Fintechs are quickly expanding to all industries, and their products and services will continue to permeate most businesses regardless of size. It is abundantly clear that fintech is no longer an innovation reserved only for financial services. In fact, almost all organisations will become fintechs in some way in the near future. For example, Verizon and other retailers are creating “neobanks” that will allow customers to open a bank account, while smaller companies are partnering with payment processors to give their customers mobile payment options.
With the global fintech market anticipated to grow at a Compound Annual Growth Rate (CAGR) of nearly 20% in the next four years, we should anticipate that most organisations will soon have fintech product offerings of some kind. Innovation and customer adoption will drive this growth, but accompanying this new technology will be increased regulatory scrutiny and compliance pressure, which can be overwhelming for compliance departments that are already overworked and understaffed.
As it is said, with great growth comes great responsibility. Fintechs will need robust compliance departments in place to both anticipate new regulations and address them as they are instituted. Fortunately, you don’t have to start from scratch. There are adjustments you can make to existing compliance practices that will address fintech risks without having to create new compliance programmes within the organisation. Fintech compliance requires a focused and thoughtful approach but does not necessitate a complete overhaul of compliance functions that are already in place.
These are 4 key areas of your compliance programme to prioritise for success in the fintech future.
1. Enhance Data Privacy and Data Security Measures
Data privacy and data security are already important components of all compliance programmes, but to address fintech risks, those existing measures should be enhanced. For example, most privacy compliance programmes already ensure consumer data processed directly by the organisation is adequately protected. Those controls will also need to be applied when evaluating third-party fintech organisations, to verify that the same privacy protections exist when fintechs process consumer data.
Also, consider how your collection and/or use of Personally Identifiable Information (PII) may change with your fintech products and/or services. You may need to update your Privacy Policy and Privacy Notice accordingly and tighten your privacy controls. It is a good idea to conduct penetration testing to identify technical vulnerabilities that you can address and resolve from the start. Enhancing your existing information security control measures (e.g., access controls and encryption standards) is also valuable.
Fintech inherently increases data privacy and data security risks, and boosting these protections in your compliance programme will be time and money well spent.
2. Expand Risk Assessments
Compliance departments already use risk assessments as their primary tool to identify, capture, and control enterprise risks.
To address fintech risk, update the risk categories and/or questions to capture new products and services and add new processes and applications that may be involved. What new regulations might be impacted by your organisation’s fintech? An updated risk assessment should include references to those as well.
3. Assess Compliance Budgets and Resources
It has long been conventional wisdom that organisations prioritising compliance functions are less likely to face punitive action. In a recent keynote address at Compliance Week’s National Conference, Kenneth Polite Jr., assistant attorney general and head of the Department of Justice’s Criminal Division (and a former chief compliance officer), underscored that point by stating, “companies that make a serious investment in improving their compliance programmes and internal controls will be viewed in a better light by the Department of Justice and by my Criminal Division.”
In the case of fintechs specifically, compliance officers should ask a few additional questions: Does your organisation have the right people in place to triage compliance risks related to this burgeoning technology? Do you have individuals who have a working knowledge of financial technology and/or are adept at tracking new regulations and requirements? Have you assigned enough budget to build out new internal controls (the need for which may have been identified by your updated risk assessment)?
These types of questions and the conversations they elicit are typical for compliance officers but should be expanded to include fintech risks. As such, compliance officers should determine whether the appropriate number of individuals are on staff and adequate budget is devoted to compliance efforts.
4. Consider Strategic Partnerships
There are a host of tools available to compliance officers to manage the compliance programme. Determining the value of these tools – and how to integrate them into current processes – has always been the domain of the chief compliance officer and his/her team. Assessing whether regulatory technology (regtech), a class of software applications for managing regulatory compliance, can assist with fintech compliance is no different.
