Compliance-by-Design: Locking Requirements into Flows
Compliance becomes expensive when it’s added late. This is how I structure requirements early so the product stays fast, safe, and audit-ready.
Common failure
- Teams ship “happy path” flows without evidence trails.
- Later, compliance asks for logs/approvals/controls → rewrites.
- Ops starts doing manual work in spreadsheets → risk increases.
Approach
1) Convert compliance into product requirements
- What data must be captured?
- What actions require approval?
- What evidence must be retrievable later?
- What controls prevent misuse?
2) Build flows with “proof” built-in
- Immutable event logs for critical transitions
- Reason codes + attachments for manual actions
- Maker-checker for high-risk operations
- Search & export in backoffice
Design artifacts I create (as a PM)
- Product Boundary Doc: what’s in MVP vs not
- User Money Risk Doc: where money can break + safeguards
- Compliance Flow Checklist: data capture, evidence, approvals
Practical examples (generic)
- KYC state machine: pending → verified → rejected → re-review
- Withdrawals: risk checks + velocity limits + escalation path
- Manual adjustments: maker-checker + immutable audit entry
- User restrictions: reason codes + time-bounded bans
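The KYC state machine and the maker-checker plus immutable audit entry above, as an added example that is not code from the original post: legal KYC transitions are fixed in a table, the high-risk move to "verified" needs a checker distinct from the maker, and every transition is only recorded through a hash-chained append-only log whose tampering is detectable. The transition table, class names and reason codes are assumptions for illustration.

```python
"""Added example: KYC transitions gated by maker-checker and recorded in a
hash-chained audit log. Names and the transition table are hypothetical."""
import hashlib
import json

# Assumed KYC transitions (from the post's pending/verified/rejected/re-review
# states); any transition not listed here is refused.
TRANSITIONS = {
    "pending": {"verified", "rejected"},
    "rejected": {"re-review"},
    "re-review": {"verified", "rejected"},
}
HIGH_RISK = {"verified"}  # target states that require a second approver

GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, **fields}
        body["hash"] = _digest({k: v for k, v in body.items() if k != "hash"})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class KycCase:
    def __init__(self, user_id, log):
        self.user_id, self.state, self.log = user_id, "pending", log

    def transition(self, to, maker, reason_code, checker=None):
        if to not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"illegal transition {self.state} -> {to}")
        if to in HIGH_RISK and (checker is None or checker == maker):
            raise PermissionError("maker-checker: a distinct checker is required")
        # Evidence is written before state changes, so no transition lacks a trail.
        self.log.append(user=self.user_id, frm=self.state, to=to,
                        maker=maker, checker=checker, reason=reason_code)
        self.state = to
```

The log's `verify()` is what a backoffice export or an audit query would run to show the evidence trail has not been edited after the fact.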
Outcome
- Fewer late-stage changes because evidence paths exist from day 1.
- Ops can resolve issues without risky ad-hoc edits.
- Audits become manageable because data is queryable and consistent.