Compliance · The First Pillar of 3×3 OS

Compliance Systems for Service-Based Businesses Built to Hold Up Under Scrutiny.

A regulatory infrastructure approach for recruiting reps across states, preparing for audits, and reducing enforcement exposure. The first pillar of the 3×3 OS, configured around the realities of how regulators actually look at scaling service businesses.

9 categories of compliance risk every scaling service business has to control
$2.5B+ in structured sales volume served under Paradigm-built compliance frameworks
200K+ distributors and reps operating under Paradigm-built compliance frameworks

The Problem

Every service business hits a compliance wall between $2M and $10M ARR.

Below $2M, you can run on intuition and a good attorney on speed dial. Above $10M, you cannot. Somewhere in between, the business changes shape (more reps, more states, more product lines, more eyes from regulators), and the same instincts that built the business start putting it at risk.

Three categories crush operators in this zone. Most founders only notice one of them, fix it badly, and get blindsided by the other two.

01 · Classification

Sales Rep Misclassification

1099 reps you treat like W-2 employees. State-by-state rules that contradict each other (California's AB5, Massachusetts' ABC test, Texas's IRS-based test). One state audit can cascade into every state you operate in, with publicly reported settlements ranging into the six and seven figures.

02 · Licensing

Multi-State Licensing Gaps

Foreign entity registration in every state you do business. Industry license (contractor, insurance producer, MLO, home care). Individual rep licensing in states like California, New York, and Florida. Miss one tier and the whole state becomes a liability.

03 · Federal

ROSCA & Federal Enforcement

The FTC's Restore Online Shoppers' Confidence Act now applies to any business taking digital payments with a recurring component, and that includes most service businesses with retainers, financing, or subscription tiers. The FTC publishes a per-violation civil penalty amount that is adjusted annually for inflation.

The Framework

The Compliance Spine: 9 categories of risk every service business has to control.

The Compliance Spine is the first pillar of Paradigm's 3×3 OS. Where traditional compliance is reactive (audit triggered → respond), the Spine is structural: a 3×3 matrix that maps your obligations across three layers (Federal, State, Operational) and three risk surfaces (Reps, Revenue, Records). You install it once. It works automatically as you scale.

Risk surfaces: Reps · Revenue · Records

Federal

IRS Worker Classification

20-factor test, Form SS-8, retroactive reclassification exposure. Sets the floor for every state test on top.

ROSCA / FTC Act §5

Disclosure, affirmative consent, easy cancellation. Applies to any recurring service charge.

DOL Recordkeeping

FLSA hours, wage statements, retention periods. The recordkeeping foundation any wage-and-hour review starts from.

State

State Classification Tests

California ABC (AB5), Massachusetts ABC, New Jersey ABC, IRS-based states. State-by-state matrix required.

State Licensing & Registration

Foreign entity registration, industry license, individual rep license. Sequenced for each expansion state.

State Privacy & Disclosure

CCPA, CPRA, state-specific disclosure forms, telemarketing rules. Vary by state, change yearly.

Operational

Onboarding & Training

Contractor agreements, training documentation, scripts, manager controls. The operational record that any control-test review relies on.

Disclosure Protocols

Pre-sale terms, recurring-billing notices, refund policies, financing disclosures. The operational layer that ROSCA compliance lives in.

Audit-Ready Documentation

Centralized contracts, signed disclosures, training logs, time records. Every artifact a regulator may request.

Common Questions

What service-business operators actually ask about compliance.

Direct answers based on what Paradigm has seen across engagements. The content on this page is informational only and is not legal, tax, or accounting advice; consult qualified counsel for advice specific to your business.

How do service-based businesses scale sales reps without misclassifying them?

Misclassification is the #1 compliance failure for scaling service businesses. The rule of thumb: if you control how, when, and where the rep works, they are likely W-2, not 1099, regardless of what their contract says. Each state applies a different test. California's ABC test under AB5 is the strictest (the rep must be free of control, perform work outside your usual business, and be independently engaged in that trade). Texas applies the IRS 20-factor test. Massachusetts and New Jersey use their own ABC variants. Paradigm's Compliance Spine installs a state-by-state classification matrix tied to your rep operating model, so you can scale across jurisdictions without inheriting back-tax exposure.

