Fintech: computer programs and other technology used to support or enable banking and financial services
Banking: a bank is a financial institution that accepts deposits from the public and creates credit. Due to their importance in financial stability of a country, banks are highly regulated in most countries.
HCM: Human Capital Management brings together payroll services, talent management, human resources management, time and labor management, and benefits administration.
(attribution for these definitions: google, the company that “does no harm”)
Regulation: a rule or directive employed in controlling, directing, or managing an activity, organization, or system, and maintained by an authority and having the force of law.
The three financial service segments listed above have many good and bad things in common. At their most basic level they all deal with third-party flows of funds, and with important corporate and personal data, through activities and systems which, if done well, bring great value to customers and providers alike. If done poorly, recklessly, or fraudulently, they can destroy people, companies, and financial systems.
Banks have been regulated by societies for three thousand years; sometimes well and to the benefit of their citizens, sometimes poorly, to their citizens’ dismay and ruin.
Fintech and HCM will be regulated, but are not yet. Unregulated, they run the risk, through negligence, fraud, poor architecture, or insufficient protection (from attack, breach, and failure), of failing to protect customers and third parties from harm and loss. In a civil world, much of the regulation would come from internal safe and sound policies and practices. We, unfortunately, do not live in a civil world. Good behavior needs to be reinforced by a governing authority and the force of law.
Regulation will come, but you can and should prepare for it.
Great vision and values for a company are fundamental to self-regulation. No vision, no values. No values, no ethics. No ethics, no morals. No morals, no rules, no responsibility; everything is fair game. No responsibility, more regulation!
Great vision, values, strong internal business practice, and regulation by third parties take some of the fear and threat out of business. Loose controls over customer tax and benefits payments add risk to service providers. Strong rules, controls, and audits decrease those risks to the provider and to the system of funds flows in the country. They decrease the possibility of errors and fraud. That’s good, because for most fintech and HCM companies the flow of funds they handle vastly exceeds the capital that owners, shareholders, and even their insurance companies have available to deal with a major system failure.
Have I got your attention? If I have, send me an e-mail saying “you have my attention fear monger!”
My fear of inattention to cybersecurity threats is even greater than my fear of flow of funds risks outlined above. We know how we should control funds flows. We greatly underestimate the risks of gathering, storing, using, and protecting data and flows of data.
New York State is focusing on the things that I fear in data flows and cybersecurity. They are passing banking regulations that frankly sound like good business practice, and which I hope will become the standard of care in the fintech and HCM world, and your own company’s standard of care and good business practice. They are focusing on businesses (banks) and their owners (members of the Board of Directors and senior management). We can learn from their activities and focus. Some of the areas of focus:
- Written cybersecurity programs
- Written cybersecurity policies and incident response plans
- Continuously trained cybersecurity personnel
- Limited access privileges
Cybersecurity programs refer to: identification of cyber risks, policies and procedures to protect data, detection of cybersecurity events, responsiveness to events to mitigate fallout, and recovery and restoration of normal operations.
Cybersecurity policies and incident response plans include: information security policy, data governance rules, access controls, business continuity and disaster recovery plans and resources, capacity and performance planning, systems operations, systems and network security, systems and network monitoring, systems and application development (including Report Writer) and quality assurance, physical security, customer data privacy, vendor and third-party service provider management (think APIs and third-party software), risk assessments, and incident response (internal and external).
Third-party personnel management programs include: identification and risk assessment of third parties, third-party cybersecurity work and practice standards, due diligence processes used to evaluate the adequacy of third-party cybersecurity practices, and periodic assessment.
Additional requirements: annual penetration testing and vulnerability assessments, ongoing existence of audit trail systems, limitation and review of access privileges, written application security procedures, annual risk assessment of the confidentiality, integrity, and availability of information systems (including the adequacy of controls and how identified risks will be mitigated or accepted), multi-factor authentication for individuals who have privileged access to internal systems or who support functions including remote access, monitoring of authorized users, and encryption of all nonpublic information held or transmitted.
The lists have been produced by Astech Consulting, a firm I have known, advised, used, and respected for years. You can review what they do for their clients and for you at www.astechconsulting.com.
The price of being prepared, in terms of time, effort, and investment, is moderate. The cost of neglecting these best practices can be the loss of your company and numbing lawsuits. The consequences of failure for how we do business in the future are so high that these financial services will be regulated.
Best to be ready. Best for your customers, for you, and for your business.