How to Address 6 Major Fintech Security and Compliance Risks

Compliance has become table stakes for fintech. Here are six ways continuous fintech compliance programs address security and compliance risks.
Troy Fine

by Troy Fine

March 02, 2023
Fintech Risks

Bringing fintech risks under control is daunting for startups and large enterprises alike. In our previous article, we reviewed the unique sources of risk the fintech industry faces. A focused, continuous compliance program lets you manage those risks—and reduce the impact of compliance on your operations.

This article will explain how compliance addresses six aspects of fintech risk.

1. Cyber Attacks and Vulnerabilities

Security breaches are not exclusive to the fintech industry. Hackers and advanced persistent threats can exploit any company’s weaknesses. However, fintech companies often face greater risk because they work with sensitive financial data.

Any security breach could have devastating consequences.

In the past year, cybercriminals breached the defenses of several fintech firms, including:

  • Revolut: A targeted attack compromised the personal data of more than 50,000 consumers—almost half of them Europeans.

  • BankingLab: Supply-chain attacks compromised the banking services platform, opening pathways into other fintech companies.

  • Cash App: A former employee accessed as many as 8.2 million brokerage accounts.

Preventing breaches like these has always been the goal of cybersecurity. A compliance program can make cybersecurity strategies more effective.

Addressing Cybersecurity Issues

Modern security frameworks such as SOC 2 and PCI DSS help fintech companies identify and close the gaps in their defenses.

But that is not enough.

Consider the three examples above. Revolut was directly attacked. BankingLab’s software dependencies compromised its customers’ defenses. And Cash App forgot to deactivate a former employee’s credentials.

Vulnerabilities and breaches can happen anywhere, anytime.

A compliance program goes beyond meeting a security framework’s requirements. Continuously monitoring compliance lets you identify and close new security gaps before their impact can spread.

2. Crypto-Asset and Other Fintech Regulation

Fintech companies operate in a regulatory grey area. In some cases, they may not be subject to a regulation that applies to their customers. In others, regulators are slow to apply existing rules to a young, innovative industry.

Things have changed over the past few years. Regulators are paying closer attention to fintech in several areas:

  • Due diligence and know your customer (KYC): Britain’s Financial Conduct Authority (FCA) found that many challenger banks failed to meet due diligence standards.

  • Anti-money laundering (AML): Acting FinCEN director Himamauli Das recently admitted that fintech payment services operate under decade-old AML regulations that do not reflect the state of today’s industry.

  • Asset markets: Commodity Futures Trading Commission (CFTC) Chairman Rostin Behnam discussed the risks of digital asset markets and ways the CFTC plans to regulate the digital asset industry.

As regulators focus on fintech, companies in the industry must get their compliance programs in order.

Addressing Fintech Regulation Issues

Fintech companies must understand the regulatory landscape—the rules that apply today and how regulations will change in the future.

That way, decision-makers have a foundation for evaluating regulatory risks and developing appropriate policies and controls.

A compliance program gives you real-time visibility of these controls while making your organization more responsive to queries from regulators and auditors.

3. Data Privacy

Policymakers worldwide are responding to concerns about data theft and the use of personally identifiable information. While the European Union’s efforts are the most prominent, privacy regulations everywhere are getting stricter.

That does not mean privacy regulations are getting more consistent.

The General Data Protection Regulation (GDPR) only applies within the European Union. The UK has its own version while the United States has no national privacy law. Companies instead navigate a patchwork of state-level regulations.

With their cloud-first development strategies, fintech companies can serve customers anywhere. That competitive advantage gets overwhelmed by the complexity of data privacy compliance.

Addressing Privacy Issues

While each jurisdiction’s regulatory frameworks are different, they do rhyme. A GDPR compliance control does not guarantee CCPA compliance. That doesn’t mean you must duplicate compliance efforts for every framework.

Use a privacy risk assessment to:

  • Identify applicable regulations for your current and future business.

