Fintech Companies: Ignore Security- and Privacy-by-Design at Your Peril
February 10, 2017
By Dan Schroeder, partner-in-charge of Information Assurance Services
Heightened regulatory and industry scrutiny of data-security practices is elevating security-by-design and privacy-by-design to critical status for companies in the fintech ecosystem.
Fintech innovators that believe they can defer privacy and security risk management until the company is operating and profitable are in for a rude awakening. In addition to growing regulatory scrutiny, they also may be seen as toxic to potential bank customers and other trading partners.
Scrutiny of online payments company
In March 2016, the Consumer Financial Protection Bureau (CFPB) slapped online payments company Dwolla with a $100,000 civil penalty for misrepresenting its data-security practices. The CFPB also ordered Dwolla to adopt and implement reasonable and appropriate data-security measures to protect consumers’ personal information, train employees in data protection, and stop misrepresenting its data-security practices.
The order is notable not only as the CFPB's first data-security enforcement action, but because Dwolla had not reported, and the CFPB did not find, any actual data breach: the penalty was for the gap between the security practices Dwolla advertised and the practices it actually had.
A National Law Review article noted, “The CFPB used Dwolla as a test case, (1) to provide guidelines to other companies on what it believes to be reasonable and appropriate in the arena of privacy protection, and (2) to warn other FinTech companies whose privacy practices may be non-compliant.”
The business impact of this consent order likely goes beyond the time and expense of meeting its requirements. The reputational impact likely has already disrupted the company's deal flow and sales pipeline. Prospective customers and business partners may reconsider the potential costs of doing business with an online payments company rebuked for "deceiving consumers about its data security practices."
The case also could be a harbinger of what is to come as fintech comes under greater regulatory scrutiny. The overall cooling effect of regulatory compliance on fintech innovation is yet to be seen. However, big banks’ vendor management protocols already form brick walls that impede many fintech companies’ innovation cycles.
Faster time to cash flow
Emerging and established fintech companies can scale those walls more efficiently and effectively by adopting a security-by-design and privacy-by-design mindset.
While perhaps counterintuitive, taking the time to thoroughly assess and mitigate risks from the outset actually can accelerate time to market. As the introduction to the OWASP Secure Coding Practices Quick Reference Guide puts it, "Generally, it is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach."
Even more important, clearing compliance and regulatory hurdles more quickly and easily translates into faster time to cash flow.
So how do you implement security-by-design and privacy-by-design? Rather than attempting to "bolt on" privacy and security controls at the point where the product runs into a regulatory or vendor-management brick wall, you perform a thoughtful risk assessment during the architecture and design phase, when its findings can still shape the design instead of forcing a retrofit.
Imagine sitting down at the table with prospective financial institution buyers, investors or even financial regulators, already armed with assurance reporting that provides a high degree of transparency into your company’s security and privacy risk management practices. Rather than building a compliance program from scratch, you are empowered to show stakeholders that your organization understands the risks that it represents to them and takes the appropriate steps to manage those risks.
Not only do security- and privacy-by-design save time and money that otherwise would be spent retrofitting code later on, but these business practices also are becoming business imperatives in an industry that increasingly is under the regulatory and vendor management microscope.
For more information, contact Dan Schroeder at dan.schroeder@aprio.com.
About the Author
Dan Schroeder
As a Partner of Aprio’s Information Assurance Services team, Dan applies his over 25 years of experience in IT, operational and risk management functions to provide guidance on cybersecurity and privacy risk management strategies to the CISOs, CIOs and Internal Counsel of domestic and international technology-based businesses. In addition to helping clients establish, monitor and maintain effective information security and privacy risk management programs, Dan specializes in providing risk assessments and attestation services to address PCI, ISO, CMMC, FedRAMP and other leading privacy and security protocols.