Financial technology or FinTech has experienced phenomenal growth in the past few years. It refers to technological innovation in the financial sector and includes both back-end and consumer-facing services. The rise of FinTech has opened up new opportunities and alternatives in areas that only a decade ago were monopolized by traditional banks and lenders. FinTech also presents an immense opportunity for the financial industry. But there is a key challenge that could threaten this momentum: cybersecurity. Simply put, given the growth, dynamism, and complexity of the digital financial ecosystem, it is inevitable that some solutions will be insufficiently secure against cyber attacks. And it’s highly likely that those vulnerabilities will be found and exploited.
As more systems run by different entities become connected, more cyber vulnerabilities are likely to arise. A common source of such weaknesses is the interfaces between systems, because two systems that are not designed at the same time by the same developers often pose compatibility issues and challenges in security, especially given limitations of legacy technology. This poses a difficult problem for software engineers. When connecting two disparate systems, engineers on each side typically do not have access to how the other system works, making it harder to thoroughly identify all potential sources of vulnerability.
The best way to overcome integration issues is to conduct thorough testing, integrate data more closely, and clearly delineate areas of responsibility between all parties. This will minimize the cybersecurity risks and compatibility issues during the integration process of interfaces between different digital financial systems. However, these processes are time-consuming and expensive.
One of the most remarkable feats of FinTech has been the progress toward financial inclusion and expanding access to financial services to previously unbanked populations around the world. According to the World Bank, the number of unbanked adults has decreased by 20 percent from 2.5 billion in 2011 to 2 billion in 2014, and FinTech is one of the main drivers for this decline. However, the expansion of financial services and fintech to this underserved population presents risks. Because it is often comprised of new technology users, this population typically has little or no knowledge of cybersecurity risks and is especially vulnerable to hacking if targeted. Many cybercriminals gain access to networks and accounts because of human error. Simple techniques that are often used include spear-phishing, where humans mistakenly open spam emails and download malicious attachments or enter confidential information into fake websites to which they are redirected. It is important to raise awareness of cybercriminal risks and educate the newly banked on digital and financial literacy to teach them best practices to ensure security when engaging in financial transactions online.
In addition to cybersecurity, the integration of new technology with traditional systems will raise concerns regarding data collection and data privacy. Fintech companies collect large amounts of data about their customers, including sensitive personal information and financial records. A growing share of FinTech firms are also beginning to harvest alternative data, essentially collecting data on a customer’s online spending behaviour and social media patterns to trace their digital footprint. The data collected is typically stored and used for analysis for the purposes of marketing, sales, and financial decision-making like generating a credit score to determine a customer’s risk profile.
This creates security concerns as growth in the integration of banks’ systems with FinTech firms’ software means that more third parties will have authorized access to customer data, despite the fact that they may have differing approaches to security and follow distinct regulations. Although FinTech firms in the US are subject to certain federal regulations, unlike banks, they are currently not regulated by a federal banking regulatory agency.
This collection of alternative data also poses legal questions as to whether customers are aware that their online behavioural data is being harvested. Did customers give consent and, more importantly, can they withdraw their consent at any time? It sparks legal questions related to data ownership and whether this data can be shared with third parties. Fintech firms must have comprehensive and adequate privacy terms to comply with current regulations and keep customers well-informed.
The presence of valuable personal information makes FinTech companies increasingly attractive targets for cybercriminals. Many FinTech firms understand the importance of cybersecurity, given that the uptake of this new technology relies heavily on customers’ trust in these firms to safeguard their data. However, the unfortunate truth is that the priority for nearly all FinTech startups is on driving sales, and they have fewer resources available for secondary concerns like cybersecurity.
Regulators are experimenting with tools to oversee this new industry to ensure customer protection and cybersecurity without stifling innovation. They should pursue continuous and regular discussions with FinTech entrepreneurs, which benefits both sides. Regulators can gain a better understanding of the technology and new perspectives that can help them design adequate protection policies that are friendly to innovators, while entrepreneurs would become more attuned to key concerns and issues, especially regarding consumer data protection and cybersecurity.
There are also new solutions emerging in this space, including “RegTech” or regulatory technology. This new technology uses data analytics to assess market risks and solve regulatory challenges to help businesses comply with regulations in a more cost-effective and efficient manner. In the first half of 2017, global investment in RegTech firms totalled $591 million with 60 transactions and it is on track to surpass records from 2016.
The increasing reliance on automated and electronic systems in banks represents a risky venture because it requires them to be secure from cyberattacks. Financial information is a high-value target for many cybercriminals, and it’s imperative that both startups and established companies be bound to maintain a minimum level of security. Fintech firms are increasingly attractive targets and typically have fewer resources dedicated to cybersecurity, as they prioritize growth and product-market fit. Governments have to calibrate their policies and regulations to ensure an adequate level of cybersecurity and data privacy while encouraging innovation.
The mismatch between technology and regulation will grow
The gap between technology and regulation is acute in fintech and particularly so with respect to cybersecurity in the fintech context. This is the unavoidable result of mixing solutions that are evolving at a rapid pace with regulatory frameworks that change far more slowly. Faced with this gap, here’s something regulators should not do: rush in and implement hasty regulations that could end up impeding innovation. At the same time, that doesn’t mean regulators should do nothing at all. There should be a proactive, ongoing dialog between regulators and fintech entrepreneurs. That can help provide regulators with an improved level of understanding of the technology, giving them important perspectives that can help ensure that any new regulations are carefully designed and less likely to cause collateral damage to the innovation ecosystem. In addition, this engagement can benefit entrepreneurs by helping them better understand and anticipate key issues such as the need for consumer protection in relation to cybersecurity. This protection can include adding safeguards that can reduce the amount of consumer data at risk during breaches, as well as steps to minimize the damage when a breach is detected.