The Intersection of Innovation and Risk Management in Fintech


In the rapidly evolving landscape of financial technology (fintech), the delicate balance between innovation and risk management has been a topic of ongoing debate. While some view risk and compliance as potential roadblocks to innovation, others argue that effectively managing risk is essential for the safe and secure delivery of digital financial products. The fintech sector, with its proliferation of virtual banks and technology-driven business models, presents unique challenges where cyber and tech risks must be carefully addressed. In this article, we will explore practical steps for embedding cyber and tech risk practices into digital products while fostering innovation, ensuring regulatory compliance, and maintaining consumer trust.

Know Your Environment

To effectively manage cyber and tech risks, organizations must first have a deep understanding of the environment in which they operate. This includes a thorough grasp of the business proposition and product features, the relevant regulatory requirements, and the role of technology in delivering the digital product. Nonfinancial risks associated with business activities can arise from processes, people, and technology. Innovative products often have features that differ from their conventional counterparts, including new delivery channels and the use of emerging technologies. Creating a one-page product program that outlines the target customer segment, the technology and operating model, the regulatory requirements, and the potential risks provides a comprehensive overview of the innovation and its associated risks.

Establish Senior Management Buy-In

Regardless of whether an organization operates in the fintech or conventional financial sector, risk management is a top-down approach. It starts with the risk appetite set by the board of directors, followed by the leadership of the senior management team, and is executed by risk managers and process owners. A strong governance model is essential for navigating the uncertainties and risks associated with innovation. This includes board-level endorsement of risk frameworks and risk appetite statements, ongoing management reporting, and active engagement from board members. Setting the tone at the top is crucial for the success of any risk management program.

Set Clear Guiding Principles

In managing cybersecurity and technology risks, a principle-based approach is both effective and adaptable to digital innovation. Risk managers can refer to internationally recognized frameworks such as COBIT and the US National Institute of Standards and Technology (NIST) Risk Management Framework. These frameworks can be adapted to fit the organization's specific environment and gain senior management's endorsement. By translating key guiding principles into a concise control checklist that distinguishes between mandatory and desirable controls, risk managers can ensure that critical controls, such as customer data protection, are never compromised while aligning with industry best practices.

Utilize the Regulatory Environment

Contrary to popular belief, not all fintech organizations view regulations as obstacles to innovation. Progressive regulatory reforms have been introduced to support innovation in the financial industry. Regulatory bodies such as the UK Financial Conduct Authority, the Monetary Authority of Singapore, and the Hong Kong Monetary Authority have established regulatory sandboxes, allowing fintech start-ups to conduct live experiments under supervised conditions. These sandboxes provide a controlled environment where certain controls may be relaxed, facilitating innovation while still maintaining a level of oversight.

Adopt Agile Ways of Working

Agile methodologies, widely embraced in the software development world, offer valuable insights for managing cyber and tech risks in fintech. The agile delivery model allows for iterative enhancements based on feedback from working products, enabling rapid product development. This iterative approach should extend beyond technology delivery and encompass all processes, including operations, compliance, and cybersecurity. By continuously integrating cybersecurity and technology controls, organizations can ensure that their innovative digital products are optimized for performance, resilience, and security.

Perform Ongoing Risk and Control Assessments

The dynamic nature of the fintech landscape, particularly in the realm of virtual banks, necessitates regular risk and control assessments. These assessments should be conducted at different delivery phases to detect control breaks and ensure alignment with evolving requirements. Certain controls may be considered desirable during early delivery phases in a sandbox environment, while others, such as customer data protection, should always be treated as mandatory. As products move closer to public launch, the focus shifts to resilience controls, which become increasingly important.

Cultivate a Risk-Aware Culture

A risk-aware culture is essential for managing cyber and tech risks effectively. Organizations must foster a strong governance model supported by suitable risk frameworks and tools that permeate the risk language across the entire fintech organization. Employees should be educated about the potential risks they may encounter, such as falling victim to phishing attacks or social engineering scams that could compromise confidential data. Cultivating a risk-aware culture involves conducting simulations, such as red teaming exercises, providing interactive training, and implementing employee performance rewards. Ultimately, risk management becomes everyone's responsibility.

Conclusion

Finding the right balance between innovation and risk management is a critical challenge for fintech organizations. By following practical steps such as understanding the environment, gaining senior management buy-in, setting clear guiding principles, utilizing the regulatory environment, adopting agile ways of working, performing ongoing risk and control assessments, and cultivating a risk-aware culture, organizations can effectively embed cyber and tech risk practices into their digital products while fostering innovation. The ability to deliver safe and secure digital products is essential for building consumer trust and ensuring long-term success in the fintech industry.

For further insights on this topic, I recommend reading Donald Tse's recent Journal article, "Cybersecurity and Technology Risk in Virtual Banking," ISACA Journal, volume 1, 2022.