The bar of entry to becoming an operator in the financial services industry is understandably high as it is necessarily heavily regulated. The UK financial sector has evolved rapidly over the last five years with the growth of fintech businesses looking to drive innovation into the banking industry. As well as developing technology, new entrants must pay great attention to meeting the requirements of the regulators as well as ensuring that a ‘privacy by design’ approach is taken from the outset. There is a risk that founders might focus all of their energy into the development of innovative and cutting-edge technology offerings, but at the detriment of meeting the demands of the regulator and broader privacy requirements.
One of the key catalysts for the growth in the Fintech industry has been the Payment Services Directive 2 (PSD2), also known as Open Banking. PSD2 regulations ensure that banks create mechanisms to enable third-party providers to work securely, reliably and rapidly with the bank’s services and data on behalf and with the consent of their customers.
The FCA has been pioneering in encouraging the growth of the fintech sector in London through their regulatory sandbox programme. Since its launch in 2016, 89 firms have so far been accepted to test innovative products and services. The combination of this programme with the PSD2 legislation has seen huge growth in the UK’s fintech sector with investments growing 38% from 2018 to 2019 to a massive $4.9 billion of investments.
Unsurprisingly, information and cyber security feature heavily across much of the existing legislation that firms will need to consider. Legislation exists in all jurisdictions and the more regions a firm operates in, the more legislation they will need to comply with. In the UK the FCA’s handbook raises security in the section focussed on Processes and Systems (13.7) that in turn is concerned with operational risk. Generally, there is an ongoing focus on Operational Resilience in the UK financial regulatory environment also seen in the Operational Resilience consultation launched by the Prudential Regulatory Authority (PRA) in December 2019.
The services a fintech business is offering and where it operates will define the security regulations it will be required to meet. PSD2, for example, has robust security measures within the legislation. Controls are mandated with organisations having to implement “an effective operational and security risk management framework” and the “framework should focus on security measures to mitigate operational and security risks.” The framework must also encompass outsourcing arrangements where appropriate so if a company outsources any of their service provision to a third party – this supply chain risk must be understood and monitored as well. The framework needs to cover a broad range of security considerations including Risk Assessment, Protection (including Data Systems Integrity, Access Control, Physical Security), Detection, Business Continuity and Testing of Security Measures.
Security themes such as those touched on above, also exist in other relevant standards that may apply such as the Payment Card Industry Data Security Standard (PCI DSS) if card data is processed, stored or transmitted by the service. Jurisdictionally, the firm may need to consider local legislation such as those operating from New York State, which must consider the New York State Department of Financial Services 500 series on Cyber Security (NYDFS 500).
There are common themes across all of these requirements because after all, their intent is much the same, to ensure that firms operating in the financial services industry are taking the right approach to reduce the risks of doing business. Firms should look at adopting an industry standard as a baseline to begin to satisfy all the areas of legislation that may apply to them. Many of these regulations draw upon standards such as ISO27001 and if this is used as a baseline, the controls in ISO27002 can be mapped across all the requirements that are applicable to the firm. Fintech businesses are often building APIs and as such must enter the market with the European Union General Data Protection Regulation (GDPR) ‘Privacy by Design’ principle at the heart of what they do.
The key point is that firms need to be thinking about how they build in supplier assurance as part of meeting these security requirements from the outset, because the problem gets bigger and harder as companies increase their involvement with third parties up- and down-stream in the supply chain. Technology can automate this process, making it much easier to regularly review that all parties meet the necessary requirements and demonstrate due diligence. Doing so, means companies are not only compliant, but mitigate security risks. It also proves to parties, that systems and data can be connected, to either expand the service, in the case of a technology provider, or as a customer of the service. Additionally, when raising funds for expansion and growth, investors are highly likely to undertake due diligence, and an established third-party assurance process can greatly simplify this. Third-party assurance matters, and it’s better to start while small using processes and tools that will scale with your fintech aspirations.
Sean Arrowsmith, Director at Crossword Cybersecurity