Azba Habib, Chief Compliance Officer at Corpay, shares how companies can stay ahead of changing regulations and even benefit from them.
In this episode of Smarter Payments by Corpay, host Brennan Robison, Director of Corporate Communications at Corpay, speaks with Azba Habib, Corpay’s Chief Compliance Officer, about the complexities of regulatory change management and how compliance can be leveraged as a competitive advantage.
Azba shares insights from her 20-year career in fintech, emphasizing that regulatory management is not just a piece of the puzzle—it is the puzzle. She outlines three key pillars of compliance: foresight (anticipating regulatory changes), translation (turning complex regulations into actionable steps), and execution (implementing changes effectively while aligning with business goals).
The conversation explores the challenges of operating in a fast-changing and fragmented regulatory landscape, including managing jurisdictional differences, maintaining strong banking and network relationships, and ensuring local expertise to navigate regional regulatory expectations. Azba also discusses the strategic importance of building robust compliance frameworks and how a well-executed compliance program can enhance a company’s reputation, foster trust with partners, and even create new revenue opportunities.
Key takeaways from the discussion include:
(Music)
Habib tease bite: Compliance can be a selling point and in some cases, when we find ourselves having to collect certain data sets or we find ourselves having to understand certain aspects of our customer, those are things that could potentially even be monetized.
Robison intro: In today’s dynamic business environment, regulatory changes are inevitable, so it’s important for companies not only prepare to comply but also to consider ways to adapt strategically moving forward. This is Brennan Robison… Director of Corporate Communications at Corpay. On this edition of Smarter Payments by Corpay, we’re joined by Azba Habib, Corpay’s Chief Compliance Officer, to help us unpack the daunting task of navigating regulatory shifts to protect and even benefit a company. Here’s our conversation.
Robison: Hi, Azba. Thanks for joining us.
Habib: Thanks for having me, Brennan.
Robison: So, before we get started, if you would give us a quick history of your professional background and what led you to the role of global chief compliance officer at Corpay.
Habib: Sure, so I always joke that I'm an attorney by trade and really a problem solver by practice. I've been in the fintech space for about 20 years, some time in private practice, then government, followed by a series of startups, and now I have the pleasure working for Corpay, which is a publicly traded company. And I guess over the course of that time, really, the role that I've had has been focused on two main components, I would say. The first being just advising my clients on navigating very complex and often pretty novel regulatory compliance issues. And the second part of it has typically been building programs that operationalize that advice. So, it's a lot more than your traditional legal function, that there has historically been a pretty heavy operational element to it.
Robison: And at Corpay, you report to the company's top attorney, the general counsel, correct?
Habib: That is correct.
Robison: And you both came from cabbage. Was that a coincidence?
Habib: We met at Cabbage and we worked together really, really well. And I think after he left Cabbage, he reached out, obviously after the non-compete period was over, and said that he had an opportunity for me. And it was very much within my wheelhouse of financial services and payments and really building programs. So, I think when you meet good people at work, you tend to just sort of bring them along with you for the ride.
Robison: Certainly. That's a Daniel Fishbein we're speaking of. So, in your role, you have many important responsibilities. Where does regulatory management fit into the mix? Specifically, what does the word compliance refer to in this context?
Habib: Sure, so often folks ask me that question of like where does it fit into the puzzle and I almost feel like regulatory management isn't just a piece of the puzzle, it's very much the puzzle itself because it really ensures that all the other pieces, whether it be risk management or product or customer service, even profitability, they all sort of have to come together in a way that keeps the company in the game without really sort of going out of bounds. And so that's really kind of how I think of regulatory management. As far as what does that mean in the context of compliance, it really boils down to, I would say, three things. First being foresight, second being translation, and then the last piece being execution. So, foresight would be very much about staying ahead of the regulations and anticipating the changes before they hit us. So, there are no surprises. There are resources lined up. There's budget lined up and we're prepared. And the translation piece is really critical because it's all about translating those sort of complex, lengthy regulations into practical, digestible, actionable guidance. Because that's really what the business is looking for. That's really our role is to translate those requirements in a way that makes sense for our business and in a way that our business can digest them. So, that's really the translation element. And then the last piece that I touched on was execution. And that really is about responsibly implementing the regulations in a way that aligns with our business goals and objectives, but also our risk tolerance. And so that part really requires an understanding of the business, an understanding of the risk tolerance, and really the ability to get things over the finish line through a large complex organization.
