It’s clear that today’s operating environment is changing at a very rapid pace, which means the risks are evolving fast, too. In this blog, we explore five key risk and compliance challenges which, if not managed correctly, could derail the ability of FinTechs to meet their strategic goals for the year.
FinTechs should consider how these issues might impact them, and ways in which they might mitigate that impact in a way that is sustainable over the medium and long-term. The key challenges are:
1. Regulatory Change
In the UK, both the UK Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are either putting in place regimes specifically for FinTechs and/or they are applying existing rules on a “same activity, same treatment” basis.
A good example of this is digital assets, to which existing financial services compliance obligations are being applied wherever possible. Also, in general the pace of regulatory change is accelerating, so FinTechs have additional complexity to manage.
For example, both the PRA and FCA are exploring artificial intelligence, machine learning, and initiatives such as Open Finance to better understand how to protect financial stability and deliver fair outcomes for consumers. One area regulators are interested in is the culture within FinTech firms, and in particular signs that firms may be focusing on growth instead of profitability, or that their strategic risk work isn’t robust enough to manage new unproven models or technology.
However, regulation doesn’t always mean more red tape – some of the new regulation may help FinTechs. The World Bank has created a database of FinTech regulations in some 200 countries. Some of these regulations are “enabling”, meaning that they help FinTechs achieve their business goals. Once again, digital assets are a good example – new rules which take into account their unique qualities can make these investments easier and safer to invest in, helping the industry to grow.
FinTech firms can evolve at a very fast rate, and so it’s important that their risk and compliance programmes keep up. They need to ensure they have robust processes in place to actively manage existing regulatory change risk and compliance risk, and that they regularly scan the horizon for emerging risks in these areas at every stage of their development process. Moreover, these firms always need to be sure they can quickly and easily provide evidence of their regulatory change processes as well as their overall compliance to stakeholders such as the board and regulators.
2. Growing awareness of Third Party Risk
US, UK and EU regulators have been voicing their concerns about third party risk for some time. Some FinTechs are financial services providers, with third party relationships. Other FinTechs provide software solutions to traditional financial firms, which means they are third parties, and will also have their own third parties.
Many jurisdictions are in the process of enhancing their rules around engagement with third parties and fourth parties. A good example is the concern regulators have about concentration risk around cloud providers. The EU has put in place a robust regulatory framework to manage these risks, and the financial industry has responded with the Gaia-X project, which “aims to implement a common set of rules that can be applied to any existing cloud technologies to obtain transparency, sovereignty, and interoperability across data and services.”
FinTechs can expect other jurisdictions to increase third party regulation over the next few years. This will mean managing significant complexity, while at the same time having the agility to provide evidence of compliance to clients and potential clients.
3. Evolving Data Governance Standards
The traditional financial services industry has woken up to the importance of data governance, and is in the process of implementing data governance frameworks and standards across their businesses. While FinTechs may have a business advantage here – most were founded with a “data first” strategy – many don’t realise that data governance should apply to their risk management and compliance programmes too.
Increasingly, regulators are asking who owns risk and compliance data, the journey it’s travelled, how timely it is, how well it represents what it is supposed to represent, and other data governance questions.
FinTechs need to be able to answer these questions with the same confidence that they would be able to answer them for their business data.
4. Increasing Operational Resilience Demands
Financial regulators are also ratcheting up their operational resilience requirements in light of lessons learned during the Covid-19 pandemic.
While FinTechs without bricks-and-mortar branches to worry about may feel they have an advantage, the reality may be that they face different challenges. For example, a traditional financial firm may be able to send its customers to those branches in the event that online services break down, while a FinTech may not have that option. Or, during a crisis, incumbents may have access to a depth of resources that FinTechs do not, including compliance and risk expertise.
In addition, some regulators, such as the UK FCA, are asking firms to consider the experience of vulnerable customers within operational resilience plans – some FinTechs may not have taken this into account. During the pandemic, regulators also became aware that many risk management and compliance programmes that relied on manual processes, including spreadsheets, email, and documents on shared drives had less operational resilience.
Going forward, both FinTechs and traditional financial firms can expect significant focus on the resilience of their second line of defence.
5. Rising Cybersecurity Threats
As FinTechs gain more attention in the media and from their customers, so too their profile increases among cyber criminals. One example of this is Finastra, a FinTech with $2 billion in revenues that provides a range of services to financial firms. It suffered a ransomware attack in March 2020 as it was moving its employees to remote working at the beginning of the Covid-19 pandemic.
FinTechs are spending vast sums ensuring their technology and their customers’ data is protected, but how well are they protecting their risk management and compliance data? Spreadsheets, email, and documents on shared drives can all be vulnerable to the wide range of cyberattacks that are out there. The firm’s risk and compliance data may be compromised or corrupted, data privacy may be breached, and sensitive information such as the FinTech’s risk management weak spots exposed. Working with risk and compliance data within a GRC solution can add an extra layer of cybersecurity.
In summary, the risk and compliance challenges facing FinTech firms this year are very demanding. It’s clear that using manual methods to try and meet them could wind up creating even more risks, such as the inability to adapt to regulatory change, poor data governance, and increased cyber risk. To meet these challenges successfully, FinTech firms should consider taking a more strategic approach by investing in a GRC solution.