PocketPay is a fictional payments startup — one of ten companies we ran end to end through the live Bylaw system. It is deliberately scrappy: five thin, messy documents, the way a fast company actually looks before someone forces the issue. If you are racing ahead of your own paperwork, this one is for you.
PocketPay is a venture-backed fintech moving money — a wallet, a card program, a bit of lending, all riding on partner banks and a payment processor. It has product velocity and a tiny compliance footprint: five governing documents, written quickly, covering the basics and not much more. That is not negligence; it is the normal state of a company that has been busy building. The risk is that PocketPay’s obligations are those of a financial institution while its documentation is that of a seed-stage startup, and the gap between the two is invisible right up until a partner bank’s diligence team, a card network, or a regulator asks to see it.
What PocketPay wants is to keep shipping, keep its sponsor-bank relationships, pass the next funding round’s diligence, and not trip a regulator on the way up. What stands in the way is that it cannot yet prove the controls a money business is assumed to run — and in payments, “we are working on it” is not an answer a sponsor bank accepts.
What a payments company is actually being asked
PocketPay sits under a stack heavier than its size suggests. PCI-DSS governs how it touches card data. BSA/AML expectations apply the moment it moves money. State money-transmitter licensing imposes its own patchwork of bonding, reporting, and control requirements. GLBA safeguards and the CFPB’s consumer-protection lens both apply. Its sponsor banks pass their own regulatory weight downstream through partner-oversight programs that are, in practice, continuous audits. And the EU AI Act reaches PocketPay the instant it runs an AI fraud-scoring or credit-decisioning model on EU users — both are high-risk uses with logging and human-oversight duties attached. On top of all of it: the SOC 2 report every enterprise customer and partner now demands before signing.
Each of those asks the same underlying question — can you prove the control operated — and for a company with five documents and no continuous record, the honest answer at the start of the run was “not yet.” That is precisely why PocketPay was worth running: to show what the system does with a company that is under-documented for its risk.
Where the cracks were
With only five documents, the contradictions were fewer but sharper, and the silences were louder. The engine read the set and surfaced 44 items of orphan data — obligations gestured at but not governable as written — and a cluster of conflicts where the same rule was stated differently in two places. More important than what conflicted was what was simply missing: whole control areas a money business is assumed to operate had no documented rule at all. The system does not paper over that. It names the gap, in writing, and routes it for a decision rather than inventing a control nobody adopted.
Of thirty issues raised, twenty were ruled and recorded during the run; the rest were queued with owners. For a scrappy company this is the point — the review does not pretend you are further along than you are. It gives you an honest map of strong, fragile, and missing, which is the only useful starting line.
How Bylaw stepped in
We ran the office at PocketPay’s scale, not a bank’s. The five documents were cleaned into atomic statements, fitted to the governed template, and mapped to 25 live controls — small on purpose, because an honest 25 beats an aspirational 200. Each control is a plain sentence with one operator, one expected value, and the signal it reads. Contradictions went to the Ruling Guide for a human decision; nothing was mapped across an unresolved conflict; and nothing went live without the three-signature gate. The early evidence index landed at 53 — not a finished posture, but a real one, and a baseline that compounds the moment it starts running.
Crucially, the gaps did not become a lecture; they became a queue. PocketPay left the run knowing exactly which controls to write next, in what order, to clear a sponsor-bank review or a SOC 2 readiness check — with the evidence for the controls it already had already accumulating. And as with every company in the fleet, Bylaw held no PocketPay data; the record carries proof, never card numbers or customer records.
Testing tomorrow before it arrives
Even a five-document startup benefits from rehearsing the future, and PocketPay’s future is full of new rules. In the Simulation Lab we ran the five territory packs — California, Texas, New York, the EU, and Canada — against its controls, and ran an EU-expansion shock test that put the EU AI Act and GDPR against a fraud model it has not built yet but will. Each run returned a ledger of conflicts and ripple counts, which for a young company doubles as a roadmap: here is what breaks if you expand before you write these controls.
We also connected partners. PocketPay issued evidence-scoped keys to two counterparties — the shape of a sponsor bank and a processor — and ran partner-versus-company simulations where only evidence crossed: control sentences, verdicts, hashes, never raw data. Across its sessions PocketPay ran fourteen simulations and exercised an M&A diligence scenario both ways — useful for a company whose most likely exits are acquisition or a priced round, both of which start with someone reading your controls.
Proven, not asserted
Every action passed through the single audited door and chained to the one before it; by the reporting session PocketPay’s workspace held more than 150 chained audit records, verifying end to end, with export requests pending at the locked gate. The three independent audits re-checked PocketPay alongside the rest of the fleet — rebuilding the chain, proving the gate cannot be bypassed, recomputing every figure — and found no fabrication. The 52% pass rate is not flattering, and that is the point: it is true, and it is a starting line a scrappy company can actually run from.
What it looks like when the sponsor bank asks
Picture the moment that actually decides a fintech’s quarter: the sponsor bank’s oversight team sends its partner-due-diligence packet, or a card network requests evidence, or an enterprise customer’s security desk attaches a 200-line questionnaire to the contract. For a company with five documents and no record, that email is a wall — days of pulling screenshots, guessing at answers, and hoping the gaps are not the ones they ask about. Deals stall here, quietly, in security review rather than in the demo.
With even a small honest record running, the same packet is answerable. PocketPay’s lead opens the workspace, pulls the controls that exist, answers from the evidence instead of from memory, and — just as importantly — shows the roadmap for the controls still being stood up, with owners and dates. Reviewers do not expect a seed-stage payments company to look like a bank; they expect it to know exactly where it stands and to be moving on the gaps with discipline. A truthful 25-control record with a sequenced plan beats a vague claim of maturity every time, because the reviewer can verify the former and cannot trust the latter.
That is what turns governance from a deal-blocker into a deal-accelerator for a young money business: the company that can show its work — even partial work — keeps the conversation moving, while the one that scrambles gives the reviewer a reason to slow down. Starting the record early is the cheapest insurance a fintech can buy, because every day it runs, it proves a little more.
If this were your company
If you are scaling a money business ahead of your paperwork, you do not need to be shamed about it — you need an office that turns the gap into a sequenced plan and starts banking proof today. Hiring that function in-house is out of reach at your stage; embedding it through Bylaw is not, and it arrives fluent in PCI, money-transmitter expectations, sponsor-bank oversight, and the EU AI Act’s line on fraud and credit models. PocketPay is fictional so we could show the honest version — the gaps and all. The fastest way to see your own starting line is a governance review.
What crossed, and what never did
It is worth being precise about how the evidence for PocketPay was collected, because it is the whole difference between Bylaw and the tools that ask for your data. Bylaw never logged in and pulled records. It dispatched worker packets — small, single-purpose, read-only instructions — to the payment processor, the onboarding and KYC stack, the identity provider, and the cloud, each asking one question and returning one structured verdict: the operator, the expected value, the observed value, and a content hash. The reasoning happened on the other side of a wall, in a sealed engine reached with a key PocketPay controlled, working only over configuration and event state.
Between PocketPay’s environment and anything that left it sat the edge wall, which rejected every name, email, and identifier before it could cross — to us, to a partner, or into the audit trail. What crossed was proof: statuses, timestamps, and hashes. What never crossed was content — no card number, no transaction, no customer record. That is not a promise; it is the architecture, and it is why a worst case for Bylaw could never become a data breach for PocketPay or its users. The record is defensible precisely because it contains evidence of operation and nothing an attacker would want.
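To make the "evidence crosses, content never does" pattern concrete, here is an added illustration (written for this page, not Bylaw's own code or schema) of the three pieces the text describes: a worker-packet verdict with a content hash, an edge wall that rejects identifier-bearing fields before anything leaves, and audit records chained by hash so the whole record verifies end to end. The field names, the identifier patterns, and the sample verdicts are constructed assumptions.

```python
import hashlib
import json
import re

# Identifiers the edge wall is described as rejecting. Simplified, constructed
# patterns: email addresses and card-number-like digit runs (13 to 19 digits).
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    re.compile(r"\b(?:\d[ -]?){13,19}\b"),
]
GENESIS = "0" * 64  # assumed anchor for the first chained record


def make_verdict(control, operator, expected, observed, timestamp):
    """One worker-packet result: one question, one structured answer, one content hash."""
    body = {"control": control, "operator": operator, "expected": expected,
            "observed": observed, "timestamp": timestamp}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body


def edge_wall(verdict):
    """Reject a verdict whose fields carry an identifier; return it unchanged if it is clean."""
    for field in ("control", "operator", "expected", "observed"):
        value = str(verdict.get(field, ""))
        if any(p.search(value) for p in PII_PATTERNS):
            raise ValueError(f"edge wall rejected field {field!r}")
    return verdict


def append_record(chain, verdict):
    """Chain an edge-wall-cleared verdict to the previous record via the prior record hash."""
    prev = chain[-1]["record_hash"] if chain else GENESIS
    record_hash = hashlib.sha256((prev + verdict["hash"]).encode()).hexdigest()
    chain.append({"prev": prev, "verdict": verdict, "record_hash": record_hash})
    return record_hash


def verify_chain(chain):
    """Recompute every verdict hash and every link; any edit anywhere breaks verification."""
    prev = GENESIS
    for rec in chain:
        v = rec["verdict"]
        body = {k: v[k] for k in v if k != "hash"}
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != v["hash"]:
            return False
        if rec["prev"] != prev:
            return False
        if rec["record_hash"] != hashlib.sha256((prev + v["hash"]).encode()).hexdigest():
            return False
        prev = rec["record_hash"]
    return True
```

A verdict whose observed value is a status such as "enabled" passes the wall and joins the chain; one that smuggles an email address or a card number is rejected before it can be recorded or shared.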
Why this matters now
The reason to do this now, rather than after the next audit, is that proof cannot be reconstructed backward. You cannot retroactively show that a control operated last quarter if no one was recording it; the evidence either accrued or it did not. A continuous record is the one compliance asset that is strictly more valuable the earlier it starts, because it compounds — every day it runs, it proves a longer period.
The deadline pressure is real and specific. The EU AI Act’s high-risk obligations are phasing into force through 2026, and for a fintech the exposure is concrete the moment an AI fraud- or credit-scoring model on EU users is in play: logging across the system’s lifetime, demonstrable human oversight, and post-market monitoring — all of them evidence duties, not policy statements. Add the frameworks already on the table and the enterprise buyers who enforce them faster than any regulator, and the company that started keeping the record is simply ready, while the one that waited is assembling screenshots against a clock. That is the whole argument for starting before you are asked.
We’re ready to step in.
Every figure in this study came from the live system, run against a company built to look like a real one. The fastest way to see where your own proof stands — strong, fragile, and missing — is a structured governance review. No data required; findings in weeks, and yours to keep whatever you decide.