What licensing does a multi-state service business need?

Multi-state licensing follows three predictable tiers: (1) Entity registration as a foreign corporation in every state you do business. (2) Industry license: contractor license for trades (varies by state), producer license for insurance (NIPR-administered), MLO for finance (NMLS), home care license for caregivers (state DOH). (3) Individual licensing for each rep where required; insurance is the highest-friction example, where every rep needs an individual state license before selling. Paradigm builds a state expansion playbook that sequences these correctly so revenue is never blocked by paperwork.

What is ROSCA compliance and which service businesses need it?

ROSCA (Restore Online Shoppers' Confidence Act) is the federal law governing how businesses sell online subscription and recurring-billing products. It applies to any business taking digital payments with a recurring component, which now includes most service businesses with monthly retainers, financing programs, or subscription tiers. The FTC has expanded ROSCA enforcement in recent years, with active enforcement against several major online retailers. ROSCA compliance generally requires clear disclosure of all material terms before payment, affirmative consent (no pre-checked boxes), and easy cancellation. The FTC publishes a per-violation civil penalty amount that is adjusted annually for inflation, and a single non-compliant flow can produce many separate violations.

How much can a single compliance violation cost a service business?

Costs vary significantly by case but are routinely large enough to threaten the business. Publicly reported misclassification settlements at service businesses have ranged into the six and seven figures, driven by rep count, years of exposure, and the specific state. FTC ROSCA enforcement actions against mid-market service businesses have reached multiple millions in civil penalties plus restitution. State licensing fines stack per violation, per state, and add up quickly when multiple expansion states are involved. The cost of installing a compliance system before scaling is typically a small fraction of the cost of remediating an enforcement action after it lands.

When does a service business need to install a compliance system?

The compliance wall hits between $2M and $10M ARR. Specific triggers that mean you've already waited too long: hiring your 10th sales rep, entering your 3rd state, taking on institutional capital, or any complaint filed with a state regulator. By the time a complaint lands, you need the system in place already. Paradigm installs compliance infrastructure as a 90-day engagement; remediation under enforcement takes 12+ months and costs 5–10× more.

Is compliance the same as having a good lawyer on retainer?

No. A lawyer responds to incidents. A compliance system prevents them. Most service businesses pay $50,000–$200,000 per year for outside counsel that only activates when something goes wrong; by then, the back-tax clock has been running for years. Paradigm's Compliance Spine is the operating infrastructure that keeps your business inside the lines automatically: classification matrices, state licensing trackers, rep onboarding checklists, FTC/ROSCA disclosure protocols, audit-ready documentation. You still need a lawyer. You shouldn't need one every week.

Can AI or software replace a compliance team?

Not the judgment layer, but it can replace 80% of the manual work. Paradigm's Technology Systems pillar installs agentic workflows that monitor regulatory changes, generate state-specific disclosures, track license renewals, and surface anomalies before they become violations. The human compliance lead reviews exceptions, not documents. For a mid-market service business, this typically replaces 1.5 FTE of paralegal/admin work and reduces missed deadlines to near zero.

By Industry

Where the compliance wall hits hardest, and what each industry actually needs to install.

The Compliance Spine is industry-agnostic, but each industry has a primary failure mode. The order Paradigm sequences installations differs by vertical.

Insurance & Financial Services

The highest-friction industry for scaling: every rep needs an individual state producer license, and every cross-state sale triggers nexus rules. Recent FINRA and state insurance department actions have raised the floor on supervision and disclosure.

