by Raul Tudor, Fractional Chief Technology Officer
Much of fintech commentary still frames risk as a purely technical concern: encryption standards, model accuracy, infrastructure resilience. Those things matter, but after building and scaling regulated financial systems, I’ve learned that the hardest risks to manage are organisational, not technical.
As CTO and co-founder of Raindrop, I was responsible for taking a product from early MVP through FCA authorisation and into regulated production use. Later, as Lead Engineer, I worked on one of NewDay’s most complex initiatives: its first move from closed-loop cards into open-loop payments using white-label infrastructure. In both cases, the biggest challenges weren’t a lack of tools or frameworks. They were about decision-making under uncertainty.
In early-stage fintechs, teams often optimise for speed, assuming compliance and security can be “added later”. In reality, regulatory expectations shape architecture from day one. At Raindrop, passing InfoSec and data privacy due diligence wasn’t a box-ticking exercise. It influenced how we designed data flows, auditability, incident response, and access controls. Retrofitting those concerns later would have been far more expensive than building with them in mind.
At NewDay, the complexity was different but no less instructive. Our initiative involved PCI compliance, cryptographic controls, third-party coordination, and close collaboration with AppSec and platform engineering teams. The technology itself was well understood. The risk lay in aligning multiple teams with different incentives, timelines, and threat models, all while delivering a system visible at senior leadership level.
What’s often underestimated is that fintech risk accumulates quietly. It emerges from unclear ownership, hand-offs between teams, and assumptions that “someone else” is covering a control. The most effective mitigation I’ve seen isn’t another tool, but clarity: explicit responsibility, shared understanding of regulatory impact, and engineering leaders who can translate legal or compliance requirements into practical system design.
As embedded finance becomes more widespread and infrastructure more commoditised, this gap will widen. The winners won’t be the teams with the most advanced technology, but those who treat regulation, security, and delivery as first-class product constraints rather than downstream problems.
In my experience, building resilient fintech systems is less about engineering brilliance and more about disciplined leadership, making the right trade-offs early, and revisiting them as the organisation grows.
