top of page
Talk To Shan

GROWTH CREATES THE RECORD

  • Writer: Shan Potts
    Shan Potts
  • May 25
  • 6 min read

How a Prosecutor Reads a Founder’s Record — and What to Build Before They Do



The Core Problem


In regulated markets, growth does not remain just a business objective. Growth behavior becomes a legal record.


That record — investor decks, board updates, internal communications, financial controls, data practices, compliance decisions, product claims — may later be reviewed by a prosecutor, regulator, plaintiff attorney, investor, acquirer, judge, or jury. When that happens, the question is no longer what the founder meant. The question becomes what the record can be made to mean.


The issue is not what the founder meant. The issue is what the record can be made to mean.

This is the risk that founders and investors in regulated markets consistently underestimate — not because they are acting in bad faith, but because they are focused on growth, and growth feels like building. It does not feel like evidence.


But in fintech, AI, cybersecurity, health tech, crypto, payments, digital identity, and enterprise compliance, ordinary operating behavior — metrics, investor updates, fund movements, data access, compliance decisions — can be reconstructed after the fact as knowledge, recklessness, misrepresentation, or intent.


That reconstruction follows a predictable path:


Facts become records. Records become narratives. Narratives become persuasion. Persuasion becomes exposure.

Why Good Faith Is Not Enough


Many founders are genuinely acting in good faith. They have outside counsel. They have a compliance program. They have data-security tools. They feel covered.


They are not wrong to have those things. But those functions share a critical limitation: they are generally looking at what the law requires today. None of them are trained to ask the question that matters most in a crisis:


If the facts turn bad, can this company defend how it grew?

That question comes from a different discipline — one that most founders and investors have never had applied to their company while they still had the ability to shape the answer.


The Appellate and Criminal Defense Lens


Appellate work teaches a specific discipline: you learn to read a record the way an adversary will. By the time an appellate court reviews a case, the facts have been organized, the exhibits admitted, the sentencing record built. The story has already been told. The only question is what the record supports.


Criminal defense deepens that discipline. In criminal defense, you learn how the government builds a theory from ordinary facts — how internal communications become evidence of knowledge, how missing controls become evidence of recklessness, how an optimistic investor statement becomes evidence of misrepresentation, how a licensed professional’s participation can be reconstructed as legal cover for a criminal enterprise.


The government does not need the founder to have been malicious. It only needs the record to support a theory of knowledge, recklessness, willfulness, or intent. In regulated industries, that record is often sitting in the company’s ordinary operating files.


What No Compliance Firm and No Standard Engagement Provide


Outside counsel answers legal questions. Compliance firms build programs. GRC and cybersecurity platforms manage systems. White-collar defense counsel responds after allegations arise. Appellate counsel works with a record that is already closed.


None of those functions apply the criminal defense and appellate reconstruction lens to the company’s growth record in real time — while there is still the opportunity to shape what that record says. That is the missing advisory layer.


What the Record Shows: Five Cases


Five recent cases illustrate how ordinary growth behavior becomes legal exposure. In each case, the conduct was experienced internally as pressure, speed, market entry, or product execution. In the hands of the government or a regulator, the same conduct was reconstructed as fraud, misrepresentation, willful violation, or criminal enterprise.


Case

What the Record Became

FTX / Bankman-Fried

Convicted after trial, 2023

(U.S. v. Bankman-Fried,

S.D.N.Y.)

Customer fund movements, related-party transfers, and founder control became the center of a wire fraud and securities fraud prosecution. DOJ alleged $8 billion in customer funds misappropriated. No financial segregation architecture. No governance constraint on founder discretion.

BitMEX / Hayes et al. Guilty

pleas, 2022 (U.S. v. Hayes,

S.D.N.Y.; CFTC Release No.

8270-20)

Offshore structure and partial user restrictions were insufficient to defeat U.S. Bank Secrecy Act charges. DOJ and CFTC alleged willful failure to maintain AML/KYC programs. U.S. touchpoints were not governed. Controls were not tested.

