Financial technology firms (Fintechs) are transforming financial markets through innovation and moving faster than the traditional financial sector. While this is their main success factor, risk management practices often fail to keep pace, putting the businesses' success at risk.
Fintech companies often outgrow their own operational capacity and fail to standardise new operations procedures. They tend to, for example, hire compliance officers very late in the start-up process, and if a Fintech business falls short of compliance requirements it may face heavy fines, resulting in reputational loss in the market as well as a loss of customers and revenues.
A case in point is N26, a popular German mobile phone-based bank that has gained seven million customers since its foundation in Berlin in 2013 by offering an easier and quicker way to open a bank account than brick and mortar banks. However, because the client acquisition process did not include enough background checks against the risk of money laundering, according to the German regulator Bafin, the authority has threatened to issue a ban for new client acquisition. The news hit the market at an unfortunate time for N26 as the company was in the process of conducting a new financing round. Eight years after its foundation, N26 has now decided to create a group chief risk officer role.
Oversight issues are symptomatic of rapidly growing Fintechs. Areas of particular concern in the Fintech space include:
- Fintech operator fraud or misconduct
- Platform/technology unreliability or vulnerability
- Inadequate consumer disclosure and transparency in a digital context
- Product unsuitability for client base
- Conflicted Fintech business models misaligned with client interests
- Algorithmic decision-making leading to potentially unfair outcomes for clients
Like other investments, effective risk and compliance management spend involves a cost-benefit analysis; however, regulatory compliance is sometimes hard to measure until non-compliance becomes apparent to the public and regulators. But when risk and compliance programmes are effected correctly, they can be a revenue enabler and may put the business in an advantageous position to collaborate with banks and other traditional financial service institutions who are required to have robust risk management practices in place.
Regulation and compliance
Regulators will expect Fintech firms to have a risk and compliance framework that sufficiently addresses their inherent risks as generated by their book of business. In general, some of these risks would include but would not be limited to anti–money laundering for marketplace firms, or the potential for misrepresentation in disclosures and marketing materials for lending and wealth service firms.
Negligent advice and failings in client services are common risks for any company providing financial services, especially Fintechs who offer innovative financial products through new distribution models and customers that may struggle with a platform's functionalities. Fintechs may also rely on third-party contractors, adding an extra liability risk due to third-party negligence. Further, the majority of Fintechs deal with high frequency of funds movement, leaving them vulnerable to theft and fraud.
The financial services sector is highly regulated. While the rules may not apply directly to many Fintech verticals, they may do so indirectly when start-ups offer their services to established financial institutions. Further, rules like the General Data Protection Regulation (GDPR) and the Payment Services Directive (PSD2) establish clear requirements for protecting data and securing system infrastructures. National jurisdictions often impose additional regulatory layers that apply to Fintechs. However, regulatory requirements can change rapidly as regulators try to catch up with technological change, making the standardisation of compliance processes quite difficult. As Fintechs expand internationally, they may also have to consider differing regulations in multiple territories.
Weak spots
Established financial institutions will want reassurance that Fintech applications connected to their systems do not introduce new vulnerabilities to cyber-attacks. Any new connection offers a potential entry point for hackers. While having the right security assets in place may reduce the risk of a cyber-attack being successful, these will not make platforms immune to attacks. Fintech firms therefore need to have emergency plans for a cyber event to control the damage and protect a company's reputation. Any cyber threat will require a fast, calculated response and errors made in the process may cause additional losses.
Digital innovation relies heavily on technology infrastructure, making firms not only vulnerable to cyber-attacks but also to technology failures. If customers are unable to access services this is likely to result in loss of income and/or customers.
These threats will necessitate consideration of cyber insurance, extending to third party liability cover, business interruption and reputational damage cover, as well as a robust incident breach response process.
Unpredictable market events are also a major operational risk for Fintechs. Robinhood, a US trading platform recently sparked outrage when it limited trading in Gamestop shares following a surge in trading. The decision prompted congressional hearings, regulatory interest and a major federal lawsuit in Florida consolidating 50 class actions from thousands of aggrieved US retail investors. Fintech firms need to be prepared for unforeseeable market events with operations and customer support teams capable of developing and issuing rapid responses.
Recommendations for a risk & compliance programme framework
- Set up risk management as a strategic advisory function to the business, management, and board on the strategy
- Align the risk and compliance management programme with the company culture and the business' strategy
- Operationalise the risk and compliance management programme to meet regulatory and industry expectations
- Introduce clear roles, responsibilities, and decision rights that support the risk culture and strategy
- Establish committees with defined mandate of advising and/or decision responsibilities
- Create and implement a clear policy framework aligned to culture, strategy, regulatory requirements, and sound risk management practices
- Conduct regular risk assessments, continually monitor regulatory changes and establish a change process
- Continuously capture, measure and report risk related data management to the board
- Establish a clear issues solving process for identification, escalation, and remediation
- Introduce a training programme that includes risk management
- Create communication channels with regulators that consistently and accurately reflect business and risk performance and strategy execution
- Develop capabilities for ready responsiveness to regulatory exams and requests
- Identify and assess the remaining risk exposure
Because Fintech products and services are innovative, the related risks are often unclear, exposing businesses even more to negligence claims, service errors, fraud claims, and several other common risks associated with financial services.
Fintech businesses have a unique combination of exposures that are not covered by traditional financial institutions insurance products. The main risks Fintech firms face and for which insurers can offer protection include professional liability, the regulatory environment, theft of funds, cyber events, as well as technology failure.
For further information, please contact:
Rush Amaratunga, Account Executive Global Financial Institutions Insurance
E Rush.Amaratunga@lockton.com
T +442079331279
Andrew Potapa, Account Executive Global Financial Institutions Insurance
E Andrew.Potapa@uk.lockton.com
T +442079332786