Compliance: Mortal Enemy of Fintech Innovation?
February 10, 2017
By Dan Schroeder, partner-in-charge, Information Assurance Services
PSA for fintech innovators: If you haven’t already, you will soon run into a brick wall ominously known as “vendor management.”
Anyone with even a modicum of experience in the fintech space knows about the onerous process of becoming a vetted and approved vendor of financial institutions.
The onboarding process that larger financial institutions require for fintech firms can take six months to a year or more. That process often requires fintech firms to produce multiple independent assurance reports, such as the AICPA’s Service Organization Control (SOC) reports, a PCI Report on Compliance, or an ISO 27001 certification.
On top of those independent assurance reports, banks almost always perform their own intensive due diligence—all of which costs the fintech provider countless hours of internal meetings and documentation work and thousands of dollars in fees.
High cost of due diligence
This time-consuming and resource-intensive compliance regimen didn’t spring up out of nowhere. Banks are justifiably paranoid. As regulators have gotten wise to the role vendors have played as the entry point for breaches of larger institutions, they have demanded that banks scrutinize the data security practices of their supply chain partners as closely as they do their own operations.
“FinTechs face tougher penalties for data breach, in part, because they typically collect and retain the most personal data about a large group of consumers…Consumers and agencies justifiably expect the highest level of protection from the FinTech industry because of the special relationship of trust.” – Privacy and security attorneys in a National Law Review article
Rather than carefully assess the real risks that a vendor poses to an institution and its customers, most banks throw a one-size-fits-all blanket of compliance over every potential vendor. This creates a tremendous overhead burden on what are typically lean organizations.
This phenomenon is slowing the wheels of fintech innovation. As stated in a recent American Banker article, “The U.S. fintech sector is in danger. There is a real risk that financial innovation will fall between the cracks of what is already a convoluted system of regulation in this country.”
OCC seeks to foster ‘responsible innovation’
The good news is that the Office of the Comptroller of the Currency (OCC), which has made recent moves to claim the fintech regulatory space, recognizes the need to foster “responsible innovation” in the financial sector.
In a March white paper outlining the agency’s vision for responsible innovation in the federal banking system, Comptroller Thomas Curry stated, “Innovation is not free from risk, but when managed appropriately, risk should not impede progress. Indeed, effective risk management is essential to responsible innovation.”
“[M]any startups have the challenge of defining a complex regulatory compliance model with a very small or thin team…They have to spend a lot of cycles figuring out what they need to be in compliance with and then build and institutionalize their program.” – Chief digital officer with Silicon Valley Bank in an interview with The Wall Street Journal
The phrase “effective risk management” has become ubiquitous in government and industry. Yet achieving it remains elusive for most organizations—from fintech startups to highly regulated financial institutions to the very governmental agencies that regulate them.
Organizations that assess and manage security and privacy risks early in the technology design process will be better positioned to scale, effectively and efficiently, the regulatory and vendor management walls that would otherwise block their path. That, in turn, fosters greater innovation and a stronger competitive advantage in this vital sector.