Sean Arrowsmith explores the importance of a ‘privacy by design’ approach from the outset for new entrant banks and fintechs in the Open Banking era.
The bar of entry to becoming an operator in the financial services industry is understandably high as it is necessarily heavily regulated. The UK financial services sector has evolved rapidly over the last five years with Open Banking enabling fintech businesses and banks to work together to drive innovation into the banking industry.
However, there is a risk that founders might focus all of their energy on the development of innovative and cutting-edge technology offerings, to the detriment of meeting the demands of the regulator and broader privacy requirements.
One of the key catalysts for growth in the fintech industry has been the Payment Services Directive 2 (PSD2), also known as Open Banking. PSD2 enables financial institutions and third-party technology companies to use APIs to connect and build new banking applications and services for their customers. PSD2 regulations ensure that banks create mechanisms to enable third-party providers to work securely, reliably and rapidly with the bank’s services and data, on behalf of and with the consent of the bank’s customers.
Unsurprisingly, information and cyber security feature heavily across much of the existing legislation that firms will need to consider when partnering with third parties in this way.
Legislation exists in all jurisdictions and the more regions a firm operates in, the more legislation they will need to comply with.
Outside of PSD2 there is a general ongoing focus on Operational Resilience in the UK financial regulatory environment, as seen in the Operational Resilience consultation launched by the Prudential Regulatory Authority (PRA) in December 2019. Here, organisations are required to implement “an effective operational and security risk management framework” and the “framework should focus on security measures to mitigate operational and security risks.”
The framework must encompass outsourcing arrangements where appropriate: if a company outsources any of its service provision to a third party, this supply chain risk must be understood and monitored as well. The framework needs to cover a broad range of security considerations, including Risk Assessment, Protection (including Data Systems Integrity, Access Control, Physical Security), Detection, Business Continuity and Testing of Security Measures.
Security themes also exist in other relevant financial services standards, such as the Payment Card Industry Data Security Standard (PCI DSS) if card data is processed, stored or transmitted by the service. Depending on jurisdiction, the firm may also need to consider local legislation: for example, firms operating from New York State must consider the New York State Department of Financial Services 500 series on Cyber Security (NYDFS 500).
There are common themes across all of these requirements because, after all, their intent is much the same. They are there to ensure that firms operating in the financial services industry are taking the right approach to reduce the risks of doing business.
In order to do this, firms need to be thinking from the outset about how they build in supplier assurance as part of meeting these security requirements. If they don’t, the problem just gets bigger and harder as companies increase their involvement with third parties upstream and downstream in the supply chain.
The key is to have the technology in place to automate this process. This makes it much easier to regularly verify that all parties meet the necessary requirements and to demonstrate due diligence. Doing so means companies are not only compliant but also mitigate security risks.
Third-party assurance matters, and it’s better to start while small using processes and tools that will scale with your fintech aspirations.