Fintech has transformed people's connections with money in many ways. It has brought access to financial services into corners of the world previously unserved or under connected to even basic banking. It's the star use case for fintech companies, and they call it "banking the unbanked". For proof, they point to the fact that the Council of Europe estimated that in 2019, 520 million Africans had registered mobile money accounts utilizing mobile phone apps. That's a lot of accounts - and a lot of personal data.
This data trend strengthens when you look at the developed world, at "banking the banked", so to speak, where fintech companies such as Revolut and Paypal have revolutionized payments and collected even more data on their users. As a result, data security for fintech companies, both in regulation and in practice, is equally revolutionary.
One definition of fintech is that of "smaller companies using technology to secure:
- Improvements in the customer experience;
- Disruption to business models, changing the competitive picture for firms."
At Proxet, we have financial enterprises of all sizes among our clients. But they all have in common the desire to improve customer experience, and if not disrupt the industry, to at least gain an edge over their competitors.
Our projects have covered a variety of facets of financial services as well as privacy and data and network security. In this post, we'd like to share a bit about how we see data security for fintech companies and network security from the data privacy, legal and network coherence points of view. How do their customer experience improvements and competitor disruptions also co-exist with data security requirements? How should they handle the possibility of a data or operations technology breach?
Fintech Sector
Ask about fintech privacy types, and the first thing that comes to mind is often General Data Privacy Regulation (GDPR). The European Commission passed GDPR in 2016. The move was a landmark for data protection, and though it needed tweaking, the general idea was strong enough to handle backlashes from industry lobbies and governments alike.
The transformation that GDPR brought as a data security requirement was sweeping. Because GDPR touched on the data of EU citizens wherever they (meaning both citizens and data) were in the world, companies everywhere had to begin seeing privacy and security in a new light. The EC gave the world two years to prepare, and began ramping up enforcement just as the COVID pandemic forced a rethink on the balance between privacy and public need.
Privacy realization examples both good and bad still highlight the fintech sector, despite the obvious and appropriate focus on medical records since the pandemic hit. As the scope of what is possible technologically expands, the consequences for privacy and data handling become more vivid as well. For example, Revolut can share your location with other Revolut users, which might be handy if you're trying to settle a bar tab quickly. but is only part of the data it collects, and was sharing with Facebook in 2020, at least. GDPR and regulation like it is supposed to drive companies away from sharing data without the individual's knowledge, and it has had some success. However, the responsibilities of the companies that hold your data go beyond privacy
Fintech Risks
Because fintech companies are engaged with clients' money, the risks they need to take into account are considerable. Data security methods have to take into account data network security and the rise of hacking. But there are other considerations.
One of the most contentious issues with financial institutions is the increasing need to ensure that the money involved wasn't obtained illegally and isn't being used for harmful purposes. As fintech companies become more like traditional financial sector companies, the rules regarding money sources and flows are more likely to be applied to them. With increasing regulation comes increasing amounts of client data. Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations stipulate that various types of data must be collected, stored, and when required, shared with the authorities.
The risk of facilitating the flow of illicitly-obtained money had been used by financial industry conservatives as a reason for keeping fintech development at a slow pace, but incidents such as the Danske Bank scandal of 2017-2018, which made public money laundering to the tune of 200 billion euro, brought that rationale into question. But as fintech's possibilities become mainstream, the banks' missteps are increasing scrutiny on their actions as well. Companies need to take this into consideration before they end up attracting regulators' attention.
Payments services and alternative lending platforms have also partnered with other tech companies in order to smoothen their business protocols. Revolut, as mentioned above, partnered with Facebook, Google and others in order to improve its KYC handling in order to prevent fraud, ostensibly. Tying user applications to social media accounts helps make sure that the applicant is actually that person, but it also connects social and private data in a way that creates a huge risk if there's a data breach.
“Fintech data security risk has accelerated with the increasing power of the tools and available. The consequences of a hack are only growing, and the legal complexities can make data and network security a nightmare for firms lacking experience. Partnering with a data engineering firm that has experience in specific regulations, especially GDPR, doesn't just smooth the way. It can be the difference between a barely viable product and something robust enough to survive in the real world.”— Vlad Medvedovsky, CEO at Proxet (ex - Rails Reactor) - a custom software development company.
Financial Data Security Methods
The basic data security methods are straightforward. It's the implementation, from correctly understanding your company's needs and the threats to it, to reducing the possibility - and consequences - of human error, to keeping tabs on trends in cyber threats, that makes data and network security difficult. In each phase of the process, having an experienced partner in both the technical and regulatory aspects of the process is a vital element of success. The first issue, understanding your company's needs, must cover both cyber threats and regulatory requirements. Though it is outside of the scope of this post, understanding the reporting requirements to customers and partners as well as to regulators once a data breach has been detected should be included in this discovery phase.
Engineering a solution for data security for fintech companies, especially for those trying to disrupt part of the market, is the next step, and it needs to be tailored to the threats and concerns uncovered in the first stage. Knowing whether an off-the-shelf solution will be sufficient takes an understanding of the field. It's a step that needs attention, because without it, you could be dealing with the best customer support team in the world - with the wrong product for your needs. Implementation itself could be a plug-and-play affair, or a constant tweaking based on your company's technology stack and business goals.
In the end, though, the best solution is only as good as the humans clicking on emails. Education starts in the C-suite and the decisions made by the company, and it includes an understanding of the importance of both data security requirements and how to bring this to the attention of employees. A data privacy and security engineering partner should be able to bring experience in education to the table as well as IT and OT solutions.
Data Security and Management
Data security for companies in fintech is no small matter, and the figures for 2021 are only bigger than ever. According to fintechnews.org, data breaches are up 17% over 2017. Data breaches are becoming more expensive as well, with the average cost of one rising to over $4 million per incident.
Writ broadly, the problem extends past the customer data that GDPR covers. Over 2019-2021, 83% of organizations responding to a survey had been affected by an operational technologies (OT) attack, such as ransomware affecting virtual machines. One such example from 2020 highlights the issue. Diebold Nixdorf, which has a share of more than one third of the worldwide ATM and payments software market, was hit in an OT attack in 2020. When it comes to virtual machines, the lines between data and operations become blurred, and the VMs become vulnerable in the same manner as data; from a network security point of view, they're another bit of code to protect. When it comes to protecting VMs, data security in networking now includes the network itself.
Conclusion
Data security for fintech companies small and large covers a range of data and data infrastructure requirements more than ever. At Proxet, pushing innovation in fintech while keeping data safe and private is one of our primary directions. Our experience with the financial industry, from retail banking to e-commerce can help your company navigate this complex environment.
