Enterprise Risk Management for fintech: understanding – and addressing – the key risk and compliance challenges
Gary Lynam, Director of ERM Advisory at Protecht
The fintech industry continues to grow at pace, with digitally agile firms harnessing the power of ever-evolving technology to deliver innovative services and seamless customer experiences. The dynamic nature of the sector, combined with a pressing need to stay on top of technology advancements, means that rapid evolutionary growth is very much the operational norm for start-ups as well as for more established players.
However, this constant cycle of change throws up some key risk and compliance management challenges. As a consequence, fintech firms need to ensure their internal risk management programmes can keep up with today’s fast-changing organisational and regulatory landscape, because any risk that is overlooked will have a significant business and reputational impact down the line.
The collapse of the crypto exchange FTX Group and its affiliated crypto hedge fund Alameda Research highlights what can happen when the right risk management systems aren’t in place, and underlines the importance of implementing, from the outset, a centralised enterprise risk management (ERM) strategy that delivers an integrated view of risk across the business.
Let’s review some of the key risk areas fintech firms will need to ensure they can appropriately manage.
Cybersecurity risk
The exponential growth of the fintech industry has made it a top target for cybercriminals. Spreadsheets, emails, and documents on shared drives are all vulnerable to a wide range of cyberattacks, including ransomware. A cybersecurity breach means that data privacy may be compromised and sensitive information exposed, including details of a fintech’s own risk management weak spots.
Firms must take steps to ensure they can adequately manage and contain IT and cybersecurity risks. That includes keeping track of software development controls and monitoring external suppliers.
Vendor and third-party risk management
With regulatory controls set to increase in the coming years, fintechs will need to implement optimised processes for managing risk when engaging with supply chain partners.
The outsourcing of critical processes and services to external vendors, such as cloud providers, means robust rules need to be in place to ensure transparency, sovereignty, and interoperability across data and services as well as ensuring that data security is appropriately managed.
In many jurisdictions, regulations relating to third parties are changing fast. So fintech firms must be appropriately equipped to manage the increasing degree of complexity in this arena and to provide evidence of their compliance with changing requirements.
Evolving data governance standards
Data governance standards around the globe are rising and regulators are increasingly asking for clear indications of who ‘owns’ risk and compliance data.
While many fintechs boast exceptional business data management, many cannot yet claim the same with regard to their own risk management and compliance data. Fintechs must, as a top priority, get on board with the fact that data governance applies to their own risk management and compliance programmes too.
Compliance and audit risk
Meeting regulatory obligations is a legal requirement, and that means there is an associated risk of non-compliance, for example failing to meet all obligations or missing deadlines.
In addition to complying with regulations, businesses must also be able to show proof of compliance to regulators and any inability to do so represents a risk.
AML and CFT risk
Anti-money laundering (AML) and counter-terrorism financing (CFT) are vital areas for any financial services player to get right, especially those operating in the B2C/small business customer space. Challenger and innovative financial services offerings are particularly prone to infiltration by bad actors who find themselves cut off by more traditional financial service providers.
Failing at AML/CFT risk has huge potential consequences for fintechs that include loss of consumer confidence, steep fines, loss of licences to operate and even prosecution of the entity and its officers.
Operational resilience
Should disaster strike, firms need to be able to respond quickly to ensure that operations can be maintained. In addition to being able to withstand disruptive events, the ability to recover quickly and pivot fast is crucial for being able to perform in whatever the new normal looks like following a major disruption.
For example, during the pandemic, firms that were highly reliant on manual processes, such as spreadsheets, email and documents on shared drives, exhibited much lower levels of operational resilience.
Regulators now expect fintechs to prepare for disruption in highly exacting ways that include having operational resilience plans and governance in place, together with detailed record keeping on scenario testing plans and processes to capture and rectify any weaknesses detected during resilience tests.
On 31 March 2022, the Financial Conduct Authority (FCA), in partnership with the Bank of England and the Prudential Regulation Authority, formally finalised its new Operational Resilience Rules and a phased approach to tougher financial regulation that will, for the first time, penalise financial institutions for the potential risk of operational disruption by March 2025.
Fintechs and financial institutions must put operational resilience at the top of their agenda and step up their game in building accountability and tolerance against potential operational disruption.
Taking ownership of risk and compliance management
Despite the fact that companies in the fintech industry are typically digitally advanced, many still operate with manual or siloed risk management systems that have been developed from the bottom up by individual departments across the business. This piecemeal approach not only creates unclear accountabilities for risks and controls at each point of the process but also makes it impossible to gain a global view of organisational risk.
Instead, firms should be initiating a digitalised and automated Enterprise Risk Management (ERM) approach that ensures all risks are described and analysed in a consistent way and that central libraries are created to assure one single, secure and auditable source of truth that can be relied upon for all risk-related questions.
By doing so, fintechs will be able to manage all risks on a single platform in a consistent manner. Alongside initiating taxonomies for risk events, causes and controls, they will be able to dynamically link risks and controls to their incident and internal audit reporting process and gain real-time insights on their current risk profile. This in turn makes it possible to proactively address evolving and new risk challenges, while making it easier for all stakeholders to collaborate and take ownership of their risk accountabilities.
With the right ERM platform in place, fintechs will be able to undertake better decision-making where risk is concerned at both a strategic and tactical level, improve their risk and compliance management, and enhance their regulatory relationships.