Robison: Drilling down a little more, payments is an industry that is quite regulated. What are some of the dynamics that you have to manage within Corpay's regulatory landscape?
Habib: That is a good question. There are typically a lot of very unique dynamics at play. Some you will see across other organizations. But there's multiple layers to it. So, I think the first and foremost that I think will resonate even with my peers is change. The volume of change and the pace of change. So, just the number of regulatory changes or even network changes that we're seeing and having to track and analyze for applicability and then implement. That volume has grown substantially over time and they're kind of coming at us pretty fast and furious. And the interesting thing is, if you look at the broader landscape of where we are with the Trump administration, all these changes that we've been implementing, it's very possible that we may find ourselves undoing the implementations within some period of time. So, it's really just being able to kind of stay nimble with the environment and make calculated decisions about where you want to invest and where there are uncertainties to where you want to maybe pause and reflect on how to go about making those changes. I think the other aspect of the change is it's just a very fragmented landscape. So, there's different regulations in different jurisdictions, even between state and federal, there's a lot of variability. So, really trying to make sure that you're understanding not just changes in a particular jurisdiction, but across all jurisdictions, because sometimes it may make sense to have sort of a centralized change management approach, and other times it might not, but having that vantage point at a 10,000 foot view is really important. The other piece of it would say is relationships. What I mean by that in the context of Corpay as a fintech is the relationships that are critical to our success. So, as a fintech we're by definition not a bank, which means we rely on bank partners. And as a fintech we by definition are not a payment network, but we still have to facilitate payments. So, how do we do that? Well, we have partnerships and relationships with banks and payment network providers. And we're really dependent on those relationships. And so, we have to comply with requirements in a way that is not only protective of our risks, but also insulates our partners from unnecessary scrutiny. And every bank partner is always concerned about unnecessary scrutiny, particularly one that comes out of their partnerships and their relationships. So, the interesting output of that is really that we may have regulatory requirements that don't apply to us directly, but we may find ourselves complying with them nonetheless because they apply to us indirectly by way of contractual pass-throughs from our partners. And so, you know, it's really about understanding the regulatory landscape as it applies to us, but also appreciating the contractual obligations we have, you know, relative to our partners to ensure that they are satisfied and pleased with the relationship and are going to continue to be our partners long-term. So, that's the other dynamic. Another one that I would mention, and this one would probably resonate pretty broadly, is just sort of the need for local talent and expertise. So, I think I touched on there's a volume of changes, and the geographic footprint we have is fairly global. So, we see changes across jurisdictions on a host of topics, whether it's financial crimes compliance, privacy, operational resilience, licensing. And so, as a global organization, we're constantly having to navigate these changes multiple times because they're happening in different jurisdictions and really appreciating the nuances of those jurisdictions and the laws and the enforcement preferences of those regulatory bodies. So, a lot of that ultimately boils down to us having to think globally but act locally. And so really having talented like boots on the ground, SMEs that understand the marketplace, the competitive landscape, the regulatory requirements, and of course the often unwritten regulatory expectations and industry norms. And so that's a dynamic that I've seen time and time again as the importance of having sort of that local expertise. And then lastly, not surprisingly, balancing the time and budgetary constraints, right? We've got finite resources and what often feels like infinite demands. So, that balancing act is a constant challenge. And I think the way we've typically gotten at it is we spend a lot of time planning on how to execute that we're really deliberate about our use of resources and the areas that we're focusing on to kind of get that greatest yield out of our efforts. And so really that planning, prioritizing, and pivoting as needed, because we are a very dynamic organization , is how we've handled the time and money constraints. But those high level would be the big themes and dynamics that we deal with daily.
