
Managing Risk in a Fintech Relationship

21/11/2017


By Doug Macdonald

Partnerships with financial technology (fintech) providers have emerged as effective tools for bringing new products and services to market. By offering convenience and reducing operating costs, fintech partners can offer new ways to process invoices, provide financing, simplify payments and more.

However, the flexibility, functionality and convenience fintech providers offer may come at the expense of effective risk management. Fintechs that lack adequate controls can put your business at risk.

Prioritize data and transaction security

Despite growing awareness of cyber risks, the current regulatory environment for fintech providers is not consistent and adherence to security best practices varies significantly across the sector.

“It doesn’t matter if your supplier is the party at fault in a data breach,” says Danny Timmins, MNP’s national leader for cybersecurity. “Your customers trust you with their information, and you will ultimately be held accountable.

“If your fintech partner isn’t providing the appropriate assurances or doesn’t understand cybersecurity, you’re putting your business at risk.”

Effective due diligence depends on two key questions:

Who owns the customer data?

Clearly define what each party can do with customer information (e.g., you may be willing to let your fintech provide aggregate customer data for analysis, but you don’t want them selling your clients’ information to a third party).

How is that data being protected?

Understand what controls and processes are in place to prevent your customers’ data from theft or misuse.

Strong fintech providers will understand the need to protect customer information and privacy. Potential partners should be able to confidently explain their security measures and be willing to demonstrate these controls. Providers that fail to demonstrate effective risk management will not be successful – and that is not a relationship you can afford to enter.

What to Look For

The benefits of partnering with a fintech should never take precedence over information security. Before agreeing to any business relationship, you should ensure your partners are compliant with standards and controls such as:

  • PCI / Interac: Any organization handling payment information such as credit or debit card numbers must comply with payment card industry (PCI) and/or Interac standards for security and privacy.
  • FINTRAC: An organization processing large payments may be required to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for anti-money laundering. Organizations must report all large-value or suspicious transactions or risk large fines.
  • Maturity and threat analysis: An independent assessment and prioritization of cyber risks to ensure that security protocols are focused on the right areas. A reputable partner should be able to supply you with a report that demonstrates effective cyber-risk management.
  • ISO 27001 / 27002: International standards for information security covering activities such as software development, physical security and supplier relationships. Certification is via a controls audit performed by an independent reviewer.
  • SOC 2 and SOC 3: American auditing standard for outsourcing providers that focuses on effective risk management. Your fintech partner should be able to provide an SOC 2 or SOC 3 report demonstrating effective risk management and security processes.

Above and beyond these standards, all parties in a fintech relationship should consult with their advisers to ensure the right controls are in place and the right reports and certifications are used to demonstrate compliance. By building risk management and compliance into your partnerships from the beginning, you’ll ensure your customers are protected and have the peace of mind to focus on growing your business.

The rise of new and innovative technologies is breaking new ground in the financial services sector. But regardless of the benefits new tools and services can offer, the first question you should always ask is, “How are my business and my customers protected?”

Contact Doug Macdonald, Regional Financial Services Leader, at 647.220.1086 or [email protected].