Wise / Wise US Inc. CFPB

Consent Order, 2025 (In re

Wise US Inc., File No. 2025-

CFPB-0004)

U.S. customer-facing fee disclosures, exchange-rate statements, and remittance processes became a consumer-protection enforcement record. CFPB found violations of the Electronic Fund Transfer Act and the Remittance Transfer Rule. What looked like product language was treated as regulated representation.

Frank / Javice Convicted after

trial, 2024 (U.S. v. Javice,

S.D.N.Y.)

Growth metrics used to support a $175 million acquisition became the basis of a wire fraud and bank fraud prosecution. DOJ alleged the company had fewer than 300,000 legitimate user accounts while claiming 4.25 million. No source-of-truth verification. No data-room governance.

Done / He & Brody Convicted

after trial, 2024 (U.S. v. He et

al., N.D. Cal.)

Telehealth platform scale, prescribing patterns, and revenue incentives were reconstructed as a conspiracy to unlawfully distribute controlled substances. Licensed professionals were present but not structurally independent from the revenue model. Clinical judgment was not protected from platform pressure.


Different industries. Different legal theories. The same structural lesson: when growth outpaces Control Architecture, the company may lose control over the meaning of its own record.


What Control Architecture Does


Control Architecture is not a compliance program. It is not a software platform. It is the advisory function that applies the criminal defense and appellate lens to a company’s growth record before that record is tested.


A Control Architecture review examines whether the company’s growth model, representations, controls, records, and operating behavior can withstand hostile reconstruction by a prosecutor, regulator, plaintiff attorney, investor, acquirer, sentencing court, or appellate court.


Control Architecture reviews whether the company can prove:


  • Financial controls protected customer funds and constrained founder discretion.

  • Data flows, AI usage, and sensitive information were governed at runtime.

  • Investor, customer, and partner-facing claims were verified before being made.

  • Legal and compliance functions had real authority — not merely advisory roles.

  • Metrics and data-room materials were supported by source-of-truth evidence.

  • U.S. market entry was preceded by jurisdictional exposure mapping.

  • Board reporting included risk — not only growth.

  • Regulated professional judgment was structurally independent from the revenue model.

  • Warnings were escalated and documented, not deferred.

  • The company’s record, reviewed adversarially, supports good faith — not recklessness


For Investors: The Question Traditional Diligence Does Not Ask


Traditional diligence confirms market opportunity, cap table, financials, contracts, intellectual property, and regulatory framework. It answers: Can the company grow?


It does not answer the deeper question:


Is this company building enterprise value — or is it building legal exposure that has not yet surfaced?

A company may be doing both simultaneously. Traditional diligence may not reveal that unless someone is specifically asking how the company’s conduct could later be reconstructed by a prosecutor, regulator, plaintiff attorney, or adverse investor.


Control Architecture is the advisory layer that answers that question — at pre-investment, at follow-on, at board participation, at acquisition, and at regulated-market expansion.


The Thesis


The purpose of Control Architecture is not to slow growth. It is to make growth defensible.

For founders: you may know your intent. But if the record does not support it, someone else may define it. Good faith must be documented, escalated, and built into the record in real time — not reconstructed after the fact.


For investors: the strongest time to protect the record is before the company is forced to explain it. Control Architecture gives investors and boards an early view of whether the company is building defensible growth — or accumulating exposure beneath it.


Growth creates the record. Control Architecture determines whether that record can be defended.

About the Author


Shan Potts is an attorney whose practice spans criminal defense, appellate advocacy, trial counsel, U.S. immigration, and crisis and regulated-risk advisory. His work sits at the intersection of prevention, exposure analysis, criminal defense, and appellate thinking. He advises founders, investors, and boards in regulated-scale environments on Control Architecture: building the record of responsible growth before an adversary defines it. He is currently involved in advisory work connected to a federal telehealth prosecution in the sentencing phase.


Founder & VC
$500.00
1h
Book Now

Comments

Commenting on this post isn't available anymore. Contact the site owner for more info.
bottom of page