The most common hidden risk in early fintech isn't missing systems — it's systems that grew crooked and can't be fixed later. I designed a document management architecture with FCA audit logic at its core, scalable as the company grows, so anyone at any time can find the right version of the right document.
Almost every early company hits the same problem: Google Drive starts empty, people drop files wherever seems logical in the moment, and a few months later nobody can find "the latest version," new hires don't know which document to read, and when a regulator asks for something there's no clear answer about where to look.
In an FCA-regulated fintech environment, the cost of this is higher than most. During an audit, not being able to locate a document isn't just an efficiency problem — it's a compliance risk. My task: design the architecture properly while the company was still small, rather than trying to untangle a mess later.
Corporate & Legal and Compliance & Risk are isolated as separate top-level layers, ensuring regulatory documents are never mixed with daily operations files. When an auditor comes in, you can point directly to the relevant folder — no explanation needed, no searching required.
All files are named [YYYYMMDD]_[Category]_[Description]_[V1]. Anyone can sort by date and find the latest version immediately, with no memory required and no asking colleagues. Superseded versions move to Archive, keeping the active folders clean.
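A check for this convention over a folder listing, as an added example (not tooling from the original project). It assumes Category and Description contain no underscores, that a file extension may follow the version, and that the newest date (then the highest version) marks the active file.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed reading of [YYYYMMDD]_[Category]_[Description]_[V1]
NAME_RE = re.compile(
    r"^(?P<date>\d{8})_(?P<category>[A-Za-z0-9-]+)_"
    r"(?P<description>[A-Za-z0-9-]+)_V(?P<version>[1-9]\d*)(\.[A-Za-z0-9]+)?$"
)

def parse_name(filename):
    """Return the parsed fields, or None if the name breaks the convention."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    d = m["date"]
    try:
        day = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    except ValueError:  # eight digits that are not a real calendar date
        return None
    return {"name": filename, "date": day, "version": int(m["version"]),
            "key": (m["category"].lower(), m["description"].lower())}

def audit_folder(filenames):
    """Split a listing into active files, superseded versions and invalid names."""
    groups, invalid = defaultdict(list), []
    for name in filenames:
        doc = parse_name(name)
        if doc is None:
            invalid.append(name)
        else:
            groups[doc["key"]].append(doc)
    active, archive = [], []
    for docs in groups.values():
        docs.sort(key=lambda x: (x["date"], x["version"]))
        active.append(docs[-1]["name"])               # newest stays in place
        archive.extend(x["name"] for x in docs[:-1])  # the rest go to Archive
    return {"active": sorted(active), "archive": sorted(archive),
            "invalid": sorted(invalid)}

# Constructed sample listing, not taken from any real folder.
SAMPLE = [
    "20240105_Compliance_AML-Policy_V1.pdf",
    "20240312_Compliance_AML-Policy_V2.pdf",
    "20240201_Corporate_Board-Minutes_V1.docx",
    "20241340_Compliance_Risk-Register_V1.xlsx",  # month 13: invalid date
    "AML policy FINAL (2).pdf",                   # free-form name
]
```

Running audit_folder over an exported listing of the active folders shows which files belong in Archive and which names need fixing before an audit.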
PII and banking data: Viewer-only by default. External sharing requires Compliance Officer or CEO approval. Access control isn't about distrust — it's about ensuring that in a data breach or audit, the chain of responsibility is unambiguous.
Once the architecture was in place, every new document had a clear home. Nobody needed to ask "where does this go?" The Company Standards document (folder 00) became the single entry point for all new hires — onboarding no longer depended on oral tradition.
Alongside the folder structure, I built a Company Standards document covering remote work norms, communication standards, and conduct guidelines — giving the whole company a shared operational baseline.
Many people treat document management as admin work. In an FCA-regulated environment, it's risk management. When I designed this architecture, I wasn't thinking about how to make it convenient for three people today — I was thinking about whether it would hold up when we had 20 people and a regulator walked in.
"Designing from the future state and working backwards to the present is the thinking pattern I apply to every systems build — not just document architecture."
This future-back design approach is the consistent thread across all the systems I've built at NeroPay: design for the stressed, scaled, or audited version of the org — not just for the current comfortable state.