Turn IT compliance into recurring revenue

Highly regulated industries such as manufacturing, healthcare and financial services must maintain strict compliance standards in order to operate. But many businesses take a “check-the-box” approach, doing only what is necessary to meet minimum requirements rather than building systems that can prove their compliance if questioned.

That approach can create serious risk. If regulators, auditors or law enforcement request documentation, companies must be able to demonstrate that their IT systems and internal controls meet all required standards.

Eugene Rutberg, managing partner at Ketra Group, helps companies build defensible IT controls while creating a recurring revenue opportunity for agents and ISO partners. Below, Rutberg discusses the risks of minimal compliance, how his firm helps companies strengthen their IT infrastructure, and how referral partners can benefit.

Why is a "check-the-box" approach to compliance risky?

The path of least resistance is to just check the box and keep your fingers crossed that the auditor doesn't discover something. And if they do find something, the attitude becomes - what's the minimum I can do to close out that finding? That's not a compliance posture. That's a gamble. The standards are written in a way where as long as you say you're doing something, it's generally accepted. But saying you're doing something and actually proving it are two very different things. When something goes wrong and someone asks for that data, are you able to provide it? That's the real test.

What kinds of problems can arise when companies only meet minimum compliance requirements?

The biggest problem is being unable to substantiate your compliance posture when it matters most. Auditors are there to verify that your controls actually work. But if law enforcement shows up because an incident was traced to your facility and they need logs for a specific date range showing who was signed into which workstations and when - that's a very different conversation. Minimum compliance gives you a passing grade on paper. It doesn't give you a defensible position when the stakes are real.

How does Ketra Group help companies move from basic compliance to building defensible IT controls?

What we do is make sure organizations are audit-ready at any point - not just when an audit is scheduled six months out. If an auditor shows up tomorrow, you should have the proof that you're doing the work you're supposed to be doing at the required intervals. The feedback we consistently get from auditors is, wow, we don't really expect any of this. But it's amazing because it actually proves you're doing the work. That's what sets us apart. We're not just advising - we go in and implement the tools and systems that make that posture real and sustainable.

What types of systems or documentation do companies need in order to prove compliance if they are audited or investigated?

At a minimum, organizations need reliable logging and monitoring systems that give you a clear view of your environment and critical events. But equally important is documented evidence that required checks are being performed on a regular, verifiable schedule — not just written into a policy that nobody looks at. The auditor may not be able to consistently verify what you say you're doing. We make sure you can prove it.

Beyond compliance support, what other IT services does Ketra Group provide?

Ketra Group was built specifically around compliance, but we bring over 27 years of IT consulting and implementation experience to every engagement. That means we don't just tell you what needs to be done — we can go in and do it. We're exclusively focused on IT. We're not going to fix your financial problems or your physical security concerns. But when it comes to IT controls - consulting, building, and maintaining the systems that keep you compliant and operationally sound - that's exactly what we do.

How do your services complement the work merchant services agents and ISOs are already doing with their clients?

Many agents and ISOs are already working with clients in finance, healthcare, and other regulated industries where compliance isn't optional - it's mandatory. These clients trust their agents. What we offer is a natural extension of that relationship. When a compliance or IT controls challenge comes up that the agent isn't positioned to solve, they introduce us. The agent strengthens their relationship with their client, and they create an additional recurring revenue stream without taking on any of the work themselves.

What does the referral partnership look like for agents and ISOs?

It's pretty straightforward. Agents refer clients to us, we handle everything on the compliance and IT side, and the referring partner earns a share of the recurring revenue for as long as that client is with us. We don't have a single customer in our portfolio where we bill per hour - that model doesn't work for what we do. Everything is recurring. So the referral revenue isn't a one-time thing. It continues for the life of the client relationship.

What type of recurring revenue share do you offer referral partners?

I'm happy to talk specific numbers directly with anyone who's interested. What I can tell you is these are not services where you walk away with a hundred dollars a month from your referral. There are good dollars behind it, and those dollars keep coming for as long as the client stays with us.

What kind of feedback have you received from agents who refer clients to you?

Referrals are an integral part of Ketra Group, and we retain every client we bring on - many of them for decades. That's not something that happens by accident. Referral partners can count on happy customers and a revenue stream that doesn't disappear after the first invoice. When you refer a client to us, you're not just solving a problem for them once. You're building something that pays you back for years.

Expand beyond payments

Agents today are increasingly looking for ways to expand beyond payments while continuing to provide value to their merchant clients. IT compliance and security services represent one potential avenue, particularly for businesses operating in regulated industries.

For agents interested in creating additional recurring revenue while helping clients strengthen their IT infrastructure, referral partnerships with technical specialists such as Ketra Group may offer a compelling opportunity.

For more information, email partners@greensheet.com and use promo code Green Sheet for a 25% first-time referral bonus.

---

Turn IT compliance into recurring revenue - Apr 23rd, 2026