Interview with Dr. Max Steiger for COMPLY Magazine
Before joining Unzer, you spent many years in various compliance roles at Deutsche Bank. You joined Unzer around five years ago and are now Chief Compliance & Governance Officer. Looking back, what are the three achievements you are most proud of over the past five years?
One of our biggest achievements was clearly the fact that BaFin officially lifted the special supervisory mandate in September 2024. That decision showed that we had taken the right steps over the previous years. It gave the entire company tremendous momentum going forward.
To make that possible, we fundamentally elevated compliance at Unzer. We did not just improve systems and processes significantly, we also created clear structures across the entire company. That includes standardized processes, strong governance, and a consistent three lines of defense model. Examples include a completely redesigned merchant onboarding process with strict criteria, highly advanced transaction monitoring software, and more than €20 million invested overall in compliance and process optimization. In short, we made Unzer fit for the future.
And personally, the point I am most proud of is that we built a real culture of integrity. Technology and processes are important, of course, but what really matters is the mindset behind them. That is why it was so important to me that we did not just introduce more rules, but created a culture where compliance becomes a natural part of everyday business.
Through regular training on topics such as anti-money laundering, fraud prevention, and data protection, we strengthened awareness across the company. Our goal is for compliance not to feel like an obligation, but like a natural part of our DNA. And to further strengthen that foundation, our next step is pursuing ISO certification for our compliance system.
But one thing is also very clear: you are never finished. You always have to keep working on it. A strong compliance culture is and remains an ongoing management responsibility.
You once said: “Ideally, a football match should work even without a referee. My job is to empower the players, meaning employees, to act fairly and with integrity without constant supervision.” Compared to companies that focus heavily on control mechanisms, that is quite an innovative approach. Doesn’t it also create risks?
I have worked in compliance for more than twenty years. The compliance guidelines issued by the European Commission and national regulators run into thousands of pages. They are important, but they can never cover every possible situation.
In many cases, the rules are clear and decisions are straightforward. But very often, the actions of management teams, leaders, and employees have to be guided by integrity. Put simply: employees need to do not only what is legally permitted, but what is right. And you cannot create that mindset with more forms and more paperwork.
My experience is that this kind of culture is far more effective in the long run than pure control mechanisms. At Unzer, we focus on clear ethical guidelines and an open speak-up culture where employees not only understand what is right, but also feel comfortable raising concerns or conflicts.
Of course, there are still review and control mechanisms in place. In every well-run football match, you still have linesmen, video review, and clear rules of the game. We have strong monitoring systems, clearly defined compliance processes, and technical solutions to identify violations early.
But the core idea is this: the best decisions are not made because people fear sanctions. They are made because people genuinely believe they are doing the right thing.
At Unzer, governance and compliance appear to come together under your leadership. I have personally advocated for years for an integrated approach where governance and management systems are intelligently connected. Novartis, for example, refers to this as “integrated assurance.” Do you apply a similar approach in practice, and if so, what are the biggest challenges?
I completely agree with that approach. At Unzer, governance is not a rigid framework sitting next to compliance and risk management. It is an overarching system that intelligently connects all relevant steering and control mechanisms. Our goal is to ensure these functions do not operate in silos, but work together seamlessly.
A good example is our three lines of defense model. The operational business, especially sales, forms the first line of defense. We introduced clear merchant onboarding processes with defined exclusion criteria and implemented modern transaction and sanctions monitoring technologies.
In the second line, compliance, risk management, and information security work very closely together. Instead of isolated control mechanisms, we rely on a unified system with clear governance structures, standardized reporting lines, and an integrated risk management approach.
The third line, our internal audit function, then reviews whether these structures are actually working as intended.
At the same time, I am not solely responsible for every area. Internal audit and customer onboarding, for example, are overseen by our CEO. Sales is managed by our Chief Commercial Officer, and risk management is led by our Chief Risk and Transformation Officer.
That means governance, compliance, and risk management are not isolated functions at Unzer, but highly interconnected. At the same time, we deliberately distributed responsibilities across the management team to ensure a healthy checks-and-balances structure.
