February 22, 2018

Regulating Fintech: Addressing Challenges in Cybersecurity and Data Privacy


Financial technology, or fintech, has experienced phenomenal growth in the past few years. It refers to technological innovation in the financial sector and includes both back-end and consumer-facing services, ranging from cryptocurrencies like Bitcoin to peer-to-peer lending sites. In the first half of 2017, global investment in fintech companies reached 293 transactions totaling $8.4 billion. The rise of fintech has given way to new opportunities and alternatives in areas that only a decade ago were monopolized by traditional banks and lenders.

However, fintech also presents an immense opportunity for the financial industry. Financial institutions can leverage this new technology to improve their own efficiency, lower operating costs, and offer a wider range of products. In the near future, we will see growing interaction between fintech startups and traditional financial institutions. PwC’s “Global FinTech Report 2017” reveals that 82 percent of financial institutions expect to increase their partnerships with fintech firms within the next five years. While this is likely to result in greater convenience and cost savings to customers, it is not without risks.

As more systems run by different entities become connected, more cyber vulnerabilities are likely to arise. A common source of such weaknesses is the interface between systems, because two systems that were not designed at the same time by the same developers often pose compatibility issues and security challenges, especially given the limitations of legacy technology. This poses a difficult problem for software engineers. When connecting two disparate systems, the engineers on either side typically do not have access to how the other system works, making it harder to thoroughly identify all potential sources of vulnerability.

The best way to overcome integration issues is to conduct thorough testing, integrate data more closely, and clearly delineate areas of responsibility between all parties. This will minimize the cybersecurity risks and compatibility issues during the integration of interfaces between different digital financial systems. However, these processes are time-consuming and expensive.

One of the most remarkable feats of fintech has been the progress toward financial inclusion and expanding access to financial services to previously unbanked populations around the world. According to the World Bank, the number of unbanked adults decreased by 20 percent, from 2.5 billion in 2011 to 2 billion in 2014, and fintech is one of the main drivers of this decline. However, the expansion of financial services and fintech to this underserved population presents risks. Because it is often composed of new technology users, this population typically has little or no knowledge of cybersecurity risks and is especially vulnerable to hacking if targeted. Many cybercriminals gain access to networks and accounts because of human error. Simple techniques that are often used include spear-phishing, where people mistakenly open spam emails and download malicious attachments or enter confidential information into fake websites to which they are redirected. It is important to raise awareness of cybercriminal risks and educate the newly banked on digital and financial literacy, teaching them best practices for staying secure when engaging in financial transactions online.

Data privacy

In addition to cybersecurity, the integration of new technology with traditional systems will raise concerns regarding data collection and data privacy. Fintech companies collect large amounts of data about their customers, including sensitive personal information and financial records. A growing share of fintech firms are also beginning to harvest alternative data, essentially collecting data on a customer’s online spending behavior and social media patterns to trace their digital footprint. The data collected is typically stored and used for analysis for the purposes of marketing, sales, and financial decision-making like generating a credit score to determine a customer’s risk profile.

This creates security concerns as a growth in the integration of banks’ systems with fintech firms’ software means that more third parties will have authorized access to customer data, despite the fact that they may have differing approaches to security and follow distinct regulations. Although fintech firms in the US are subject to certain federal regulations, unlike banks, they are currently not regulated by a federal banking regulatory agency.

This collection of alternative data also poses legal questions as to whether customers are aware that their online behavioral data is being harvested. Did customers give consent and, more importantly, can they withdraw their consent at any time? It sparks legal questions related to data ownership and whether this data can be shared with third parties. Fintech firms must have comprehensive and adequate privacy terms to comply with current regulations and keep customers well-informed.

The presence of valuable personal information makes fintech companies increasingly attractive targets for cybercriminals. Many fintech firms understand the importance of cybersecurity, given that the uptake of this new technology relies heavily on customers’ trust in these firms to safeguard their data. However, the unfortunate truth is that the priority for nearly all fintech startups is on driving sales, and they have fewer resources available for secondary concerns like cybersecurity.

