For a long time, FinTechs were commonly subject to regulatory requirements through the financial institutions that regulators oversee. That was when financial institutions only needed to ensure FinTechs complied with regulatory requirements before establishing third-party relationships. But it has gone a bit further, and there are more regulatory developments in the pipeline for FinTechs.
In recent years, federal and state regulators have increasingly imposed direct regulations on various FinTechs and their products. International standards are shaping up to further regulate and govern the operation of FinTechs in the global marketplace. Regardless of their complexities, these new regulations aim to improve consumer protection, increase transparency, and promote fair competition within the industry.
The guide for FinTech regulatory compliance in this article is adapted from a Deloitte publication and some recent developments mentioned in the current ICMA FinTech regulatory roadmap. It provides a framework for developing a broad-based risk management program that can be tailored to meet the unique needs of FinTech companies.
In our previous posts, we have explained the major regulations in the FinTech space and the importance of compliance planning to ensure adherence to these regulations. This guide builds upon that foundation and provides practical steps for FinTech companies to develop a comprehensive risk management program.
1. Define roles and responsibilities through a governance model
FinTechs cannot run successfully without people and processes dedicated to regularly evaluating risk appetites and establishing clear standards for regulatory compliance management. It’s the safety net for potential compliance logjams. For example, one of the reasons attributed to the recent collapse of the Silicon Valley Bank was the absence of a Chief Risk Officer for eight months. This gap in the bank’s leadership led to a lack of oversight and monitoring of risk management processes.
A governance model is expected to allow FinTechs to understand their level of risk tolerance and recognize the threshold at which some transactions or investments become unsustainable or unfavorable for the company to operate. This may sound like Compliance 101, but a well-constructed governance framework is more than a regulatory requirement. It serves as a valuable tool in ensuring the sustainable growth of FinTech firms because it helps build trust with stakeholders, including customers, investors, and regulators.
2. Understand applicable risks and rank them
The nature of FinTech offerings will always define the applicable risks and their order of importance. For example, those operating in the DeFi space are more likely to be vulnerable to sanctions and security risks than those operating as digital payments or online lending. As such, sanctions screening and investigation software are a priority.
In general, however, Fintechs must create a comprehensive technique to identify performance vulnerabilities and compliance standards. From credit to algorithmic, liquidity, and reputational risks, there should be metrics for measuring risk exposure across business operations.
3. Evaluate the controls environment
With a precise understanding of the level of risk exposure, it becomes easier to identify relevant controls to mitigate those risks. For example, risk and control self-assessment (RCSA) is widely used in the financial service industry to evaluate existing internal controls against possible deficiencies.
This process involves evaluating the control objectives and measures and determining their effectiveness in managing the identified risks. Based on this analysis, FinTechs can develop a comprehensive control framework that includes preventative, detective, and corrective controls. This assessment can also help recognize the strengths and weaknesses of existing rules.
4. Evaluate risk and response options
This evaluation process ensures that FinTech’s risk management strategy aligns with its overall business strategy. It’s about finding the most common risk exposures, identifying shifts in performance, and providing a direction for addressing them across the entire business operations.
At this point, risk professionals can use various techniques and tools to evaluate the risks and develop a range of response options. These may include scenario analysis, testing plans, or modeling techniques. For example, Swift’s decision to adopt the ISO 20022 messaging standard for payments in March 2023 was influenced by an analysis of its impact on CBPR+ timelines and global community requests. The Brussel-based utility firm’s decision shows the importance of evaluating risks and developing response options tailored to specific risk profiles and business objectives.
5. Consider the maturity level of risk and compliance
A FinTech’s level of risk and compliance maturity can be gauged based on three stages of development: basic, intermediate, and advanced. These are otherwise known as existing, evolving, and maturing, respectively.
A FinTech with an existing level of risk and compliance maturity has policies and procedures in place to manage risks and comply with regulatory requirements. However, a culture of risk awareness and management might be missing or too weak to rise to regulatory challenges. Here, there is also a lack of proper methods of risk categorization.
An evolving risk-compliant FinTech establishes standard risk classification to “enhance synergies between operations and risk functions.” This methodology is a preventative measure to quickly recognize and mitigate risks, as there are already some indicators to guide risk management.
To be categorized as “Mature risk-compliant FinTechs,” there should be “advanced oversight and execution processes, defined reliance models, and a clear vision and strategy embedded across the organization driven by measurable KRI results.” To reach this level, tools like Governance, Risk, and Compliance (GRC) software can be valuable.
6. Engage management through effective reporting and communication
The stability and resilience of a financial institution have so much to do with board and senior management oversight. In the financial sector, it’s extremely important for these entities to not only facilitate but also monitor the integration of regulatory obligations with old and new business practices. For this purpose, it’s usually recommended that risk experts are well-represented on the board of directors. If not for anything else, they would be better positioned to fully grasp the risk tolerance as reported or unintentionally underreported by the risk management team.
For FinTechs that thrive on applying new technologies, it’ll always be necessary to ask: “What parts of the business activities (or even the broad vision of the company) are no longer suitable for regulatory compliance?” To establish an oversight framework, the risk team, whether in-house or outsourced, must regularly report compliance status to management. The report must include the KRIs used to measure risk management practices. This can be valuable to stakeholders, especially regulators and investors, who need assurance that the business is operating within acceptable risk limits and complying with relevant regulations.
Talk to Us Today
RADD LLC can offer you a customized and strategic approach for your compliance strategies to align with your operations and regulatory requirements. You will have access to a team of professionals with over 250 years of combined experience in fintech regulatory compliance. Explore our full suite of FinTech services and checklists now to find what you currently need and how we can help.