Robison: Sure, you mentioned jurisdictions. California is well known for having more regulations than the average state. The California Consumer Privacy Act, for example, does complying with those rules, because you do business in California, have the effect of making you comply with them everywhere?
Habib: You know, it actually really depends on the regulation. So, sometimes from a user interface standpoint, it is easier not to add that complexity of creating a state-specific workflow because then you're having to sort of manage it on a state-by-state basis. So, depending upon the requirements and the expectations, sometimes we build to the highest common denominator and sometimes we isolate because we don't necessarily want to create a competitive disadvantage in other jurisdictions if those requirements, not so much privacy in this case, but there might be other sort of consent requirements or disclosure requirements that could make that sort of user interface really bulky. So, if we feel that it's something that is not required in other jurisdictions and could potentially harm the user experience, then we'll be really balanced in sort of isolating that requirement. But again, it's sort of a facts and circumstances analysis.
Robison: And globally, Corpay operates, customers in more than 100 countries. In the UA, EU rather, there's the General Data Protection Regulation. That's a whole different set of requirements, correct? How do you navigate that as well?
Habib: That is correct.
Yeah, so I mean, I think this kind of goes back to think globally but act locally, right? So, where there are sort of unique requirements, we have programs in place at the local level to comply with those. Obviously, there is a lot of spill over to other jurisdictions because you do have the residents of those jurisdictions and to the extent that you've got servers or people or data in a different jurisdiction you have to be very sensitive to the fact that the regulation may apply extra-territorially. So, I think really making sure that we have strong local programs, but then also understanding what the crossover impact is and what the jurisdictional nexus is that triggers that impact. I think that's an analysis work we're constantly finding ourselves doing and then being very deliberate about ring-fencing when we can if we don't feel like we're ready to operationalize some of those requirements outside of the jurisdictions in which they apply.
Robison: You mentioned the potential for change under the Trump administration. What specific changes do you expect as a result of the new administration?
Habib: I think one thing that we had already been seeing was a lot of legal challenges to regulations. We started to kind of see that with the Chevron case getting overturned and suddenly the regulatory agencies not having kind of the same deference they've historically had. So, I think we're going to see a continuation of that, of legal challenges. We may see some stays on certain regulations. We may see some peelbacks on certain regulations. And I think the challenging part is some of them are so operationally cumbersome that depending upon what those changes are, it may be challenging to make them within the existing deadline. So, I think in some cases we find ourselves just operating on the assumption that the regulation is going to come into place the way it was intended to, even if some of those things are peeled back because we don't have clarity around that and we won't have time to make those changes. But there are couple of things from a disclosure standpoint and from a data collection and reporting standpoint that we're still sort of waiting and seeing. But I haven't sort of stopped the gears on it because sometimes it's just really hard to adjust in time. So, we're going, we're proceeding cautiously, but we're certainly keeping an eye on any sort of major changes to the regulations that are in flux.
Robison: Sure. Could you share with us an anecdote where you have ushered in a regulatory change through an organization, whether it's Corpay or before, and was it successful and what made it so?
Habib: So, I think regulatory change management is probably one of the more complicated areas of our business. I think... One example I would say is as we recently implemented a number of state disclosure requirements around commercial financing, which is a little bit new and different. We'd seen a lot of those disclosure requirements in the context of consumer financing, but this is a little bit different because it's happening in the context of commercial. And I think what made it successful in terms of implementation was a couple of things. First, it was having the right experts involved from the very get-go. So, making sure we had outside counsel that was well versed in our business having the right in-house SMEs to understand what the regulation was all about and how it would impact us and Which lines of businesses would be impacted? The second piece was communication just being very clear with our different lines of business on roles, responsibilities, expectations Which products are in scope which ones are outside of scope if you're in scope how to begin outside of scope because there are exceptions with thresholds and volumes and things like that. So, the communication strategy at a cross-functional level was really important. And then the last part of it was kind of once you have an operating framework and you understand who's kind of responsible for what, keeping an oversight role of the execution piece and just continuing to serve in an advisory capacity. So, we were present in a lot of workshops with the business as they were mapping out new flows and they were mapping out the user experience and were constantly providing feedback, oh, you could collapse these two asks or you could flip this to a different page or this could be conditional. just constantly being involved and being an advisor outside of just telling the business this is what you need to do but really holding their hand throughout the process and giving them the opportunity to sort of riff with us a little bit. I think that was really helpful because it made for a better ultimate outcome.
