
Getting to grips with Fintech risk and compliance


Troy Fine, Director, Compliance Advisory Services at Drata  

The traditional financial sector has undergone a major shift in recent years, with new innovations that make banks and other financial institutions more efficient while facilitating the delivery of a range of convenient new services. The widespread adoption of technologies like blockchain, the cloud, mobile applications, big data, and analytics has propelled fintech into playing a pivotal role within the highly regulated financial services sector.

Now, as regulators worldwide begin to evaluate new frameworks for fintechs to ensure that consumer protection and financial stability can be maintained, the need for effective and robust compliance is growing.

Balancing risk and regulation: the new imperative

The regulatory landscape for fintech is complex and constantly evolving. While many firms offer services that are not directly regulated, they typically serve industries that are.

Because they are responsible for dealing with significant financial transactions, payment initiation services and sensitive customer data, fintech leaders are starting to view compliance as a critical commercial objective, particularly as authorities around the globe begin to pay much closer attention to managing risk in the fintech industry.

In the US, the Department of the Treasury has recently called for greater oversight and regulation of fintech firms to better protect consumers and market integrity. Meanwhile, the Office of the Comptroller of the Currency will closely scrutinise bank-fintech relationships.

In Europe, fintechs already need to be cognisant of a gamut of regulations: GDPR, AMLD, PSD2, MiFID II and the e-money directive. More recently, new third-party risk management rules in the EU Digital Operational Resilience Act (DORA) mean that fintech companies must strengthen their cybersecurity practices.

Let’s look at the key areas where the growing enforcement of compliance is driving fintech firms to take action to ensure their operations are resilient and trustworthy.

Fintech cybersecurity risk

Fintech companies that store consumer financial data are a top target for organised cyber criminals, and those close to a country’s economic infrastructure are also in the sights of state-sponsored attackers looking to undermine a country’s interests.

Any disruption to the operations of institutional customers will result in considerable financial and reputational damage and is likely to have significant legal consequences. With one in four malware attacks targeting the financial services industry, staying compliant with regulatory standards is necessary. That is no easy task for small fintech startups that may lack the resources or skills to secure their networks or address the third-party and supply chain risks that potentially expose their software to vulnerabilities.

Reliance on infrastructure service providers, third-party or open-source code, and more means that compliance with SOC 2 and other cyber risk management frameworks is becoming necessary for elevating the security posture of fintechs and their customers.

Fintech regulatory risk

In the US, multiple federal and state agencies oversee different aspects of the industry, and indications are that the appetite for more intense oversight and regulation is hardening.

Recently, federal regulators have taken assertive measures against various fintech firms. Most notably, this has taken the form of high-profile enforcement against cryptocurrency businesses that have strayed from compliance standards.

The current lack of uniform federal regulation in the US creates significant risk for companies looking to deliver services nationwide, and fintech firms will need to keep their finger on the pulse of a rapidly evolving regulatory environment to minimise their regulatory risk exposure.

In the EU, as we’ve seen, protecting consumer privacy and data has long been a top regulatory priority. Now, the EU and the UK are in the process of adding a new layer of regulation for technology providers to banks and other regulated financial services institutions.

Alongside an enhanced focus on AI and machine learning algorithms that can amplify prejudices built into training data sets, regulators’ key focus is the initiation of minimum operational resilience standards.

Fintech operational risk

Information and communications technology (ICT) risks challenge financial systems’ operational resilience and stability. Today’s financial service sector increasingly relies on implementing various technologies such as cloud hosting, digital operations, AI, chatbots, blockchain and outsourcing.

In the EU, DORA will impose obligations on firms to maintain internal governance and control frameworks that will effectively manage ICT risks and incidents. Any non-compliance will result in severe financial penalties.

Meanwhile, in the UK, the Financial Services and Markets Act 2023 similarly introduces new digital operational resilience standards to reduce the risk of systemic disruption and deliver better outcomes for consumers and businesses. It is a move that, as with DORA, will expose many fintechs to direct regulation for the first time and open the door to regulating crypto-assets.

The value of building trust: adopting a compliance-centric approach 

Given the dynamic operational conditions and unique risks they encounter, adopting a compliance-centric approach will be critical to the health and future success of existing and emerging fintech firms looking to thrive in what is becoming a more intensely regulated business environment.

In the face of increasing regulatory attention and the need to operate without impediment, implementing appropriate risk management controls will enable fintechs to compete more broadly and satisfy the elevated compliance expectations of customers and investors.

More than just a regulatory safeguard, proactive compliance strategies also lay the groundwork for establishing long-lasting and trusted relationships with customers across multiple jurisdictions and regions. In other words, adopting a compliance-centric approach will prove key for building the credibility and trust needed to facilitate future growth and cement market reputations.

The post Getting to grips with Fintech risk and compliance appeared first on Finance Derivative.


