Anil Somani

The FinTech industry is booming globally, thanks to the surge in mobile and online access. People love having banking at their fingertips, and financial organizations will do whatever it takes to make that experience more customized and meaningful. The only way to make that happen is by collecting and analyzing ginormous amounts of data, which is always at risk of theft or breach. Data in the hands of a FinTech is like Aladdin's lamp: it can unlock tremendous value, but if stolen, it will wreak havoc!

FinTechs started out with small, simple use cases. But very quickly they came under the scrutiny of regulatory compliance, as business models and financial products in the banking industry advanced rapidly. Aggregating financial information, providing alternative lending mechanisms, and verifying customers during account opening by screen scraping or facilitated login are a few such examples. The acquisition of a smaller FinTech by a larger one or by an established financial institution brings immense scrutiny in a very short period of time. For example, Venmo by PayPal and most recently Plaid by Visa.

In short, the pressure on FinTechs is intense around the awareness and sensitivity of data privacy and usage, as the surface area for a data breach has expanded exponentially. Compliance with new regulations such as GDPR and CCPA adds a further, albeit important, burden.

FinTechs can mitigate these risks by addressing GRC requirements

FinTechs should adopt a GRC-first approach. GRC cannot be an afterthought and has to be baked into the product or service offering right from its inception.

An end-to-end view of GRC is important. It helps companies attain absolute clarity about their existing risks and compliance posture. Having an end-to-end approach also gives the company better visibility of accountability across the organization. Ultimately, implementing this approach helps management in decision-making: it can help management pinpoint the weakest link in the chain and take steps to mitigate the associated risks. Some FinTechs started on this journey a few years ago by focusing on data first, establishing a single source of truth and exposing data as service APIs. This not only helped them advance GRC in terms of regulatory compliance, but also served as a business differentiator, giving them better consistency and speed in launching products.

As technology develops, new regulations are launched to ensure customer safety and safe business practices. Hence, continued awareness, education and training are fundamental to keeping up with the ever-changing global regulatory scene.

FinTech companies should think of GRC integration as an intelligent investment, as the cost of not having an overarching GRC program is much higher than the cost of actually investing in one. This is why sponsorship and commitment from the highest levels of the organization are critical for the meaningful implementation of tools, processes and programs to avert and manage risk.

Proactive audit and monitoring with predictive and prescriptive analytics are critical for dealing with a high volume of real-time events, identifying anomalies and mitigating risks. One of the prominent global card networks, which initially embarked on sophisticated monitoring to mitigate fraud, later expanded the same mechanisms to risk and compliance.

As the FinTech industry continues to grow by leaps and bounds, the law is still catching up, trying to keep the industry in check by launching new regulations. The thing is, customers like new experiences, but they like them even more when they know their data is safe and protected. In our world today, a data breach is worse than the plague. FinTechs need to do everything in their power to avoid falling into one of those death traps.

A lack of proper planning and governance to address the above risks definitely inhibits the revenue growth trajectory. Ignoring them is not an option, from both a regulatory compliance and a brand risk perspective. There are several ways for FinTechs to get intelligent about addressing GRC (Governance, Risk, and Compliance) requirements in the modern age.