What is Fintech Compliance? + Its Major Risks
Fintech has brought a refreshing breath of innovation to the traditionally conservative finance industry. From digital-first business models to more accessible cloud applications, fintech has made banks and other financial institutions more efficient while giving consumers convenient new services.
But those benefits come with risks—not least to fintech companies themselves.
Many offer services that, while not directly regulated, serve heavily-regulated financial institutions. Others operate in gray areas where regulators have been slow to enter.
Unaddressed fintech risks caused cryptocurrency exchange FTX’s collapse and the $140 million civil penalty imposed on USAA Federal Savings Bank. As a result, regulators are paying closer attention to risk in the fintech industry:
Acting Comptroller of the Currency Michael J. Hsu recently explained how his office will scrutinize bank-fintech relationships.
The US Department of the Treasury recommends more robust regulation and oversight of fintech services.
New third-party risk management rules in the EU Digital Operational Resilience Act (DORA) will require fintech companies to strengthen their cybersecurity practices.
Whether due to direct regulation or closer scrutiny from customers, compliance is becoming a critical objective for fintech businesses worldwide.
This article will introduce the major risks fintech firms will need to address through improved compliance programs.
What is Fintech Risk and Compliance?
From cloud-based, mobile-first payment services to innovative blockchain applications, financial technologies (fintech) play several roles in today’s financial industries.
Innovators: Fintech companies leverage the tech industry’s innovation engine to bring new services to market faster than traditional firms.
Disruptors: Rapidly-iterating technology companies disrupt established competitors by offering more convenient and efficient services or reaching untapped markets.
Partners: Financial firms routinely outsource back-end functions to fintech companies that natively understand cloud, mobile, and machine learning technologies.
These companies share the standard risks that any business faces, from cash flow to credit. At the same time, fintech companies must address unique risks created by the nature of their industry.
Compliance mitigates these risks.
Some companies have no choice. New regulations will demand compliance. Or the financial institutions they serve will require it to support their own compliance programs.
Other companies will choose a voluntary compliance journey. Farsighted fintech leaders understand that reassuring institutional or retail customers through compliance creates a competitive advantage.
No matter where the pressure for compliance comes from, fintech companies must address a host of risks.
4 Major Risks in Fintech
Fintech companies face unique risks in four primary areas: regulation, cybersecurity, financial and business, and reputation.
1. Fintech Regulatory Risk
Unlike their traditional counterparts, fintech companies operate in a more fragmented and uncertain regulatory environment.
In some ways, federal regulators in the US were slow to regulate the fintech industry. At first, this was due to the lack of institutional expertise in emerging technologies. They were also reluctant to impose regulations that could throttle a young industry.
In other ways, federal regulators have aggressively pursued fintech companies. The Securities and Exchange Commission is particularly active against crypto companies that cross the line between asset classes and securities.
Some state regulators were more proactive. New York’s Department of Financial Services introduced regulations covering cryptocurrencies and crypto exchanges. California’s Consumer Financial Protection Law brought new financial service providers under state oversight.
Without unifying federal regulation, state-by-state variation creates more risk for companies delivering nationwide services.
The same is true globally. Different countries have different regulatory priorities. Preserving innovation may be important in the US, for example, but protecting consumer privacy takes precedence in the EU.
Fintech companies must navigate this complex regulatory environment and anticipate change to minimize their regulatory risk exposure.
2. Fintech Cybersecurity Risk
Cybersecurity is a challenge every business must meet. For the fintech industry, cyber risks are more severe. Breaches could disrupt institutional customers’ operations or compromise retail customers’ finances. Either case is traumatic and could end a young fintech company’s existence.
The closer a company is to the country’s financial infrastructure, the greater the threat from state-sponsored advanced persistent threats.
Fintech companies that store consumer financial data become targets for organized cyber criminals. Even unsophisticated hackers can launch devastating attacks thanks to malware-as-a-service providers.
Complicating matters, fast-growing fintech startups have less time, experience, or resources to secure their infrastructure. Hardware and software vulnerabilities can appear at any time. Social engineering can breach defenses with a simple click on a link.
As software innovators, fintech companies are particularly vulnerable to third-party and supply chain risks. Cloud computing and X-as-a-Service providers let startups piece together enterprise-grade operations. Fintech developers rely on repositories of third-party code to simplify and shorten project lifecycles, exposing their software to supply chain attacks.
These third-party relationships can create significant risk.
A fintech company’s cybersecurity is entangled with its service providers’ security practices. Without careful controls, code dependencies can open attack vectors into a fintech company’s systems—and allow hackers into its customers’ systems.
Compliance with SOC 2 and other cyber risk management frameworks can make fintech companies—and their customers—more secure.
3. Fintech Financial and Business Risk
With proper funding, early-stage technology companies are agile and risk-tolerant. They quickly bring advanced technologies to market, pivot to seize new opportunities, and rapidly iterate in response to customer demand.
A fintech company’s greatest strength is also a significant source of risk.
The problem with moving fast and breaking things is that you break things.
That might be fine in social media, but not when you handle credit card data or process a bank’s transactions. Fintech companies must balance innovation against operational risks.
At the same time, fintech depends on technology-driven business models with inherent risks. For example, artificial intelligence and machine learning algorithms can amplify the prejudices built into training data sets.
Fintech scales quickly by making sophisticated financial services more accessible to a broader range of consumers. However, selling to more people means selling to more financially naive people.
Consumers who do not understand a financial service and its risks can get burned even if a fintech company does nothing wrong.
If something does go wrong, impacting thousands of consumers, a fintech company could face a business-ending backlash.
Venture capital funds and other tech investors willingly place long-term bets that fund fintech innovation. That model works well as long as investor optimism remains strong.
Recession, geopolitical uncertainty, and other factors can undermine that optimism. As VC firms become pickier about their investments, fintech companies could lose the funding they need to survive.
4. Fintech Reputational Risk
The whole point of financial regulation is to preserve confidence in the financial industry. For all the technological innovation fintech brings to market, reputation still matters.
A significant cyber incident or the collapse of a funding round will damage a fintech company’s reputation. Consumers will flee to more reliable competitors. Banks will question the value of the firm’s services.
Companies that manage their business well can still suffer from the mistakes of their competitors. For example, failed crypto exchanges create distrust in companies building blockchain solutions.
Compliance programs that keep other risks under control go a long way toward avoiding these reputational risks.
Compliance-Centric Fintech Companies Bring Risks Under Control
Risk management is part of any business. Fintech companies operate in more dynamic conditions that create unique risks.
For the fintech industry, compliance is essential to bringing these risks under control.
An effective compliance control does more than help the company follow regulations. Demonstrating compliance reassures business and retail customers and gives fintech companies a competitive advantage.
To get articles on fintech compliance, risk management, and more be sure to subscribe to Trusted, Drata's bi-weekly newsletter.