Fintech startups are increasingly competing with incumbent banks, insurers, and financial management firms in the areas of lending, payments, financial management, and various forms of insurance.
The fintech industry has a number of advantages over financial service incumbents, including speed, low cost, and ease of use. Fintech companies also lack the heavy staffing and legacy facilities of existing financial services organizations.
Take a look at bitcoin as an example of innovation growing out of the fintech industry. Blockchain technology gives consumers the ability to bypass the banking industry. Investors were initially hesitant about blockchain technology because it was so far removed from traditional banking, but now the growth is real and sustainable, at least into the near future.
The Inevitability of Fintech Regulation
Fintech services also escape many of the financial regulations placed on banks and other financial organizations. Fintech companies sometimes regard themselves as software companies, rather than financial services companies, with all the differences in mindset and behavior that that implies.
However, once a fintech provides financial services to an individual, it moves from the free and easy world of software to the highly regulated world of consumer finance much like any other financial institution—and needs to plan for that transition. Data security and privacy become key.
Unfortunately, planning for the consequences is not as straightforward as it might be. Data privacy and security are regulated by a vast alphabet soup of federal agencies, including the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Federal Trade Commission (FTC), among others. There is no single national authority on data security and privacy.
Most states also have laws covering data privacy. And don’t forget the threat of class action lawsuits.
The Consequences of Data Breaches Are Increasing
By their nature, financial organizations, whether legacy or fintech, are responsible for a vast amount of sensitive data, including SSNs, bank account numbers, passwords, and PINs, and are thus more intimately involved in the lives of consumers.
And the number of such data breaches in financial services is rising. According to the Verizon 2017 Data Breach Investigations Report, nearly half of all security incidents in financial services are web attacks (the high number partly due to a particular malware, Dridex)—a much higher percentage than in any other industry—while DoS attacks represented about a third of all incidents.
According to the IBM-sponsored 2017 Ponemon Cost of Data Breach Study, the average cost of a data breach worldwide is $3.6 million, down a bit from the previous year because of a stronger dollar. On average, each lost or stolen record cost $141.
Fintech Concern for Data Security Has To Come First
The Consumer Financial Protection Bureau (CFPB) has joined the data protection fray and recently pursued successful cases against fintechs LendUp and Dwolla, imposing fines.
The important thing about both these cases is that, in making its case, the CFPB went back to activities the companies had engaged in from their first day of operation. This means that fintechs have to take security and privacy issues into account from the start, rather than waiting until they reach some degree of success or prominence to take care of them.
The problem is made worse by the variety of state laws financial services companies need to comply with. A website that promises a service that is only available in a selection of states without making that limitation clear, or implies that a service under development is already available, can lead to an enforcement action.
The activity of the CFPB must have been an unwelcome surprise to LendUp and Dwolla—it is new to the area of data security (and may well face cutbacks in the future, as Dodd-Frank financial reforms face opposition and possible rollback in the new Congress), joining the various agencies already mentioned above.
Time Traveling Regulations?
Fintechs thus face an unpleasant reality. Regulation can seemingly time travel from their successful future to punish them for actions in their scrappy, high-burn-rate past. It can also be seen as a cap on fintech innovation. Companies can either spend scarce capital on insuring against future legal actions, or put the money into service development and accept the risk of future lawsuits or legal actions.
For many such companies, going out of business without ever marketing a successful product is probably seen as a greater risk than possible future fines from a government agency. But the future will inevitably arrive, and regulation will just as inevitably come with it.