Daniel J. Goldstein and Jason P. Boova
The emergence of FinTech offerings as an alternative to traditional banking services is resulting in a broad array of new choices for consumers. FinTech companies have moved quickly to bring their offerings to the market, putting new and innovative technologies in the hands of consumers to facilitate delivery of their services.
But as many FinTechs are starting to discover, businesses that rely heavily on the collection and processing of sensitive consumer personal information face a variety of rapidly evolving risks, perhaps, most significantly, the continual threat of cyberattacks. That threat is accompanied by the additional risk posed by regulator focus on the ability and effectiveness of FinTech companies to secure customer data.
Like banks and other financial institutions, FinTech companies represent an enticing target for cybercriminals. High-value data assets sought by cybercriminals are often stored, processed, and transferred to third parties as a matter of day-to-day business for FinTechs. Take, for example, alternative lenders. In order to apply for a loan, an individual typically must provide non-public personal financial information that may include a social security number or tax identification number, bank statements, paystubs, W2s, and even, in some instances, a bank account log-in and password in order to verify income.
Large US and multinational banks have discovered that cybercriminals are actively seeking a way to break through their network defenses and access this type of information nearly as soon as the latest, most technologically advanced security solution is in place. For some of these institutions, cybersecurity is one budget line for which resources are nearly unlimited. As FinTechs grow and their volume of high-value data surges, bad actors are certain to focus on gaining access to that data as well.
What Will the Regulators Do?
These risks have become all too real for financial institutions in recent years, and the Consumer Financial Protection Bureau (CFPB) has brought its first successful enforcement action in order to protect consumers against unauthorized access to, use of, or theft of information about them. The action against an online payment company requires it to fix its security practices, pay a $100,000 penalty, undergo twice annual security assessments, and complete an annual security audit. The CFPB alleged that the company had misrepresented its data security practices and the safety of its systems. FinTechs have come under increasing scrutiny from the CFPB in recent years, and, with this enforcement, the CFPB is seen by some as putting the emerging sector on notice of heightened oversight.
The CFPB's Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) authority under the Dodd-Frank Act provides it with a set of tools to protect consumers not only from intentional acts by FinTechs, such as misrepresenting the levels of data security provided in a publicly facing security policy (a deceptive act), but also from unintentional acts or oversights that may be deemed unfair. With its first data security-focused enforcement action in the books, the CFPB can be expected to continue to pursue enforcement actions for data security practices alleged to violate UDAAP. The action and order also indicate that the agency is focused on proactive security measures, given that the action was not prompted by a data breach.
It is worth noting that the CFPB is a member of the Federal Financial Institutions Examination Council (FFIEC), which has put a sharp focus on the security of consumers' personal information in recent years. In 2015 the FFIEC issued its Cybersecurity Assessment Tool, providing financial institutions with a set of controls against which to assess their existing cybersecurity measures as well as their preparedness to respond to cyber incidents. The CFPB and other financial services enforcement agencies have established expectations that organizations within their jurisdiction, whether a traditional bank or a FinTech company, will have conducted cybersecurity assessments using the tool, in whole or in part.
In short, FinTechs should be particularly wary of potential UDAAP violations. In the FinTech environment, the risks involved with data collection, processing, sharing, and storage must be well managed, and protections appropriate to those risks must be implemented.
Gaining Board Awareness to Mitigate Data Risk
A FinTech company's Board of Directors, often comprised of representatives from venture capital firms, along with executive officers, is a key component in managing data risks. Particularly at young FinTech companies with immature data risk and cybersecurity programs, efforts should be taken to increase Board awareness of critical business processes that require sensitive consumer data and the need to mitigate the privacy and security risks. In fact, the CFPB's recent order requires timely reporting by management to the Board of Directors on the status of data security compliance obligations, placing ultimate responsibility for the data security program squarely on the Board.
