How fintech’s meteoric rise has resulted in society trading security for convenience.
By the CyberWire staff with the Finance & Accounting Technology Expo
Jul 31, 2024

Key Insights.

  1. Fintech’s role in society. Fintech has revolutionized financial services for businesses and individuals, offering rapid and convenient solutions.
  2. Insecure products. Despite their convenience, many fintech products are plagued by security concerns, including risks of cyberattacks and data breaches.
  3. Securing yourself. Users can enhance their security by adopting robust security measures and working with trusted third-party providers.
  4. Lack of regulation. The confusing and ineffective regulatory environment contributes to fintech’s lack of security, highlighting the need for stronger oversight.
  5. Continue the conversation. Attend the Finance & Accounting Technology Expo in New York City from October 29-30, 2024, free for N2K CyberWire members. Learn how to register at the bottom of this article.

Fintech and its role in society.

Financial technology (fintech) has revolutionized the financial world for businesses and individuals alike by digitizing and accelerating financial services. However, while fintech offers unparalleled convenience, it also raises significant security and regulatory concerns. Fintech is a blanket term for technology that is used to deliver financial services. Its security and regulatory concerns are numerous: reports have emerged detailing how regulators have found that a notable group of major banks “have an inadequate grasp of a broad swath of potential risks from cyber attacks.” Other research has echoed these findings; a survey conducted by E&Y found that over seventy percent of fintech adopters expressed concerns related to their personal data when dealing with companies online. As fintech continues to proliferate, many individuals and corporations have little choice but to use these services despite the inherent risks.

Insecure fintech.

Given fintech’s deep entrenchment in society, avoiding its services is unrealistic. Rather, organizations need to understand how to harness fintech to leverage its benefits while taking the necessary steps to avoid unnecessary exposure. Researchers and regulators are already working to address these anxieties and discover ways to mitigate the risks without compromising fintech’s promises. A 2023 study identified the most common and destructive attacks against fintech, including malware, DDoS, and social engineering attacks. The finance and insurance sector ranked second among industries most targeted by cybercriminals globally since 2018, just behind manufacturing. From February to April 2020 alone, attacks on the financial sector surged by 238% globally, with 80% of financial institutions reporting an increase in cyberattacks.

Securing the insecure.

Organizations partnering with fintech service providers or financial institutions can implement strategies that better ensure security measures are in place. One of the soundest ways to prioritize fintech security is through adequately designed and routinely audited service-level agreements (SLAs). Through these agreements, organizations can work with fintech providers to clearly define key requirements, such as access control systems, security awareness training, blockchain-enabled systems, and money transfer securities.

However, these measures alone are insufficient. While businesses can and should mandate these security measures, these security solutions cannot be seen as the only method to manage the risks introduced by the fintech industry. A cultural shift within fintech development is necessary to ensure that services are delivered without sacrificing security. This shift must be supported both internally by businesses and externally through effective government regulation.

The need for oversight.

Fintech has consistently represented a gray area in developing and mandating regulations. Each US state and the federal government maintains its own set of rules, making it increasingly difficult for authorities to create consistent regulations that align with other standards and keep pace with the rapidly evolving fintech industry.

For example, fintech services include:

  • Bank partnerships
  • Commercial financing
  • Early wage access programs
  • Lending programs
  • “Buy now and pay later” products
  • Cryptocurrencies

Each of these services presents a different regulatory challenge, leading to inconsistencies. Depending on the state in which a fintech service operates, different privacy regimes may apply. Additionally, federal regulations can vary based on the partnerships of the fintech provider. This dynamic has resulted in significant regulatory arbitrage, as discussed in the 2017 paper from the FDIC, “Fintech, Regulatory Arbitrage, and the Rise of Shadow Banks.” Shadow banks – financial intermediaries that engage in activities similar to traditional banks – operate outside the conventional banking regulatory framework. These institutions do not accept traditional bank deposits and therefore are not subject to the same regulations and oversight as traditional banks. Instead, they often rely on other forms of short-term funding and are involved in activities such as lending and credit creation. Examples include entities like Quicken Loans “Rocket Mortgage” that provide home loans but are not traditional banks. The market share of shadow banks in residential lending nearly doubled from 30% in 2007 to 50% in 2015. Shadow banks accounted for 75% of all FHA loan originations by 2015, dominating in areas with less creditworthy borrowers.

