Compliance used to be a background concern for small businesses — something that was handled during account opening and then largely forgotten. No longer. Over the past decade, the compliance landscape for businesses that handle payments has expanded dramatically, creating a burden that is increasingly difficult for small and mid-sized operators to bear.

PCI DSS requirements, anti-money laundering regulations, sanctions screening obligations, data protection laws, payment services directives — the list of compliance frameworks that apply to a business accepting international payments grows longer every year. Each new requirement is individually reasonable. Collectively, they represent a weight that can overwhelm a business without dedicated compliance staff.

This is not a complaint about regulation per se. Strong compliance standards protect consumers, prevent financial crime, and maintain the integrity of the financial system. The problem is one of scale: the compliance infrastructure required to meet these standards was designed for large financial institutions, not for a five-person trading company with $500,000 in annual cross-border flow.

The Expanding Compliance Landscape

The compliance requirements that apply to a cross-border business have expanded along several dimensions simultaneously.

Anti-money laundering regulations have been tightened in virtually every major jurisdiction. The Financial Action Task Force continues to raise the bar for customer due diligence, beneficial ownership verification, and transaction monitoring. Implementation of these standards varies by jurisdiction, but the trend is uniformly towards greater stringency. The sixth EU Anti-Money Laundering Directive expanded the scope of criminal liability, whilst new beneficial ownership registers have created additional reporting obligations for businesses in many jurisdictions.

Sanctions compliance has become more complex as the sanctions landscape has fragmented. A business that processes payments involving multiple jurisdictions must screen against the sanctions lists of each relevant jurisdiction — the United States, the European Union, the United Kingdom, and others. The lists change frequently, and the consequences of a violation — even an inadvertent one — can be severe. The increasing use of sectoral sanctions and secondary sanctions has further complicated the compliance picture, creating situations where a payment that is legally permissible under one jurisdiction's rules may violate another's.

Payment services regulations, including the European Payment Services Directive and similar frameworks in other jurisdictions, impose requirements on businesses that provide or facilitate payment services. Even businesses that are not themselves payment institutions may be subject to requirements related to payment processing, fund safeguarding, and transaction reporting. The second Payment Services Directive (PSD2) introduced strong customer authentication requirements that affect every business accepting card payments online.

Data protection regulations, including the General Data Protection Regulation and similar laws in other jurisdictions, impose requirements on how businesses collect, store, and process personal data — including payment data. Cross-border data transfers are subject to additional requirements that vary depending on the jurisdictions involved. The invalidation of the EU-US Privacy Shield and the subsequent adoption of alternative frameworks have created ongoing uncertainty for businesses that transfer personal data internationally.

And then there is PCI DSS — the Payment Card Industry Data Security Standard — which imposes a comprehensive set of security requirements on any business that stores, processes, or transmits cardholder data.

PCI DSS Requirements for Card Programmes

PCI DSS is perhaps the compliance framework that causes the most anxiety for small businesses, because it is both mandatory and technically demanding. Any business that accepts card payments — which is to say, virtually every business that sells internationally — must comply with PCI DSS, regardless of size.

The standard comprises twelve core requirements organised into six categories: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management programme, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

For a large business with a dedicated IT security team, these requirements are manageable. For a small business without dedicated IT staff, they can be daunting. The self-assessment questionnaire — the compliance validation tool used by smaller merchants — can run to dozens of pages, and the technical requirements it references assume a level of security expertise that many small businesses do not possess.

PCI DSS version 4.0, which came into force in 2024, introduced additional requirements that further increase the burden on small businesses. These include enhanced authentication requirements, stricter controls on script management, and more rigorous penetration testing obligations. The new version also introduces a continuous compliance model that replaces the previous annual assessment cycle, requiring businesses to maintain compliance on an ongoing basis rather than merely demonstrating compliance at a single point in time.

The consequences of non-compliance are significant. If a breach occurs and the business is found to have been non-compliant with PCI DSS, the business may be liable for the costs of the breach — including forensic investigations, card reissuance, and fraud losses. The card brands may also impose fines or revoke the business's ability to accept card payments.

The Cost of Compliance for Small Businesses

The cost of compliance for small businesses is disproportionate — not because the absolute cost is higher, but because it represents a much larger share of available resources.

Financial cost: compliance requires investment in security tools, audit services, legal advice, and staff training. For a large business, these costs are a rounding error. For a small business, they can represent a significant percentage of operating expenses. A single PCI DSS assessment by a qualified security assessor can cost several thousand pounds — a material expense for a business with modest revenue.

Time cost: compliance activities — completing self-assessment questionnaires, implementing security controls, responding to audit requests, maintaining documentation — consume management time that would otherwise be spent on revenue-generating activities. For a business with one to fifteen employees, this time cost is particularly acute because compliance responsibilities typically fall on the principal or a senior manager.

Opportunity cost: the time and money spent on compliance is time and money not spent on growth, product development, customer acquisition, or operational improvement. This opportunity cost is difficult to quantify but is frequently cited by small business owners as the most frustrating aspect of compliance.

