FinTech and the Risk of Convenience

Financial Technology (FinTech) companies strive to work with financial institutions and consumers to provide the ability to conveniently access financial data, mobile banking and investment options. However, the opportunities for convenience open up opportunities for risk related to the sensitive data that is transferred among technologies.

Potential vulnerabilities in FinTech systems inherently exist between the API and the software systems they connect.

FinTech firms build Application Programming Interfaces (APIs) to connect to banking systems and provide the “seamless” and “convenient” experience. However, with no regulatory framework, FinTech firms are vulnerable to the potential for compromise of the personal data they process and maintain access to, as well as any security weaknesses and issues caused by incompatibilities or errors in the interaction with other financial institutional systems.

When connecting disparate systems that have disproportionate qualities, it’s often the case that the system engineers, and any third-party developers involved, do not have access to or the detailed knowledge and intricacies of how the other system(s) work.

As financial institutions continue to leverage FinTech firms for the enhancement of interface functionality and convenience, the rapid innovation exposes inherent risks – with little to no advancements to the regulatory and compliance requirements of these firms.

What to Do?

The best approach to secure systems and underlying data, across platforms, is to design and implement effective controls within the technology design phase. Embedding security-measures into the initial design phase will aid in reducing the number of vulnerabilities that exist due to cross-platform contamination risks.

To continue to ensure that systems are secure, risks assessments, and design and effectiveness testing, need to be performed regularly through compliance initiatives related to customer and consumer requirements, including the following:

• The Gramm-Leach-Bliley Act (GLBA)
• SOC 2®
• The General Data Protection Regulation (GDPR)
• The California Consumer Privacy Act (CCPA)
• Third-Party Risk Management
• Risk Assessment
• Payment Card Industry Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Federal Financial Institutions Examination Council (FFIEC)

Other compliance regulations or frameworks might also apply, depending on the specifics of the FinTech product, services and/or related industries being served.

The compliance process needs to be cyclical in nature to ensure that risks are identified and addressed on a regular basis, so that the control structure can thrive alongside the business.

Schneider Downs has helped FinTech firms through a number of the above compliance initiatives, and we would be happy to discuss any compliance concerns and issues you are encountering. Contact us at [email protected].