EntrepreneurBible
All hubs

Business Model

Building in regulated industries

Regulation looks like overhead until you've built in an unregulated space and watched 10 competitors clone your product overnight. Done well, regulation is the strongest moat a startup can build. Done badly, it's an 18-month detour to a product nobody wanted. This hub is about doing it well — picking the sector, the licensing path, the partners, and the timelines that make a regulated business defensible.

Last updated June 1, 2026

Who this is for

Founders building in fintech, healthtech, legaltech, regulated AI, or any sector where regulators are part of the customer journey.

What you'll learn

  • Why regulation is a moat (and how to use it intentionally)
  • Licence vs partner vs sandbox — the three structural choices
  • Sequencing: when to pursue regulation vs when to validate first
  • The cost of compliance and how to budget for it
  • When the regulatory environment kills the business
Self-audit your legal readiness

Regulation as a moat — the strategic case

Stripe is the canonical example. Payments processing is regulated heavily; Stripe spent years building the compliance infrastructure (KYC, AML, fraud, money transmitter licences) before the API became their growth engine. Once it existed, every competitor who didn't have it had to either spend the same years OR build on top of Stripe. Both paths benefit Stripe.

Other examples:

  • Wise / Revolut (cross-border money transfer) — banking partnerships in every corridor.
  • Carta (cap-table management) — light regulation in equity record-keeping; broker-dealer licence opens secondary markets.
  • One Medical (healthcare) — licensed providers in every state; HIPAA-compliant infrastructure as the moat.
  • Lemonade (insurance) — direct insurance licences as the differentiator vs MGA-only competitors.

The strategic principle: regulation that increases the cost of imitation by years protects compounding growth. A 2-year regulatory moat means your competitors are 2 years behind permanently, not just 2 years behind today.

The corollary: don't pursue regulation in a market where it's not a moat. Selling a B2B SaaS productivity tool to law firms doesn't make you a regulated business; you don't get the moat. Selling legal-advice-generation that constitutes the unauthorised practice of law does — and the licensing cost is the moat.

License vs partner vs sandbox — three paths

Direct licensing — you become the regulated entity. Slowest, most expensive, strongest moat. Money transmitter licences in 49 US states cost ~$3-5M + 2-3 years. Banking charters cost more. Healthcare clinical licensing varies by state. Pursue when:

  • The moat is worth the time + capital
  • The regulatory expertise becomes part of the company's DNA
  • The product is genuinely the regulated activity (not just touching it)

Partnership — work through an existing regulated entity. Faster, cheaper, weaker moat (the partner is the moat). Examples: Wise initially partnered with banks; many fintechs partner with sponsor banks; insurance MGAs work under carrier paper. Pursue when:

  • You need to validate before committing to direct licensing
  • The partner adds genuine value (capital, distribution, brand) beyond just the licence
  • The regulatory burden of going direct would crowd out product development

Regulatory sandbox — apply for a time-limited regulatory exemption to test innovative products. Available in UK (FCA), Singapore (MAS), Australia (ASIC), and increasingly other jurisdictions. Pursue when:

  • The regulator is open to your category (less common in US)
  • You need formal regulator engagement as part of the product validation
  • The product is genuinely innovative enough to warrant a bespoke regulatory conversation

Most successful regulated startups eventually do all three: start in a sandbox or partnership, validate, then pursue direct licensing as the moat matures.

Sequencing, compliance budgets, and when to walk away

Sequencing: don't pursue licensing on day one. The licence is the moat once you have a product; without product validation, you're spending $3M on a permission slip for an idea you might pivot away from. Sequence:

  1. Months 0-6: validate without licence (sandbox, partnership, manual workarounds)
  2. Months 6-12: prove demand at small scale; collect data the regulator will want
  3. Months 12-24: pursue licence aggressively, in parallel with growing the proven product
  4. Months 24+: licence becomes available; switch motion; competitors who started later are now 2+ years behind

Compliance budgets: regulated startups under-budget compliance by 3-5×. Real costs:

  • Legal: $100k-$500k for initial licensing across multiple states / jurisdictions
  • Headcount: a Head of Compliance ($150-250k US) by Series A, often earlier
  • Tools: KYC/AML platforms ($30-100k/yr at scale), audit logs, monitoring
  • External audits: SOC 2 ($30-80k/yr), HIPAA assessments, PCI compliance
  • Capital reserves: many licences require minimum-capital deposits ($100k-$5M+ depending on jurisdiction)

Budget 15-20% of operating expenses for compliance through Series B. Below that, you'll either fall out of compliance or fall behind on product.

When to walk away:

  • The licence cost exceeds 2 years of expected revenue (the moat isn't worth it)
  • The regulator publicly signals hostility to your category (don't fight a regulator with their finger on the trigger)
  • Your business model requires regulatory exemptions that don't exist in your target markets
  • A larger incumbent has captured the regulator (regulatory capture is real)

Step-by-step action plan

Do these, in order

  1. 1Map the regulatory landscape for your product — agencies, licences, sandbox programs
  2. 2Choose the entry path: partner, sandbox, or direct licence
  3. 3Budget compliance at 15-20% of opex through Series B
  4. 4Identify the licensing path that becomes your moat by Series A
  5. 5Build the regulatory relationship early — regulators reward founders who engage transparently

Frequently asked questions

Should I get a licence or partner with a regulated entity?
Partner to validate; licence to scale. The partnership lets you build the product fast; the licence gives you the durable moat. Partnerships dilute economics but reduce risk; licences improve economics but require capital + time.
How does regulation affect fundraising?
Regulated businesses are easier to raise for once the regulatory path is clear — investors understand the moat. Before the path is clear, regulated startups are harder to raise (uncertain timelines). Get clarity on the regulatory route before fundraising the round that funds the licensing.
Do I need a Head of Compliance from day one?
Usually no, unless you're in a heavily-regulated space (banking, insurance). Most regulated startups hire a fractional compliance lead in year one and a full-time Head by Series A. Founders should personally own compliance until then — outsourcing this to a junior hire is dangerous.
What about international expansion?
Each jurisdiction is its own regulatory cycle. Don't expand to 10 countries on day one. Win one geography first, then expand to adjacent regulated regimes (EU member states share frameworks, so going from UK to EU is faster than UK to US).

Related resources

Founder Legal Checklist

Related tools

Legal Readiness Checklist
GDPR Readiness Checklist

Related courses

Fundraising Fundamentals

Related hubs

Startup Legal Setup

Educational orientation to the legal stack first-time founders actually need — entity, founder agreements, IP assignment, privacy, and when to call a lawyer.

Startup Fundraising

An operator's guide to fundraising — pre-seed, seed, and Series A milestones, deck structure, process, and the calculators you need.

Scaling a Business

What actually breaks as you scale — org, cash, customer types, hiring profile. The honest version, not the LinkedIn one.

Building a Healthtech Business

Building a healthtech business: HIPAA basics, FDA software-as-medical-device, clinical evidence, payer relationships, claims & billing, the regulatory cost curve.