The lack of regulatory oversight means that these sorts of institutions do not fall under the same stringent regulatory frameworks as traditional banks. This minimal supervision can lead to inadequate security measures, making them more susceptible to cyberattacks and fraud. Additionally, the varied standards and practices across fintech organizations result in inconsistent security protocols, increasing the risk of security breaches. Without consistent regulatory pressure, organizations do not invest sufficiently in robust cybersecurity measures, leaving sensitive customer data vulnerable to breaches. Systemic risk and financial stability are at stake because fintech organizations are now deeply integrated with traditional financial systems through complex financial products and services. A security breach at a fintech company can have cascading effects on the broader financial system. The opacity of fintech operations further complicates accurate risk assessment by regulators and stakeholders, increasing the potential for undetected vulnerabilities. The rapid growth and significant financial activities of fintech companies make them attractive targets for cybercriminals using sophisticated cyberattacks, such as ransomware, phishing, and other forms of cyber intrusion.

Slow and steady progress.

Progress in regulating the complex fintech industry is being made, though slowly. On July 19th, the Consumer Financial Protection Bureau (CFPB) proposed a new rule to regulate early wage access programs by classifying them as consumer loans. This reclassification would make these programs subject to the Truth in Lending Act (TILA), requiring additional disclosures to consumers and the expression of fees as annual percentage rates (APR), similar to credit card disclosures. A CFPB spokesperson noted that these fees can amount to a 109.5% APR, despite services being advertised as “free or low-cost.”

While these actions represent progress, the regulatory efforts face significant pushback. Critics argue that these programs are akin to ATM withdrawals since users are accessing wages they have already earned. The Financial Technology Association has stated that the rule could harm millions of workers who rely on these services to manage their expenses without waiting for traditional pay periods. This debate underscores the broader regulatory challenges in managing fintech offerings, including data privacy and security issues. Currently, the only major standard universally applicable to fintech servicers is the Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Act, which regulates the actions of those offering financial services to consumers. However, there are no major industry-wide regulations mandating specific security measures or robust risk management programs, which poses a significant risk for organizations partnering with or utilizing fintech services.

Managing fintech.

Fintech’s relationship with businesses is, at best, volatile. On one hand, these services can greatly accelerate a business’s ability to engage with financial institutions and utilize their services; on the other hand, this relationship also introduces significant risks. While individuals and organizations can take measures to protect themselves by implementing stronger documentation or ensuring that partnered providers can be held accountable under existing regulations, these measures are at best only patchwork solutions. Until an industry-wide change occurs that addresses fintech’s lack of consistent security measures, these services will continually introduce risk.

For now, businesses should take an overly conservative approach when utilizing fintech. While these services are almost impossible to fully avoid, businesses should be careful when it comes to selecting the services they need. By treating fintech services as luxuries rather than necessities, businesses can minimize some of the inherent risks. Additionally, through comprehensive risk assessments and robust documentation, businesses can work to fully understand the associated risks when working with a given provider and determine if said risks are too concerning.

Next steps.

N2K has partnered with the CFO Leadership Council to drive innovation in cybersecurity and privacy for fintech. As part of this partnership, we're excited to offer FREE registration to the upcoming Finance & Accounting Technology Expo in New York City from October 29-30, 2024 (a $295 value). If you work at the intersection of cybersecurity and finance, accounting, or banking, this conference is for you.

Date: October 29-30, 2024

Location: Javits Convention Center, New York City, NY

At a glance: The Finance & Accounting Technology Expo (FATE) is the premier event for finance technology professionals, bringing together industry leaders, innovators, and experts to explore the latest advancements in finance and accounting technology. Attendees will have the opportunity to participate in informative sessions, network with peers, and gain insights into cutting-edge tools and strategies that are shaping the future of the industry.

How to Register:

  1. Visit the event website: https://strategiccfo360.com/fate/ 
  2. Click on the "Register" button.
  3. At checkout, enter the exclusive code "wko735" to drop the registration price to $0.

Register before August 15 to take advantage of this offer.