Top Six Risk Management Responsibilities for FinTechs | Synctera Blog (2024)

FinTech is an exciting opportunity for banks and FinTechs alike. Providing the infrastructure and technology necessary for FinTechs to securely deliver financial products to their end customers, FinTech Banking supports banks and FinTechs in managing risk and compliance commitments.

While effective risk management for FinTechs requires close coordination between them and their Sponsor Bank, there are specific responsibilities borne by the FinTech that must also be incorporated. This blog post examines the top six risk management responsibilities for FinTechs when partnering with banks.

1. Manage risk across all aspects of the business


Understanding, tracking, and mitigating risk is imperative to the success of a FinTech. Below are three categories of FinTech risk management that need to be top of mind:

Regulatory & Compliance Risk

Requirements within established areas of oversight such as:

  • Anti-money laundering (AML)
  • Know your customer (KYC)
  • Know your business (KYB)
  • Office of Foreign Assets Control (OFAC)

Application & Data Security Risk

Risks associated with:

  • Software development lifecycle (SDLC)
  • Data management
  • Information technology
  • Information security
  • Access controls
  • Data handling
  • Patch and security management
  • Vulnerability management
  • Penetration testing

Operational Risk

  • Human resources
  • Employee training
  • Third-party outsourcing
  • Any other risks presented by people, businesses, and processes

The risk landscape is further complicated based on the specific industry in which the FinTech participates. For example, high-risk verticals like real-money gaming, alcohol, cannabis, or online pharma have their own distinct regulatory overviews that must be understood and supported.


2. Business continuity planning

A business outage can catch organizations off guard, with detrimental results. According to a report from the Federal Emergency Management Agency (FEMA), 40% of businesses do not reopen following a disaster. Another 25% fail within one year.

Business outages can be prevented with adequate planning. A business continuity plan will help FinTechs to prepare for such events. For Sponsor Banks and regulatory bodies, areas of focus include:

  • Continued business operations
  • Formally documented business continuity plans
  • Risk assessment programs

A good resource is ready.gov, a national public service campaign to help people prepare for, respond to, and mitigate emergencies. The service provides details on how to establish and perform a business impact analysis (BIA), risk assessment, and testing program.

We recommend performing a BIA and risk assessment internally rather than outsourcing these activities. This evaluation reflects the internal risk of an organization, which internal resources would know best.

By developing a BIA and risk assessment program internally, business continuity, information technology, and information security teams can conduct deep dives into their programs, identifying gaps, and addressing how to bridge them. These internal resources can speak intelligently to a FinTech's risk management processes, which is precisely what the regulators want.

3. Business resiliency in the face of outages and failures

Significant interruptions can be reduced by ensuring the FinTech is operating efficiently and is well-prepared in the event of a system outage that may require a quick failover.

In the event of a disaster, the FinTech must be able to recover lost data and/or transactions from its internal operation, as well as from any dependent tools, systems, and third parties. In the event of data loss, the FinTech must work with its partners to gather the last replication event and recover any data the FinTech is responsible for managing. One important advantage of working with a partner like Synctera is that all of the system of record information is stored in our cloud at Google and replicated to a second location.

Business resiliency is strengthened when utilizing cloud-based, highly redundant environments based on multiple data centers, with high-availability modes with active/active service deployments. Industry-leading cloud service providers include Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We strongly recommend that you build on one of these platforms and that you set up a real-time replica to another geography.

4. Document everything

Similar to the procedures banks rely upon, a FinTech must also formalize the workflows and processes that support its business. This includes robust and formally documented policies, procedures, and processes.

Regulators of the Sponsor Bank will expect the same strong risk management controls to be in place at the bank and any of their FinTech partners. This means that you will be required to have securely designed application and support systems; documented, approved, and implemented programs for risk, compliance, information security, and business resiliency; and other processes.

5. Test, test, then test again

Prior to launch, a Sponsor Bank and its associated regulatory bodies must ensure that adequate testing has been performed. All appropriate bodies must sign off on the programs and processes of the FinTech before going live.

For example, penetration testing and regular vulnerability scans must be performed pre-launch. This is particularly important as a separate and/or integrated application, system, or platform will be used to facilitate transactions and trades, as well as to interface with customer, client, or prospect data gathered by the FinTech. There are many providers of these services and we at Synctera are happy to refer you to some of our partners.

6. Third-party risk management

The risk management responsibilities outlined above are not just applicable to the FinTechs and their Sponsor Banks, but extend to any of your strategic third parties and partners as well. As a result, third-party risk management (TPRM) and oversight is a growing area of focus for regulators and banks alike.

It’s almost impossible to build a FinTech solution that is completely under your control. Therefore, TPRM exists to measure and assess the risks associated with the partners you pick. Some risks are very manageable: it’s unlikely Google Cloud will fail, but a small startup with 1 engineer has a very different profile.

Understanding the potential risks associated with using a third party will help all organizations minimize negative outcomes whether strategic, reputational, financial, regulatory, or from a cybersecurity perspective. Remember that your partners are also motivated to proactively manage risk as they face the same detrimental outcomes as the FinTech and the Sponsor Bank if risk is not managed properly.

Active and ongoing oversight of third-party risk by FinTechs, whether in the past, today, or in the future, is imperative.

Along with insight into how the partner is performing its services, the FinTech must also understand:

  • the history of services and any prior issues,
  • all aspects of how the services are performed, and
  • how data are used throughout the lifecycle (created, stored, transferred).

Oversight must also include how your data is administered, monitored, restricted, and terminated.

Close relationships with partners, including frequent and ongoing communication, will ensure a thorough understanding of the services provided. Know the primary points of contact for each partner and work to build healthy relationships. Be sure to interact with partners on a regular basis, not just during times of duress or at contract renewal.

Here at Synctera, we consider ourselves a trusted advisor in this area and, in fact, do much of this work on behalf of our FinTechs by conducting TPRM on all our vendor partners. Additionally, we provide robust operational support to our FinTechs at launch and beyond, to ease the burden of these requirements and help navigate this space.

If you’re interested in learning more about Risk Management responsibilities for FinTechs or have any other questions about Synctera, we’d love to hear from you.


Article information

Author: Nathanael Baumbach
