The rapid evolution of financial technology (fintech) in recent years has positively disrupted the financial services industry in terms of how banks and other institutions, such as insurance and accounting companies, as well as stock brokerages, offer services and customer experience. As nearly all customer data is being transferred from file cabinets to digital vaults, the waters are muddied as to how fintech organizations are expected to maintain compliance.
With increasing calls from both industry professionals and regulators for clear, prescriptive controls to protect sensitive information and mitigate risks, let’s take a look at how fintech companies can navigate this uncertain landscape.
Growth and Challenges
A recent survey of financial service firms by Thomson Reuters shows that from 2016-2017 the level of involvement in assessing the implications of fintech innovation grew by 18%. Additionally, the Office of the Comptroller of the Currency (OCC) published a white paper in March 2016 announcing its intention to support fintech innovation. However, innovation is not without its challenges.
The exponential growth of the fintech industry has made it difficult for regulatory agencies, including the SEC, FDIC and FFIEC, to keep pace. As a result, fintech companies are not yet directly supervised by federal banking regulatory agencies, although they are subject to federal regulations.
Without a Paddle
While the regulations by which fintech organizations will be governed are still being hammered out, these firms are being held to the same standards as traditional financial service institutions (FSIs). With an abundance of overlapping requirements within the FSI industry, fintech professionals are faced with a myriad of regulatory hurdles to address and overcome. However, the current lack of formal requirements within the fintech industry does not mean regulatory agencies are not diligently working to implement strict compliance standards.
In the same white paper announcing the OCC’s support of fintech, it’s made clear that regulations to protect consumers are forthcoming. Currently, two of the most fintech-specific proposed regulations that are sure to impact the industry include:
- The Financial Services Innovation Act of 2016 – This bill, proposed in 2016, would require each regulatory agency to appoint a Financial Services Innovation Officer (FSIO) to promote financial innovations and assist fintech firms in better understanding regulatory standards.
- OCC’s call for national charter – For several reasons, including making the federal banking system stronger, the OCC argues it’s in the public’s interest to grant national bank charters, when appropriate, to fintech companies. According to the paper, if the OCC decides to grant a charter to a particular fintech organization, it would be held to the same rigorous standards of safety and soundness, fair access, and fair treatment of customers that applies to all national banks and federal savings associations.
Of course, just like any industry handling sensitive consumer and enterprise data, fintech firms are tasked with responsibly protecting the confidentiality, integrity and availability of customer information and protecting it against reasonably anticipated threats. In fact, this statement is at the heart of most existing security/compliance regulations. The question most firms face, however, is how to do this. We’re all aware there’s no such thing as perfect security: something unpredictable will always arise. However, fintech organizations need to build a robust security program addressing the risks and threats identified based on how the organization handles sensitive information. This process starts with conducting a thorough risk assessment of how your organization handles its sensitive information. Identify how you acquire the information, what you do with it internally, and with whom and how you share it, both internally and externally. Once you understand this, it is easier to identify and document the risks.
Use the results of your risk assessment to identify the security controls you need to put in place to mitigate the risks to a level acceptable to the organization. Every organization’s needs and capabilities are different, and security is not one-size-fits-all. To implement the best security program for your environment and avoid hefty, potentially business-ending fines during uncertain regulatory times, fintech firms should apply security-first filters, aiming to uphold forthcoming compliance standards.
Apply controls at the highest requirement level.
For example, if one regulation requires a six-character password and another enforces 12 characters, set all your passwords to 12 characters (of course, not repeating credentials). Having one set of controls that meets the highest, most stringent requirements necessary will ensure you’ve got the rest covered. Once you’ve done this, your biggest responsibility is justifying to regulators that your security program meets the requirements.
Measure your program against existing regulatory standards for traditional FSIs.
If you’ve designed your security program around risk management, you should be in good shape, but evaluating your security program against the compliance frameworks you are subject to will allow you to recognize any holes that need to be filled, thus ensuring an even stronger environment.
Both start-ups and established FSI organizations are going to continue innovating new technology to meet customers where they are and create a more reliable, user-friendly experience. Now is the time for fintech companies to prepare for impending regulations as they continue to grow, as opposed to waiting until it’s too late.
Furthermore, as regulatory agencies are putting these requirements into place, companies should look at why they are doing so and how they can prepare. Considering regulations from a security perspective would ultimately lead to better outcomes, as firms would be more focused on enforcing robust security programs as opposed to chasing down different requirements to ensure compliance.