Regulatory challenges

Regulators are experimenting with tools to oversee this new industry to ensure customer protection and cybersecurity without stifling innovation. They should pursue continuous and regular discussions with fintech entrepreneurs, which is mutually beneficial. Regulators can gain a better understanding of the technology and new perspectives that can help them design adequate protection policies that are friendly to innovators, while entrepreneurs would become more attuned to key concerns and issues, especially regarding consumer data protection and cybersecurity.

In 2015, the UK pioneered the regulatory sandbox concept to encourage fintech innovation and ease regulatory burdens while ensuring adequate customer protection. The sandbox involves a temporary relaxation of certain regulatory requirements to allow early-stage startups to test their products for a limited period of time without having to obtain a full license and regulatory permissions, effectively reducing the barriers to entry and costs for startups. This temporary adjustment of regulatory requirements allows startups to conduct real-world tests to improve their products based on customer feedback.

Regulatory sandboxes have now taken hold in locations around the world including Abu Dhabi (UAE), Australia, Canada, Hong Kong, Malaysia, Singapore, Switzerland, and Thailand, among others. US Congressman Patrick McHenry introduced the regulatory sandbox to the House of Representatives as part of the Innovation Initiative in September 2016, but it has yet to pass. It is considerably more difficult to set up a sandbox in the US because of the diverse range and sheer quantity of regulatory agencies that would have to be involved, and they all interpret this issue from distinct jurisdictional perspectives. Examples of stakeholder US agencies include the Commodity Futures Trading Commission, Office of the Comptroller of the Currency, Securities and Exchange Commission, Financial Industry Regulatory Authority, Federal Deposit Insurance Corporation, and more.

There are also new solutions emerging in this space, including “regtech” or regulatory technology. This new technology uses data analytics to assess market risks and solve regulatory challenges to help businesses comply with regulations in a more cost-effective and efficient manner. In the first half of 2017, global investment in regtech firms totaled $591 million with 60 transactions and it is on track to surpass records from 2016.

Another area of particular interest to regulators is blockchain, which is a decentralized and open digital ledger that creates a real-time chain of encrypted blocks of all past transactions. Compared to the traditional front-, middle-, and back-office functions in financial institutions, blockchain is faster, more transparent, and more efficient. The immutability, transparency, and instantaneity embedded in this technology can pave the way for less costly financial transactions. There is potential for significant back-office cost savings with blockchain, and the transparency it offers is very suitable for regulation and auditing purposes.

Banks are facing increasing pressure to adopt and integrate emerging technology to offer cheaper and faster services, such as peer-to-peer (P2P) low-cost online lending services, P2P transfers to replace hefty wire transfer fees, and robo-advisor investment management services. Banks are actively considering applications of blockchain in trade finance and supply chain management, given that the technology can improve information security and help to better predict, identify, and analyze fraud.

Nonetheless, there are weaknesses of a decentralized system that regulators must grapple with. P2P lending presents higher default risks, greater cybersecurity risks, and P2P lenders have been exploited by terrorists, money-launderers, and fictitious companies. A decentralized system with tightly integrated digital transactions could mean that a breakdown in one area of the financial system could spread in a matter of seconds to other financial markets.

The increasing reliance on automated and electronic systems in banks represents a risky venture because it requires them to be secure from cyberattacks. Financial information is a high-value target for many cybercriminals, and it is imperative that both startups and established companies be bound to maintain a minimum level of security. Fintech firms are increasingly attractive targets and typically have fewer resources dedicated to cybersecurity, as they prioritize growth and product-market fit. Governments have to calibrate their policies and regulations to ensure an adequate level of cybersecurity and data privacy while encouraging innovation.

2 Reader Comments

Nice post, thank you.

Eyal Nachum (Fintech expert) agrees with your post. Fintech companies have to plan and build in effective ways from the start to address cybersecurity, data security, and privacy protection. This is important because these meticulous threats are propagating and thus create a growing danger to fintech companies and the clientele who use their services.

The views expressed in the Government Innovators Network blog are those of the individual author(s) and do not necessarily reflect those of the Ash Center for Democratic Governance and Innovation, the John F. Kennedy School of Government, or of Harvard University.
