Global Banking and Finance Review


    Supplier Assurance – FinTech’s route to well managed regulation


    Published by linker 5

    Posted on July 25, 2020


    Stuart Jubb, head of consulting at Crossword Cybersecurity, looks at how fintech start-ups can maintain their agility while reducing risk with supplier assurance

    The bar of entry to becoming an operator in the financial services industry is understandably high, as it is necessarily heavily regulated. The UK financial sector has evolved rapidly over the last five years with the growth of fintech businesses looking to drive innovation into the banking industry. As well as developing technology, new entrants must pay great attention to meeting the requirements of the regulators as well as ensuring that a ‘privacy by design’ approach is taken from the outset. There is a risk that founders might focus all of their energy on the development of innovative and cutting-edge technology offerings, to the detriment of meeting the demands of the regulator and broader privacy requirements.

    Exciting growth that must be regulated

    One of the key catalysts for the growth in the Fintech industry has been the Payment Services Directive 2 (PSD2), also known as Open Banking. PSD2 regulations ensure that banks create mechanisms to enable third-party providers to work securely, reliably and rapidly with the bank’s services and data on behalf of, and with the consent of, their customers.

    The FCA has been pioneering in encouraging the growth of the fintech sector in London through its regulatory sandbox programme. Since its launch in 2016, 89 firms have so far been accepted to test innovative products and services. The combination of this programme with the PSD2 legislation has seen huge growth in the UK’s fintech sector, with investment growing 38% from 2018 to 2019 to a massive $4.9 billion. The development of new and innovative applications and services is great for consumers, businesses and the banking sector as a whole, but each of those groups must be protected with the same gusto that the sector is known for. Regulation and legislation in the sector remain far reaching and, for new entrants, can be complicated to navigate, particularly as they are typically fast-moving start-ups used to working with agile methodologies and utilising a range of open source and third-party technology providers to bring their service to market rapidly. This kind of technology supply chain comes with risks that need to be closely managed and, as we’ll come on to, supplier assurance has a key role to play here.

    FinTechs and cyber security

    Unsurprisingly, information and cyber security feature heavily across much of the existing legislation that firms will need to consider. Legislation exists in all jurisdictions, and the more regions a firm operates in, the more legislation it will need to comply with. In the UK, the FCA’s handbook raises security in the section focussed on Processes and Systems (13.7), which in turn is concerned with operational risk. Generally, there is an ongoing focus on Operational Resilience in the UK financial regulatory environment, also seen in the Operational Resilience consultation launched by the Prudential Regulation Authority (PRA) in December 2019.

    The services a fintech business is offering and where it operates will define the security regulations it will be required to meet. PSD2, for example, has robust security measures within the legislation. Controls are mandated, with organisations having to implement “an effective operational and security risk management framework”, and the “framework should focus on security measures to mitigate operational and security risks.” The framework must also encompass outsourcing arrangements where appropriate, so if a company outsources any of its service provision to a third party, this supply chain risk must be understood and monitored as well. The framework needs to cover a broad range of security considerations including Risk Assessment, Protection (including Data Systems Integrity, Access Control, Physical Security), Detection, Business Continuity and Testing of Security Measures.

    The security themes that we have spoken about so far are part of a number of regulatory standards, including the Payment Card Industry Data Security Standard (PCI DSS) if card data is processed, stored or transmitted by the service. FinTech startups, as well as established firms, must also consider local differences in legislation. For example, those operating out of New York State must consider the New York State Department of Financial Services 500 series on Cyber Security (NYDFS 500).

    There are common themes across all of these requirements because, after all, their intent is much the same: to ensure that firms operating in the financial services industry are taking the right approach to reduce the risks of doing business. Firms should look at adopting an industry standard as a baseline to begin to satisfy all the areas of legislation that may apply to them. Many of these regulations draw upon standards such as ISO27001, and if this is used as a baseline, the controls in ISO27002 can be mapped across all the requirements that are applicable to the firm. Fintech businesses are often building APIs and as such must enter the market with the European Union General Data Protection Regulation (GDPR) ‘Privacy by Design’ principle at the heart of what they do.

    As an example, cyber security specialists typically approach these responsibilities as short-term, single-moment-in-time, instant assessments, often required on top of their day job of protecting the organisation’s IT assets and systems. It’s also common that technical cyber specialists are asked about assessing standards, cyber controls and governance, an area in which they may well have no experience. They’ll carry out these tasks as best they can, but won’t always see them as strategically important.

    FinTech needs supplier assurance

    The key point is that firms need to be thinking about how they build in supplier assurance as part of meeting these security and broader regulatory requirements from the outset, because the problem gets bigger and harder as companies increase their involvement with third parties up- and down-stream in the supply chain.

    Technology can automate the supplier assurance process, making it much easier to regularly review that all parties meet the necessary requirements and demonstrate due diligence. Doing so means companies are not only compliant, but also mitigate security risks. It also proves to other parties that systems and data can be connected, either to expand the service, in the case of a technology provider, or as a customer of the service. Additionally, when raising funds for expansion and growth, investors are highly likely to undertake due diligence, and an established third-party assurance process can greatly simplify this.

    Remember too that good software assurance practices do not just allow you to ensure that your suppliers meet the requirements set by you and your industry.  They make it possible for other companies to rapidly have confidence in your organisation, when they are considering a partnership that will make you part of their supply chain.

    Third-party assurance matters, and it’s better to start while small, using processes and tools that will scale with your fintech aspirations. Growth can be rapid in the sector, with small companies far more agile and able to jump on new opportunities. The trick is to make sure that the processes are in place to ensure that the ability to ride the wave does not become your undoing.
