In the finance industry, internal control is often misunderstood as a rigid system designed to eliminate risk. But in reality, it’s much more dynamic. At its core, internal control is a set of processes that acts as a safety net—not to remove risk, but to allow for calculated, controlled risks.
Much like the net beneath a trapeze artist, internal control ensures the show goes on without catastrophe.
At Defacto, we’ve reimagined internal control from the ground up, leveraging automation to build a lean, scalable system. Here, I’ll share our journey, the philosophy behind our approach, and how we’ve set the new standard in compliance.
The team behind the system
Our internal control engine is a collaborative effort led by a diverse team:
- Myself (Jean-Eloi): As Head of Compliance, I bring expertise in designing business requirements and ensuring regulatory alignment.
- Marco: Our cofounder and Chief Technical Architect, responsible for implementing the technical infrastructure that powers our system.
- Charlotte: Our CFO and internal customer, whose vision and needs drive the priorities for the system.
Each of us plays a unique role, ensuring the system is not only robust but also embedded into Defacto’s broader engineering and risk workflows.
My experience: moving from banking to fintech
My career began in auditing processes in banking, where I learned the fundamentals of risk management. Back then, internal control meant working through manual, spreadsheet-driven processes. While effective, these systems were slow and prone to human error.
Later, I joined Qonto, where I built the Compliance, AML, and Internal Control functions from scratch. Here, I introduced automation alongside a fully staffed team of four, creating tools to complement people rather than replace them.
When I joined Defacto, I had the opportunity to take this approach even further. Instead of layering automation onto an existing manual process, we designed our internal control function to be automated and systematic from the start. This lets us stay lean and rely on a strong technical foundation while the team focuses on higher-value tasks.
Key benefits of our systematic approach
Defacto’s internal control engine isn’t just another compliance system. It’s built to be:
- Lean & scalable: We’ve minimized overhead while ensuring the system can grow with the business.
- Real-time: Unlike traditional systems that operate on a monthly or quarterly basis, ours provides daily visibility into key risk metrics. Our internal control committee has immediate visibility on processes to fix or controls to deploy.
- Highly accurate: Automation reduces the likelihood of errors, ensuring reliable data and insights.
- Well-integrated: Instead of being an adjacent process, our system is embedded within the workflows of our engineering and risk teams, driving better adoption and collaboration.
Building the system with iteration and innovation
Creating a scalable internal control system doesn’t happen overnight. At Defacto, we adopted an iterative approach:
- Start simple: We began with a no-code solution, using Google Sheets and Zapier to prototype the logic and workflows. This allowed us to quickly test ideas and refine the process.
- Automate thoughtfully: Once the logic was clear, we moved our back-office admin to Retool, and built an automated system. This transition ensured we weren’t just automating inefficiencies, but creating a truly optimized process.
- Embed the system: By integrating the system directly into the tools and workflows used by our teams, we’ve made it an indispensable part of our operations. It is super easy for anybody to turn a query into a daily control. Team members can also create a quiz-based control in 5 minutes using our back-office admin.
Modern compliance for a modern world
Compliance is too often seen as a cost center or burden. But at Defacto, we view it as a competitive advantage. By embracing automation, auditability, and systematic design, we’ve built a lean, scalable internal control engine that provides real-time insights, enhances accountability, and fosters collaboration across teams.
Here’s how embedding compliance into daily workflows transforms it from a regulatory necessity into a driver of efficiency, transparency, and innovation:
- Payments team: They use the system to monitor unreconciled transactions in real-time, setting thresholds to quickly identify and address discrepancies. This proactive approach ensures smooth financial operations and reduces the risk of errors, demonstrating how compliance tools directly impact daily efficiency.
- Risk team: They enforce that every loan originated runs through a configured set of checks in the system. This ensures the organization meets regulatory standards while also improving loan quality and reducing risks—making compliance part of the business's success strategy.
- Infrastructure team: They track vulnerability alerts from AWS in real-time and enforce resolution processes. This example highlights how compliance tools not only protect against risks but also empower the team to maintain a secure and resilient infrastructure.
And we’re eager to take it further, further automating the process as AI lending tools progress. For now, 20% of our controls are still performed by humans. AI will let us extend the scope of our internal control system, while enabling the team to focus on the most critical components of internal control.
As we continue to iterate and improve, our goal is to not only manage risk effectively but to set a new benchmark for what modern compliance can achieve. For fintech companies and partners navigating an increasingly complex regulatory landscape, this approach is not just innovative—it’s essential.