The use of fintech – a catch-all term for any financial sector technology that’s used to digitize or streamline traditional financial services – is widespread today. Like most technologies, fintech introduces benefits through efficiency, but also creates potential operational risks at the same time.
Fintech concepts have been around for decades, but fintech as we know it today rose from the ashes of the 2008 economic meltdown. In the ensuing years, the world of fintech has grown rapidly and diversely. More recently, the COVID-19 pandemic has accelerated adoption of fintech, with an increased global reliance on seamless, contactless digital finance. According to a study led by the World Bank in December 2020, almost all types of fintech services (“lending” being the only exception) experienced strong growth through 2020. The forecast is sunny as well: according to a recent MarketWatch study, “the global financial technology market is expected to grow gradually and reach a market value of approximately $324 billion by 2026, growing at a compound annual rate of about 23.41% over the forecast period 2021-2026.”
As fintech adoption and markets expand, it is important to understand some of the challenges and risks faced by those delivering or adopting this technology:
Cloud Security: The speed, flexibility, and ease of use of cloud technology have made it the preferred platform for delivering fintech services. Cloud has enabled existing financial institutions to innovate, and reduced the barriers to entry for new players who now offer services like digital wallets, integrated payment/billing systems, transaction gateways, and mobile access to hard currency and blockchain/cryptocurrency banking – just to name a few.
But cloud services do not come without risk. They must be monitored, protected, and well-secured. Cloud providers will recommend best practices and offer guidance, but the ultimate responsibility remains with the customer deploying fintech services on those platforms. Increasingly, fintech companies are using a multi-cloud strategy to provide optimized service delivery and reduced costs, using CASB technology to enforce security policies between cloud providers, users, and devices.
Security-by-Design and Privacy-by-Design: In the race to market, fintech-driven companies may be focused on pure technology and rapid innovation. To do this at the expense of security- and privacy-by-design concepts is short-sighted. These fundamentals must be integrated into products, services, and processes right from the start. As regulatory environments become more demanding and customer expectations of security and data privacy increase, it’s essential to “build in” rather than “bolt on” these essential consumer protections.
Cyber risks: Like any digital enterprise today, fintech companies and those using their services are exposed to a variety of cyber risks.
– Malware attack: Fintech virtual services face heightened interest from criminal elements, not merely through individual customer breaches, but through broader ransomware attacks that can compromise systems and exfiltrate data. Layered security approaches and solutions are vital to help mitigate these dangers.
– DDoS attack: Motivated hackers can disrupt access to service and hold businesses for ransom. In a competitive environment, availability and reliability are paramount. The risks can be mitigated through the use of DDoS protections through CDN services and smart web filtering.
– Application breaches: Fintechs appeal to the modern digital user, so multiple interfaces must be supported. Traditional websites and mobile apps, on a variety of platforms, must be maintained and rigorously tested from an application perspective. Aggressive penetration testing and ethical hacking exercises can expose potential vulnerabilities before hackers find them. Best practices on using and testing open-source code are particularly important in these interconnected, multi-dependency fintech environments.
– Money Laundering: Fintechs, particularly those heavily involved with handling cryptocurrencies, are clear targets for money laundering. Illegal activities can be financed through the abuse of financial technology platforms; fintechs face the challenge of monitoring these often anonymous transactions. Sophisticated audit and transparency with business partners can help identify and prevent money-laundering for criminal and terrorist enterprise.
– Third-party Risks: Recent headlines have been filled with stories of third-party breaches that had serious impacts on otherwise secure organizations. Best practices on vendor management and service audit are essential to manage third-party risk. Zero-trust and least-privilege access approaches are key to minimize exposure.
Compliance Requirements: Early on, fintechs operated with minimal regulation, specifically positioning themselves as not being traditional financial institutions. Regulatory and compliance regimes are gradually catching up with technology advances, and fintechs are now under much closer scrutiny and are obliged to comply with GDPR, PCI DSS, and PSD2 frameworks, among others. A similar story has emerged in the world of cryptocurrency, where regulators are finally stepping in to bring order to the “wild west” of virtual money.
This business risk is substantial. Companies can face significant penalties for non-compliance, or choose to exit markets altogether. Binance, one of the biggest cryptocurrency exchanges in the world, simply announced they were suspending operations in Ontario, Canada rather than face the strict regulatory regime in the province.
Authentication: Financial institutions and fintechs have a constant challenge to authenticate the users and partners of their services, either directly or indirectly. Multi-factor authentication and biometrics are commonly used to establish and verify identity. More sophisticated solutions feature IAM systems that work across platforms, and AI that identifies and reacts to anomalous user behaviours. Looking ahead, passwordless authentication systems are gaining traction as well, blending security with ease of use.
The good news is that some fintechs are getting the security message. According to a recent KPMG report, the global investment by fintechs in cybersecurity quadrupled to $2B (USD) in 2020. It’s essential for all members in the value chain to do their part to secure their customers’ finances – and trust.
ISA Cybersecurity has an extensive range of cybersecurity advisory, assessment, and consulting services that can help guide your cybersecurity program, whether you represent a financial institution, a fintech startup, or simply communicate with them as a third party. Contact us today to learn more about how we provide cybersecurity services and people you can trust.