Staying Ahead of Evolving Risks Facing Fintechs

  • Gary Lynam, Director of ERM Advisory at Protecht

  • 03.04.2023 06:30 pm
  • #fintech

The fintech landscape continues to offer huge opportunities for growth and innovation, but the risk environment while pursuing these objectives is more challenging than ever before.

Not only is there fierce competition in this space, but technology is evolving at breakneck speed and the need to ensure customer-centricity is becoming non-negotiable. New risks are constantly emerging, existing ones are changing, and regulatory requirements around risk, compliance, audit, data governance and operational resilience are continually evolving – which grows even more complex as businesses increasingly operate across national borders.

As a result, fintech firms need to ensure their internal risk management programmes can keep up with today’s ever-evolving organisational and regulatory landscape, because any oversight in managing risk will have a significant business and reputational impact down the line.

The sudden collapse of Silicon Valley Bank is a stark reminder of the volatility and instability of the global financial system and the urgent need for financial institutions to build a risk framework to withstand any potential operational disruption.

With that in mind, what are the key risk management challenges that fintechs need to address, regardless of the size of the organisation, in order to avoid potential pitfalls and reach their full potential?

Third-party risk management

Regulatory controls are due to increase in the coming years, which means fintechs will need to implement optimised processes for managing risk when engaging with supply chain partners.

The outsourcing of critical processes and services to external vendors, such as cloud providers, means robust rules need to be in place to ensure transparency, sovereignty, and interoperability across data and services as well as ensuring that data security is appropriately managed.

In many jurisdictions, regulations relating to third parties are changing fast. So fintech firms must be appropriately equipped to manage the increasing degree of complexity in this arena and to provide evidence of their compliance with changing requirements.

Data governance risk

Data governance standards worldwide are rising, and regulators are asking for clear indications of who ‘owns’ risk and compliance data.

While many fintechs boast exceptional business data management, many cannot yet claim the same with regard to their own risk management and compliance data. As a top priority, fintechs must get on board with the fact that data governance applies to their own risk management and compliance programmes.

Cybersecurity risk

The exponential growth of the fintech industry has made it a top target for cybercriminals. Spreadsheets, email, and documents on shared drives are all vulnerable to a wide range of cyberattacks that include ransomware. A cybersecurity breach means that data privacy may be compromised and sensitive information, such as a fintech’s risk management weak spots, exposed.

Firms must take steps to ensure they can adequately manage and contain IT and cybersecurity risk. That includes keeping track of software development controls and monitoring external suppliers.

Compliance and audit risk

Meeting regulatory obligations is a legal requirement, and that means there is an associated risk of non-compliance, for example failing to meet all obligations or missing deadlines.

In addition to complying with regulations, businesses must also be able to show proof of compliance to regulators and any inability to do so represents a risk.

Anti-money laundering/counter-terrorism financing risk

Anti-money laundering (AML) and counter-terrorism financing (CTF) are vital areas for any financial services player to get right, especially those operating in the B2C/small business customer space. Challenger and innovative financial services offerings are particularly prone to infiltration by bad actors who find themselves cut off by more traditional financial service providers.

Failing at AML/CTF risk has huge potential consequences for fintechs, including loss of consumer confidence, steep fines, loss of licences to operate and even prosecution of the entity and its officers.

Building operational resilience

In the event that disaster does strike, firms must be able to respond quickly to ensure that operations can be maintained. The ability to recover quickly is crucial for being able to perform in whatever the new normal looks like following a major disruption.

For example, during the pandemic, firms that were highly reliant on manual processes, such as spreadsheets, email and documents on shared drives, exhibited much lower levels of operational resilience.

Regulators now expect fintechs to prepare for disruption in highly exacting ways that include having operational resilience plans and governance in place, together with detailed record keeping on scenario testing plans and processes to capture and rectify any weaknesses detected during resilience tests.

Last year, the Financial Conduct Authority, in partnership with the Bank of England and the Prudential Regulation Authority, formally finalised new Operational Resilience Rules for tougher financial regulation. By March 2025, financial institutions will face punishment for the first time for potential risk of operational disruption.

Making risk and compliance management a priority

Fintechs and financial institutions must put operational resilience at the top of their agenda and step up their efforts to build accountability for, and tolerance of, potential operational disruption. Although companies in the fintech industry are typically digitally advanced, many still operate with manual or siloed risk management systems that have been developed from the bottom up by individual departments across the business. This unsystematic approach not only creates unclear accountabilities for risks and controls at each point of the process but also makes it impossible to gain a global view of organisational risk.

By initiating a digitalised and automated Enterprise Risk Management (ERM) approach, firms ensure that all risks are described and analysed in a consistent way and that central libraries are built to provide one single, secure and auditable source of truth that can be relied upon for all risk-related questions.

This approach allows fintechs to manage all risks on a single platform in a consistent manner. Alongside initiating taxonomies for risk events, causes and controls, they will be able to dynamically link risks and controls to their incident and internal audit reporting process and gain real-time insights on their current risk profile. This makes it possible to proactively address evolving and new risk challenges, while making it easier for all stakeholders to collaborate and take ownership of their risk accountabilities.

By having the right ERM platform in place, fintechs can undertake better decision-making where risk is concerned at both a strategic and tactical level, which will improve their risk and compliance management, and enhance their regulatory relationships.