Complexity cost: navigating the overlapping and sometimes contradictory requirements of multiple compliance frameworks requires expertise that small businesses typically lack. The risk of getting something wrong — and the potential consequences of an error — create anxiety that further diverts attention from core business activities.

There is also a hidden mental health dimension. The constant pressure of compliance — the awareness that a single oversight could result in significant penalties, the never-ending stream of regulatory updates, the anxiety of wondering whether you have missed something — takes a toll on the business owner. This is rarely discussed, but it is a real cost that affects decision-making, wellbeing, and ultimately the sustainability of the business.

How Compliance Requirements Favour Larger Businesses

There is an uncomfortable truth at the heart of the compliance landscape: compliance requirements favour larger businesses. Not because the requirements are explicitly discriminatory, but because the infrastructure needed to meet them scales more efficiently for larger organisations.

A business with 500 employees can justify a dedicated compliance team, invest in compliance technology, and absorb the cost of compliance as a normal operating expense. A business with five employees cannot. The result is that compliance creates a barrier to entry and a barrier to growth that disproportionately affects smaller operators.

This dynamic is particularly problematic in international commerce, where the compliance burden is heaviest. Small and mid-sized cross-border businesses — the trading companies, project contractors, and service principals that form the backbone of global trade — face compliance requirements that were designed for institutions many times their size.

The practical consequence is that small businesses often adopt one of two strategies: they either under-invest in compliance, accepting the risk of non-compliance as a cost of doing business, or they over-invest relative to their size, diverting resources from growth and operations. Neither strategy is sustainable.

Managed Compliance Solutions

Managed compliance solutions offer a third path: accessing the compliance infrastructure of a larger organisation without the overhead of building it internally. These solutions take several forms.

Compliance-as-a-service platforms provide tools and services for managing specific compliance obligations — PCI DSS scanning, sanctions screening, transaction monitoring, and so on. These platforms reduce the technical burden of compliance but still require the business to manage the overall compliance process.

Outsourced compliance providers handle compliance activities on behalf of the business, from completing self-assessment questionnaires to managing audit responses. This approach reduces the time burden but may not address the underlying complexity of navigating multiple overlapping frameworks.

A managed business workspace that includes compliance as part of its integrated offering provides perhaps the most comprehensive solution. In this model, the workspace provider maintains the compliance infrastructure — PCI DSS compliance, AML procedures, sanctions screening — and the business operates within that infrastructure. The business benefits from the compliance capabilities of a larger organisation without the cost of building and maintaining them independently.

The advantage of this approach is that compliance is embedded in the operational infrastructure rather than layered on top of it. When compliance is part of the platform, the business does not need to think about it separately — it is simply how the system works. The disadvantage is that the business must operate within the constraints of the platform, which may limit flexibility in some areas.

The Risk of Non-Compliance

The risks of non-compliance are not theoretical. Regulators in major financial centres have significantly increased enforcement activity in recent years, and the penalties for non-compliance — whether with AML regulations, sanctions requirements, PCI DSS, or data protection laws — can be severe.

Financial penalties can reach millions of pounds for serious violations, and even minor infractions can result in fines that are material for a small business. Beyond financial penalties, non-compliance can result in loss of banking relationships, inability to process payments, reputational damage, and — in extreme cases — criminal liability for responsible officers.

The risk is compounded by the increasing scrutiny that small businesses face. Historically, regulators focused their enforcement efforts on large financial institutions, on the assumption that small businesses represented a lower risk. This assumption has shifted, and regulators in several jurisdictions now explicitly target smaller firms that may be vulnerable to exploitation by financial criminals precisely because of their weaker compliance controls.

The hidden cost of non-compliance is perhaps even more significant than the direct penalties. A business that experiences a compliance failure — a data breach, a sanctions violation, an AML lapse — faces not only the immediate financial consequences but also a long-term increase in compliance costs. Banks impose enhanced monitoring on businesses with compliance incidents, regulators require remediation programmes, and the business's risk profile is permanently elevated, resulting in more frequent reviews, higher processing costs, and reduced access to financial services.

Levelling the Playing Field

The compliance burden on small businesses will not decrease. If anything, it will continue to grow as regulators expand the scope and stringency of their requirements. The question for small cross-border businesses is not how to avoid compliance, but how to manage it efficiently enough that it does not consume the business.

The answer, increasingly, lies in shared infrastructure. Just as small businesses do not build their own data centres or maintain their own telecommunications networks, they need not build their own compliance infrastructure from scratch. Managed compliance solutions, compliance technology platforms, and integrated business workspaces provide access to compliance capabilities that would be prohibitively expensive to develop independently.

The playing field will never be perfectly level — larger businesses will always have more resources to devote to compliance. But the gap can be narrowed significantly through the strategic use of shared infrastructure and managed services. For small cross-border businesses, the imperative is to find the compliance model that provides adequate protection at a sustainable cost — and to implement it before a compliance failure forces the issue.

The cost of compliance will never disappear, but the cost per unit of compliance can be reduced dramatically through the right infrastructure choices. The businesses that recognise this — and act on it — will find that compliance becomes a manageable operational requirement rather than an existential threat.