Banks and credit unions increasingly recognize fintech companies not as competitors, but as strategic partners to drive business forward. While banks’ openness to technological innovation grows, their regulatory, cybersecurity, and risk management obligations remain. Fintechs looking to partner with financial institutions should understand these requirements before attempting to establish a partnership.
We recently spoke at the Bank Directors’ FinXTech event, analyzing cybersecurity concerns when partnering with a fintech. Here are some of the key points fintechs should be aware of from our discussion with the banks:
1. Banks Have Strict Vendor Due Diligence and Monitoring Requirements You Need to Comply With
Our banking clients usually have many questions regarding vendor due diligence and monitoring surrounding fintech providers. Financial institutions have existed for centuries in a highly regulated environment, which sets the tone for their risk management strategies, internal control posture, and cybersecurity operations. Depending on the nature of your services, they’ll likely expect a similarly robust risk management structure from you, and you’ll need to provide assurance on the controls you’ve implemented.
You’ll be asked for financial statements, SOC reports, extensive security questionnaires, business continuity plans, certifications such as a PCI ROC or ISO 27001, and more. But what if these aren’t available? Banks aren’t likely to place much reliance on your word alone. If they can’t get solid, independent assurance over your security controls, they’ll consider the lack of information a liability. It’s not necessarily a deal-breaker, but it can significantly complicate the sales process. Getting your arms around the types of data and assurance required as early as possible will help the process move smoothly and separate you from your competitors.
Recent guidance from the Office of the Comptroller of the Currency (OCC) details banks’ vendor monitoring requirements, including use of fintech providers.
If you’re considering a SOC report for your company, we’ve detailed everything you can expect from the process.
2. Apply Secure Coding Practices and Test Your Product Thoroughly
Don’t let the need for rapid development and innovation overshadow a secure development methodology. While they may slow you down, formalized processes around change requests, independent review and testing, logical access to staging and production, and segregation of duties will reduce the risk of accidental or intentional security issues. Don’t focus solely on the technical security of the code; holistic design of the product is just as important. As we all know, security should be baked in and never bolted on.
You should also consider penetration testing of the product to identify any weaknesses you may have overlooked in the design and coding. A good penetration tester may come up with creative attack vectors that you might never have considered.
3. APIs Can Represent Concentrated Risk
Many fintechs utilize application programming interfaces (APIs) to integrate with customer systems. The greater the level of access to these APIs, the greater the impact any weakness would have. Any vulnerability related to customer data access or monetary transactions could be catastrophic.
Also be aware that many financial services companies have very old legacy systems on their back end that could create unexpected complications with any integration. Open APIs should be thoroughly tested, both at the coding and design level and through live penetration testing, before moving to production.
4. Perform Your Own Vendor Due Diligence Over Cloud Providers
Your products most likely live in the cloud. Banks will extend their vendor security requirements to any cloud providers involved in the delivery of your product. You should perform your own due diligence on your cloud provider so you’re prepared to give your banking customers assurance. This could include a review of the cloud provider’s SOC reports, Cloud Security Alliance (CSA) STAR certification (or other industry-recognized certifications), and any other oversight that’s relevant to your service.
Keep in mind that many controls in a cloud environment are still your responsibility as the user. The CSA has a Cloud Controls Matrix that will guide you in assessing all relevant controls surrounding the cloud implementation.
Conclusion
The potential for fintech and bank partnerships is vast, but the two sides’ cultures surrounding internal controls may not naturally mesh. Don’t be caught unprepared when faced with the security and risk management requirements of the banking industry.