by mrshoe 3768 days ago
This story starts out reporting on a board ousting a CEO after a public scandal involving non-compliance with various laws, which incited multiple government investigations.

It then takes an abrupt turn and starts repeating everyone's favorite Silicon Valley trope du jour: the unicorn bubble is bursting, the fundraising environment is tightening up, and the halcyon days of multi-billion dollar valuations for everyone are over.

There's really no connection between the two.

5 comments

Successful startups all, and I mean ALL, have serious compliance issues. They probably do not realize their problems. Some actively try to avoid knowing, such as by shunning legal advice that may inform them of inconvenient obligations. Part of the going public and/or being bought out process involves measuring the rate of non-compliance.

A unicorn wants to go public, but that means first getting your compliance ducks in nice rows. The growing realization that unicorns are in fact very non-compliant pushes them towards the easier route of being acquired/merged. So there is a direct link between compliance and the very existence of unicorns.

> Successful startups all, and I mean ALL, have serious compliance issues.

This feels like a very hyperbolic claim. There are definitely high-profile examples of startups that had compliance issues and are struggling to bring them under control or remain in arguably grey areas (Zenefits is an example of the former, Airbnb the latter). But it's hard to imagine that it's a truly universal problem; many startups are in industries without heavy regulatory rules. Can you elaborate on what makes you believe this to be the case?

A successful startup is one that has grown rapidly in recent years. No growth = not successful, and not recent = not a startup. Any tech company that grows quickly starts bumping up against any number of compliance issues, both legal (i.e. HIPAA) and private (i.e. PCI). Today's growth curves don't keep pace with many of these regulations. As you expand laterally into new markets you constantly run into new obligations. And as you expand vertically (increased sales) you trigger new expectations, especially the PCI DSS. The chances of anything rationally called a startup having accommodated these things are astronomically low.

Ask any tech lawyer to list all the laws applicable to a startup. Bring a lunch. Until a company has devoted resources (i.e. a full-time compliance team including lawyers) and has a decade or so of experience with the relevant rules, imho proper compliance is a pipe dream. At best you can hope to keep the wolves away long enough to get whatever they want ready asap.

Anyone here working at a startup, just have a look at the PCI DSS, specifically the SAQ you are meant to fill out every year (if you handle credit cards). And this is basic compliance 101 stuff, no lawyers required.

https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merc...

All that being said, when your frickin business is selling HR stuff, you should be on top of compliance. Jesus.

They had people selling health insurance without a license. This isn't just a failure to sit through the "don't bribe foreign officials" training.

Isn't that why many companies are using Stripe and similar payment processors now?

https://support.stripe.com/questions/do-i-need-to-be-pci-com...

>> "Just go to your security settings and click on “View completed document”. We have pre-filled the documents for you."

Services like these are part of the problem. They can verify that the service they provide is compliant, but nobody can determine remotely whether or not you are compliant with something like PCI. You cannot outsource compliance. It is something you have to actually do.

And fyi these "iframe" services that allow a merchant to opt for SAQ-EP rather than the longer SAQ-D, that might be going away in the next couple years. Merchants may have to go with a full redirect, not a frame, if they want to wash their hands of chd.

Agreed... A very astute comment...

Things move quickly...and that's an understatement...

There is a fever that descends upon a team on the brink of hitting a "home run"...the push is incredible..

Do what needs to be done NOW, we'll clean up afterwards...so difficult to resist...

I imagine just about every company, startup or not, has compliance issues; it's just a matter of degree. (Then again, I am an environmental compliance consultant, so there's some selection bias in which companies I interact with.)

The qualifiers in "successful startup" and "serious compliance issues" make it hard to say whether the statement is objectively true or not, but I see two factors that probably exacerbate the problem for startups: regulations designed by established companies to thwart upstart competitors, and the "disrupt"/"move fast and break things" attitude that doesn't mesh well with red tape.

This is a startup that literally sells compliance services! The fact that SVers are dismissive of this is actually very troubling.

They have fallen into an ignorance trap. Too many think that all regulation/paperwork is just a pointless homage to entrenched power. They think it cool to bypass red tape. They think they know better. They forget that those silly lectures often contain really important information, that someone with far more experience than they decided that regulation was needed.

One tangential connection... Startup makes progress flouting the law, they hit a wall they can't overcome (get persecuted for). Uber has run the same risk (more lax laws), but approach was basically the same.

Correct. What went wrong at Zenefits and other places was failure to correctly execute the kind of submarine approach to compliance exemplified by PayPal. Lots of startups skate near the edge and sometimes get dinged by regulators. The question is whether you do it to excess and/or make yourself a target. Failure to navigate this can make you an ex-unicorn, but it says nothing about unicorns in general.

The obvious connection to me is that when the numbers are excellent, you have to do something pretty egregious to attract scrutiny. But when the numbers are ok or bad, suddenly people become much more interested in the details.

I note that the Zenefits CEO was ousted after missing targets and during a time when I think we can all at least agree that the industry is less exuberant. Maybe he would have gotten sacked anyhow, but missing the numbers sure didn't help him.

Possibly due to word count incentive