As the speed, delivery, and capabilities of FinTech firms diverge from those of traditional financial services organizations, they must still adopt similar data security and data privacy measures in compliance with current regulations.
Legislation such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other U.S. state privacy laws have made privacy rights and data protection controls a chief concern of businesses and consumers alike. FinTech companies introducing and harnessing the power of new technologies like blockchain, artificial intelligence (AI), and cryptocurrencies (to name a few) can maintain a strong compliance posture and stay ahead of risk curves by implementing a few key principles outlined below.
Trust, Ethics, and Culture
Recent and upcoming privacy regulations provide consumers several rights related to their personal data that are rooted in trust. Under GDPR, for instance, consumers maintain the right to access, deletion, and transparency of their data. More broadly, trust is paired with ethical and cultural considerations in support of company objectives.
Below we’ll explore several tenets of making trust, ethics, and culture a central framework for the organization.
Do the Right Thing
As companies work to understand complicated regulations and implement processes to comply, a common theme of successful companies is simply “doing the right thing.”
Complying with current standards while forecasting emerging regulations expected to arrive in the coming years prompts many FinTech organizations to adopt data protection and privacy strategies that go beyond the bare minimum. Instilling a motto of “doing the right thing” into company culture guards against exposure to regulatory volatility, evolving consumer demands, and cyber risk.
Ultimately, customers want their data protected, so doing the right thing should be a no-brainer to maintain customer loyalty and satisfaction. Otherwise, get ready for savvy customers to flee to competitors.
Emphasize the ‘G’ in ESG
Environmental, social, and governance (ESG) standards are new focal points for businesses, again, as driven by consumer demands. Privacy and customer protection efforts can be viewed (and accounted for) as part of governance under the banner of ESG.
As ESG programs gain traction, proactively incorporating privacy and data protection concerns into these programs can centralize efforts and clearly articulate the business’s mission to the market, investors, customers, and employees.
Embed Privacy Awareness Into Business Norms
Employees must realize that privacy is non-negotiable. It’s not sensible or cost-efficient to compromise privacy in the name of other business pursuits, such as speed to market, faster product development, greater customer acquisition, larger deals, etc.
Privacy cannot sit opposite of company goals; it must be an innate value proposition in and of itself. A privacy-aware workforce is a starting point.
After baseline awareness, workforces must become privacy-committed. This may be a cultural shift for some organizations in the FinTech industry, especially those in early-stage growth without the necessary bandwidth to stand up and maintain unique security controls that satisfy local, national, and global regulation or, at minimum, industry best practices.
Moving forward, it will be table stakes.
It’s also important to note that consumers treat their financial information as the most sensitive kind of personal data – and they’re hyper-conscious of their financial details being mishandled by businesses or breached by cyber criminals. In fact, more than half of Americans decided not to use a product or service due to privacy concerns, Pew found.
As companies collect and share more user data, this hesitation will likely only increase unless companies build programs to proactively protect consumers and privacy, demonstrate proper data handling, and ultimately build customer trust.
Privacy by Design
Companies that build new applications and technologies in the FinTech space should weave the seven principles of privacy by design into their software development processes. Not only will this result in a strong privacy culture, but it will also make compliance with privacy regulation less strenuous.
The seven principles include:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality – Positive-Sum not Zero-Sum
- End-to-End Security – Full Lifecycle Protection
- Visibility and Transparency – Keep it Open
- Respect for User Privacy – Keep it User-Centric
These privacy design principles can be brought to life and codified in a formal privacy and data protection program. Such programs identify, implement, and operate a right-sized array of technologies, processes, and people dedicated to protecting data, maintaining privacy, and staying compliant.
The drive to optimize data privacy is evidenced by the rapidly growing market for privacy-enhancing technologies (PET) – e.g., encryption, anonymization, federated learning, data minimization, etc. – which MIT noted is innovating faster than any other technology solution, at a rate of 178% annually.
The FinTech sector has been instrumental in advancing and building on these initiatives and will play a leading role in continuing conversations around financial institutions’ collection, usage, and protection of personal information.
Time to Act
Digital threats and risks aren’t going away, and the longer FinTech companies wait, the bigger the problem becomes. So the key is to take clear action now.
FinTechs depend on creating trusted, assured experiences for their customers. Cyber breaches, data losses, or missteps with regulators can be costly, including:
- Reputational damage and bad press.
- Fines and mandated remediations.
- Loss of investor confidence.
- Delays to IPOs.
- Customer abandonment.
These risks, though, are surmountable. To take pragmatic steps – without spending millions or bogging down the business – and provide significant gains in cybersecurity, privacy, and data protection, view the whitepaper below.