Robison: So, beyond making sure a company is complying with regulations, how can a company take advantage of regulatory changes to their benefit?
Habib: Well, I think compliance done right is a branding exercise. So, it's really an opportunity to show your clients and your partners that you take their security, their privacy, their trust seriously. And if you do that well, that differentiates you from your competition. And I think that particularly when it comes to sophisticated clients, there is an element of robust compliance that they've come to expect that's part of their diligence process. A lot of our counterparties are banks. So, they are certainly looking for a organization that understands its compliance obligations and is able to execute on them pretty seamlessly and has the sort of resources, expertise, and frameworks in place to be able to do that time and time again, because the landscape is hardly static, right? So, I think presenting as that, presenting as a very attractive partner that the banks can rely on and delegate to and really even be clients of. Because we've got banks that are our partners and we've got banks that are our clients. And the reason we're able to kind of secure some of those high power relationships is really because we have a very mature program. So, I think, I always feel like compliance can be a selling point and in some cases, when we find ourselves having to collect certain data sets or we find ourselves having to understand certain aspects of our customer, those are things that could potentially even be monetized. So, really always looking at the compliance expectation with the business mindset of how could this be a selling point? How can this be monetized? How could this help with customer retention? Things that the business would care about because you're essentially showing up on their P &L, right, as an operating expense. So, to the extent that you can also show up in the revenue line, I think that can be really compelling. So, always kind of having that mindset as you go into understanding the regulation.
Robison: Well, as we wrap up our conversation, if you would share with the audience one or two key takeaways or best practices on regulatory change management moving forward.
Habib: So, I think this is something you've probably seen thematically throughout my answers, but this idea of thinking global but hiring local, you have to have local expertise to understand the regulations, the unwritten preferences and trends. And equally as importantly, they have those local relationships. And those relationships are important because a lot of the regulatory bodies are local, and they have expectations that are unique to that jurisdiction. So, we find ourselves a lot of times having global programs, but then also jurisdiction specific programs because there's an element of sovereignty there that those jurisdictions are expecting reporting relative to that jurisdiction specific disclosure. So, I think it's really hard to be able to do that effectively unless you have local talent that is in some jurisdictions is actually required so that's not even an option. But having that talent that can really be your front line and keep you informed of what's happening in that jurisdiction and what's to come is critical when you're operating at this scale at this level of volume and complexity. So, think global but higher local would be my first one. I think the other one would be investing in framework. So, I think it's really important to have a regulatory change management framework that you can sort of repurpose over and over and over. And it helps with sort of framing expectations. It helps people understand their roles and responsibilities and ensures that no critical steps are skipped. And I think the way I think about it is like really building a machine, right? Like let's make sure we build a really good machine because there's gonna be a lot of stuff coming into it and there's gonna be a lot of stuff coming out of it. And how good the stuff coming into it is translated and how good the product at the end is, is dependent upon how good that machine is. So, build a really good machine that can manage these expectation ns, you know, year over year, day of the eye day, month by month.
Robison: Very good. We appreciate your time and your insight. Azba Habib, Global Chief Compliance Officer at Corpay. Thanks, Azba.
Habib: Thanks Brennan.
That's it for this episode of Smarter Payments. Thank you for listening. Be sure to follow the show wherever you get your podcasts, so you don't miss an episode. Smarter Payments is a production of Corpay Incorporated, copyright 2025. I'm Brennan Robison. And we'll see you next time.