  • Map similar requirements and develop appropriate controls.

  • Implement and monitor privacy controls.

With the right monitoring system, you can reduce redundancy and make privacy compliance more efficient.

4. Compliance & Non-Compliance Costs

Achieving compliance in the previous three areas has a cost. In a recent survey, more than half of financial services companies expected to increase compliance spending in 2022, with nearly 20% of respondents planning a significant increase.

Growth-driven startups may be reluctant to divert resources to support compliance, but not doing anything carries significant costs.

Besides the risk of regulatory violations and fines, non-compliance introduces opportunity costs.

As far as the US Treasury Department is concerned, banks are “ultimately responsible” for their fintech partners’ activities. Fintech companies that can’t pass a compliance audit should not expect much business from highly-regulated banks.

Addressing Compliance Costs

A good compliance program starts with a risk assessment that prioritizes risks, and lets business leaders decide which to address and which to accept.

Compliance frameworks often make this prioritization easier by requiring “reasonable and appropriate” measures rather than one-size-fits-all procedures.

Small startups will not need the expensive controls of a large enterprise. On the other hand, a rapidly-growing company could find that last year’s measures have become inadequate.

5. Updating Your Compliance Program With New Features & Products

Rapidly-iterating technology companies can fall out of compliance without knowing it. A simple product update could open a security vulnerability or expose users’ personal information.

At best, checking code for compliance before it goes to production is inefficient. At worst, the review misses issues to create new compliance gaps.

Addressing Product Development

Security, privacy, and other compliance issues must happen early in development. Compliance by design embeds best practices into software development that reduce risk and make compliance more efficient.

Shifting compliance to the left also instills a compliance culture in your development teams. Compliance becomes everyone’s responsibility.

6. Proactive Compliance

Reactive approaches to compliance are expensive and disruptive. In fact, 87% of organizations with a reactive compliance approach faced negative consequences as a result. Everyone in the organization scrambles to get ready for the audit. People drop everything to close newly discovered compliance gaps. Analysts spend days querying and collating data to meet auditors’ requests.

Doing compliance this way disrupts operations and creates a false impression that everything is fine.

That’s a mistake. A successful audit only tells you that you complied. You may not be compliant anymore.

Addressing Compliance Proactively

An audit only gives you a baseline. The only way to know that you are still compliant is by continuously monitoring your compliance status.

You can’t hire enough people to do that manually.

Systems that automate compliance monitoring let you prioritize your compliance efforts. Automations can resolve minor issues while flagging those that require human decision-making.

Proactive compliance identifies and addresses gaps faster while making audit requests easier to meet.

Fintech’s success has put the industry under the spotlight. Regulators are paying closer attention to fintech compliance. In traditional finance, companies minimizing their third-party risk are demanding proof of compliance from their fintech partners.

Proactive compliance that uses automation to continuously address security, regulatory, privacy, and other risks is the only way to ensure compliance in a competitive fintech industry. Book a demo with our team today, and see how Drata can help you achieve continuous compliance.

Trusted Newsletter
Resources for you
Momentum Blog Thumb

Reflecting on FY24: Resilient Growth and Leadership in Compliance Automation

Biden's executive order on AI

What the Biden Administration’s New Executive Order on AI Will Mean for Cybersecurity

Launch Alliance Program Allbound Banner

Introducing our New Partner Program: Launch—The Drata Alliance Program

Troy Fine
Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.

Put Security & Compliance on Autopilot®

Close more sales and build trust faster while eliminating hundreds of hours of manual work to maintain compliance.

Related Resources
GRC Maturity: Manual Risk Management Programs Fall Behind

GRC Maturity: Manual Risk Management Programs Fall Behind

Asset - Podcast Episode 13

Compliance Uncomplicated Episode 13: Cloud Compliance and Startups

DDRR Recap

A Recap of Drataverse Digital: Risk and Reward

NIST AI RMF

Drata's New NIST AI RMF: A Game-Changer for AI Risk Management