“Deregulation” has become a major topic in both politics and the media. Germany’s Supply Chain Due Diligence Act is often cited as an example, and some politicians have even called for suspending it entirely. In your view, are companies genuinely overwhelmed by modern compliance requirements? Or can these different requirements actually be implemented efficiently through integrated solutions?
Looking back, the compliance function has taken on an enormous number of additional responsibilities in recent years as a result of various national and international regulations.
Like you, I do see the risk that some compliance management systems simply become overloaded. That can affect not only efficiency, but also the actual effectiveness of compliance efforts.
At the same time, I also know companies that have successfully integrated this wide range of topics into their organizations in a way that creates real value. I often describe this as a “cockpit view.” When you look at different non-financial risks holistically, preventive compliance risk management can actually become much more effective.
The term “deregulation” is now also being used in connection with the EU’s recently announced Omnibus package. Europe was once proud of how consistently the Green Deal was being implemented, but now compromises are being made. How should we interpret this shift?
The original Green Deal was ambitious and fundamentally right in its intention: making Europe climate neutral by 2050. But over time, implementation became increasingly complex and bureaucratic, especially because of the extensive reporting requirements under CSRD and the EU Taxonomy.
Now we are seeing a shift with the Green Industrial Deal, which puts greater emphasis not only on climate goals, but also on competitiveness. From my perspective, that is an important and necessary step. Especially for mid-sized companies, bureaucracy can become a significant burden.
The Omnibus packages help reduce some of these hurdles without completely losing sight of the broader sustainability goals.
That does not mean companies should stop taking sustainability seriously. Businesses that truly care about the issue will continue integrating sustainability into their strategies regardless of legal obligations. At Unzer, that is very important to us.
Ultimately, the goal is to balance sustainability with entrepreneurial responsibility and market realities. That is why I see this development more as an opportunity than a step backward.
With its deregulation agenda, the EU also seems to be following the broader trend set by the new US president, who has already suspended several regulations. One of the first measures affected was the FCPA, whose enforcement Donald Trump paused by executive order. What impact could this have on compliance overall, considering the FCPA’s extraterritorial reach and the important role monitors have played in Europe as well?
From my perspective, the FCPA remains binding law regardless of how aggressively the US Department of Justice chooses to enforce it during a particular administration.
Misconduct that happens over the next four years can still be prosecuted under a future administration, and nobody knows what enforcement priorities the DOJ may adopt later on.
On top of that, there are already many anti-corruption frameworks outside the US, such as the UK Bribery Act or the World Bank sanctions system. Many companies covered by the FCPA are already subject to several overlapping anti-corruption frameworks. In fact, a temporary slowdown in US enforcement could even encourage other countries to strengthen their own anti-corruption measures.
For compliance teams, this is therefore not a period to relax. Quite the opposite. It is an opportunity.
Instead of focusing purely on enforcement, compliance can use this moment to emphasize ethics as a driver of integrity and long-term business performance. A strong ethical culture is about much more than risk management. It creates value. I firmly believe that.
When people work in an environment where integrity matters, and when they understand why ethical behavior matters, they generally make the right decisions. And that absolutely includes taking a strong stance against bribery and corruption.
Finally, one personal question. You studied business administration and completed a doctorate in finance. Looking back from today’s perspective, what educational background would you recommend to young professionals who want to become compliance officers?
I have heard this question not only from my three sons, but also from students I mentor and even former applicants.
Compliance is a cross-functional discipline. It is both highly challenging and incredibly important. That means you need a broad range of skills.
Personally, that is exactly what makes it so interesting. In compliance, you constantly move between business and legal topics. It is a narrow line to walk, but that is also what makes the field fascinating.
Whether someone starts with a business background or a legal one is ultimately less important. What matters much more is being willing to engage with both perspectives and think beyond your own specialization.
People who do that remain flexible, and in my view, that flexibility is one of the most important foundations for long-term success.