A solid data and cybersecurity program starts at the top, with Board and C-level buy-in setting the tone, filtering down and throughout the organization, and leading to budget approvals necessary for program development and implementation. Public statements to consumers regarding security measures should be carefully vetted by Board members and/or appropriate executives to ensure accuracy and limit the risk of regulatory scrutiny for deceptive practices.
The stakes are high, including risk to FinTech companies' valuations. Equity stakeholders need only to look at recent data breaches at large financial institutions and well-known retailers to understand the possible impact of a data breach in terms of direct costs to control and remediate incidents along with loss of shareholder value, damage to reputation with customers, and scrutiny from regulators. In some high-profile cases, C-level executives were held accountable and lost their jobs.
Tailoring Data Risk Governance to the FinTech Environment
In a FinTech business environment that favors speed and agility in getting to market, the need for a data governance strategy and program tailored to a FinTech's unique environment may be overlooked or inadequately developed. However, going to market with an inadequate data governance program can turn out to be a costly move.
FinTech companies should assess their current data security governance and organizational responsibilities to determine their adequacy, relative to inherent data and cybersecurity risks. An executive officer or sponsor should maintain oversight of the program, or, in the absence of any governance program, lead its development. In addition to technical controls, such as encryption, where appropriate, the program should incorporate well-documented policies and procedures along with training and ongoing communication to ensure the program is driven out to, and adopted by, employees and third parties who process data.
Data governance programs should be structured to facilitate continuous improvement and further optimization of the FinTech's data security and cybersecurity, amid ongoing product and service innovation. Tailored monitoring, testing, reporting, corrective action, and remediation processes that sufficiently account for the risk and complexity of the company's operations are critical to maintaining a strong data security program. The program should proactively incorporate ongoing analysis and reporting to the Board and executive management, with corresponding reporting of corrective actions and program improvements.
Particularly important for FinTech companies is ensuring these activities evolve and strengthen to account for growth in a rapidly evolving business sector. Such growth often results in new systems (or increased demands on existing systems) and an increase in the use of third-party vendors. The data governance program must include a process to track and address the data risks that accompany growth.
Managing Third-Party Data Risk
FinTech companies of all sizes and at every stage of the growth curve leverage the use of third parties to complete various application, underwriting, funding, and servicing processes. The use of a third party at any stage of the product life cycle means trusting those parties with varying degrees of sensitive customer data while remaining accountable for the security and integrity of that data.
In order to manage the risks posed by entrusting high value data to a third-party ecosystem, FinTech companies should conduct thorough due diligence on a potential vendor's data security prior to engaging that party and sharing consumer data. That diligence should focus on the vendor's technical security, its data security governance, and, critically, its ability to respond to a cyberattack quickly and effectively in order to safeguard the data assets with which it has been entrusted.
In addition, once engaged, third-party vendors must be subject to assessment or audit of their data security programs by the FinTech (tailored according to various factors, such as geography, data type, type of processing, and whether there is sub-processing taking place). The results should be reported to the Board and executive management so that they remain aware of current risks, actions being taken to control those risks, and additional funding required for ongoing data security and cybersecurity improvements.
In an emerging marketplace experiencing unprecedented growth, the development of FinTech companies' products and services can easily outpace the attention given to the security of highly sensitive and valuable customer personal information, and to the regulatory requirements surrounding that data. As the rapid growth of the FinTech space continues, cybercriminals and regulators alike are sharpening their focus on the effectiveness of FinTechs' efforts to safeguard this data. The CFPB in particular can be expected to be active in seeking to protect consumers from the risks posed by the inadequate safeguarding of their data.
FinTechs should consider assessing the maturity and effectiveness of their data security programs using the FFIEC Cybersecurity Assessment Tool or other available data/cybersecurity frameworks such as those published by the National Institute of Standards and Technology (NIST) or International Organization for Standardization (ISO).
While cybercriminals are counting on inadequate protections and the availability of the data they so actively seek, consumers and regulators fully expect that proper protections will be in place.
Treliant Risk Advisors, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry, publishes New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the 2016 Outlook issue.