  • Primary risk: individual rep licensing gaps across states
  • Federal layer: SEC, FINRA, AML / KYC, ROSCA
  • State layer: insurance department supervision, anti-rebating, replacement disclosure


Solar & Home Services

Door-to-door sales, TPO/lease financing, and FTC scrutiny on solar claims have made this the most enforcement-targeted service industry of the last 3 years. Rep churn rates above 60% make documentation discipline non-negotiable.

  • Primary risk: FTC enforcement on financing disclosures and sales claims
  • Federal layer: FTC Act §5, ROSCA, Truth in Lending
  • State layer: contractor licensing, AB5 (CA), door-to-door rules


Plumbing, HVAC & Trades

State-by-state contractor licensing is the foundation, but the real exposure is on the rep model: service techs who quote and sell are often misclassified as 1099 when their behavior pattern is W-2. EPA 608 certification and OSHA records compound the audit surface.

  • Primary risk: technician classification and overtime exposure
  • Federal layer: EPA 608, OSHA, DOL wage-and-hour
  • State layer: contractor license boards, mechanical contractor rules


Home Care & Caregivers

The single most-audited service category for misclassification: caregivers are almost always W-2 by behavior, even when paid 1099. State home-care licensing and Medicaid waiver compliance add another full layer above worker classification.

  • Primary risk: caregiver misclassification + FLSA overtime claims
  • Federal layer: FLSA, HIPAA, Medicare/Medicaid billing rules
  • State layer: home care license, EVV (electronic visit verification), background check rules

Network Marketing & Direct Sales

The FTC's expanded scrutiny of MLM income claims, state Anti-Pyramid statutes, and DSA standards mean direct sales operations need both a classification system (most distributors are legitimately 1099) AND a defensible income disclosure framework. Paradigm has structured frameworks for 200,000+ distributors.

  • Primary risk: FTC and state Attorney General income claim enforcement
  • Federal layer: FTC Business Opportunity Rule, SEC if equity-linked, ROSCA
  • State layer: state pyramid statutes, business opportunity registration


Blue-Collar & Specialty Trades

Roofers, painters, landscapers, electricians, mechanical contractors. The pattern: rapid scaling on subcontractor labor, then a single state audit cascading into the whole operation. Most have no central compliance function; the Spine becomes that function.

  • Primary risk: subcontractor-vs-employee classification, workers' comp evasion claims
  • Federal layer: OSHA, IRS classification, EPA where applicable
  • State layer: contractor license, workers' comp, prevailing wage on public projects

IT Services & MSPs

The compliance burden shifts from licensing to data. SOC 2, HIPAA, ISO 27001, state breach notification, and increasingly state privacy laws. Reps are usually inside sales (W-2) but contractor delivery teams are often misclassified.

  • Primary risk: data-handling compliance (client-facing) + contractor classification (delivery)
  • Federal layer: HIPAA where applicable, FTC Safeguards Rule, sectoral privacy
  • State layer: CCPA / state privacy laws, state breach notification

How Paradigm Builds It

Audit. Architect. Install.

Three phases over 90 days. Not a deck. Not a recommendation memo. A working compliance operating structure that runs inside your business after we leave.

01 · Audit

We map your current obligations against the Compliance Spine matrix. Every state you operate in, every rep model you run, every product line. Gaps surfaced and ranked by financial exposure.

02 · Architect

We design the systems: classification matrix, state licensing tracker, disclosure protocols, onboarding checklists, audit-ready documentation. Built around your operating model, not a generic template.

03 · Install

We embed the systems into your tooling, train your operators, and validate against live conditions. When we leave, the compliance function runs without us, and without founder dependency.

Ari Barton, COO and Compliance Lead at Paradigm Consulting

Ari Barton

COO & Compliance Lead

Ari leads Paradigm's compliance engagements. ROSCA framework specialist, multi-state licensing architect, and the operator who has structured compliance for $2.5B+ in sales volume across insurance, direct sales, and service-business categories.


5-minute diagnostic

Know whether you have the system, or just the lawyer.

The Compliance Spine Assessment maps your business against the 9-category framework above and returns a prioritized risk profile. No pitch. No commitment.
