marketing team submits a new BNPL landing page. Headline: '0% APR, no fees, ever.' Product: 4-payment Pay-in-4 plan (no interest, $7 late fee after 10-day grace); a longer-tenor 12-month plan at 19.99% APR + $30 origination fee on a $1,000 purchase. Walk through the review + run the numbers.
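Running the numbers for the BNPL drill, as an added example (not code from the page): an actuarial-method APR solver, which is how Reg Z Appendix J defines the APR (the rate that discounts the payment stream back to the amount financed), applied to both plans against the headline. Assumptions, labelled in the code: monthly payments on the 12-month plan, the $30 origination fee financed into a $1,030 note so the amount financed is $1,000, the Pay-in-4 instalments fortnightly, and the $7 late fee treated as an unanticipated late-payment charge, which Reg Z excludes from the finance charge. That exclusion keeps the Pay-in-4 APR at 0% but does nothing for 'no fees, ever', and the 12-month plan's APR is well above its 19.99% note rate once the fee is counted.

```python
def level_payment(principal: float, annual_rate: float, n: int,
                  periods_per_year: int = 12) -> float:
    """Standard amortising payment for n equal periodic payments at a nominal rate."""
    i = annual_rate / periods_per_year
    if i == 0:
        return principal / n
    return principal * i / (1 - (1 + i) ** -n)


def actuarial_apr(amount_financed: float, payments: list,
                  periods_per_year: int = 12, tol: float = 1e-12) -> float:
    """Annualised rate r * periods_per_year such that the payment stream, discounted
    at periodic rate r, has present value equal to the amount financed.
    Bisection on r in [0, 1]; present value is strictly decreasing in r."""
    if sum(payments) <= amount_financed:
        return 0.0  # nothing paid beyond the amount financed: no finance charge

    def pv(r: float) -> float:
        return sum(p / (1 + r) ** (k + 1) for k, p in enumerate(payments))

    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if pv(mid) > amount_financed:
            lo = mid   # discounting too little: the rate must be higher
        else:
            hi = mid
    return (lo + hi) / 2 * periods_per_year


# Constructed from the drill. Assumptions: the $30 origination fee is a prepaid
# finance charge financed into a $1,030 note, so amount financed = $1,000; the
# Pay-in-4 late fee is an unanticipated late-payment charge, which Reg Z excludes
# from the finance charge, so it leaves the APR at 0% but is still a fee.
PLANS = [
    {"name": "Pay-in-4", "amount_financed": 1000.0, "payments": [250.0] * 4,
     "periods_per_year": 26, "fees": {"late": 7.0}},
    {"name": "12-month", "amount_financed": 1000.0,
     "payments": [round(level_payment(1030.0, 0.1999, 12), 2)] * 12,
     "periods_per_year": 12, "fees": {"origination": 30.0}},
]


def review_claim(headline_apr: float, headline_no_fees: bool, plans=PLANS) -> dict:
    """Test a marketing headline against each plan's computed APR and fee schedule."""
    findings = {}
    for plan in plans:
        apr = actuarial_apr(plan["amount_financed"], plan["payments"],
                            plan["periods_per_year"])
        charges_any_fee = any(v > 0 for v in plan["fees"].values())
        findings[plan["name"]] = {
            "apr": round(apr, 4),
            "apr_claim_ok": apr <= headline_apr + 1e-9,
            "no_fees_claim_ok": (not charges_any_fee) if headline_no_fees else True,
        }
    return findings


if __name__ == "__main__":
    # Headline under review: '0% APR, no fees, ever.'
    for name, finding in review_claim(0.0, True).items():
        print(name, finding)
```

On these assumptions the 12-month payment is about $95.41 and the disclosed APR comes out near 25.7%, not 19.99%: the headline fails the APR claim on that plan and fails the fee claim on both, which is the finding the review memo has to carry back to marketing with the arithmetic attached.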

Smart-question anchors

  • Sub-function + scope, which compliance sub-function the role would own + the perimeter + escalation pathways
  • Programme + sponsor-bank cadence, review pack rhythm, finding closure, sponsor-relationship posture
  • Regulatory agenda. CFPB 1033, Consumer Duty, DORA, MiCA, PSD3 / PSR, AI Act exposure
  • Sanctions + financial-crime stack. KYC / IDV / screening / monitoring vendors, alert + investigator productivity
  • Licensing footprint. MSB + MTL + EMI + API + CASP perimeter + change-in-product expansion plans
