Embedding Digital Trust in Fintech: Seven Practical Steps

Donald Tse
Author: Donald Tse, CISA, CISM, CDPSE, CPA
Date Published: 11 March 2022

There has long been debate about whether innovation and risk management can coexist. For some digital pioneers, risk and compliance are synonymous with being a roadblock to innovation. For some risk managers, introducing an innovative change is like flying blind, while focusing on ensuring cyber and technology risk elements are properly addressed is like a speedometer steering the safe and secure delivery of a digital financial product.

This is specifically true in the fintech section. The fintech sector has been gaining a lot of traction in recent years, including the proliferation of virtual banks. These virtual banks are innovative, but because there is no brick-and-mortar presence, any cyberattack or system instability can cause a greater impact to the technology-driven business models.

There are seven practical steps for embedding cyber and tech risk practices into the digital products while facilitating innovation:

  1. Know the environment—An organization should know what value is being delivered to the customers. This includes a thorough understanding of the business proposition and product features, relevant regulatory requirements and how technology is used in delivering the digital product. At the end of the day, the nonfinancial risk associated with a business activity comes from the process, people and technology. An innovative product usually has unique features compared to its conventional counterpart, ranging from its feature and delivery channel to the emerging technology used. Adding the details into a one-page product program will provide a birds-eye view of the target customer segment, technology and operation model, regulatory requirements and potential risk in its innovation.
  1. Establish senior management buy-in—Regardless of whether in a fintech or conventional financial institution, risk management is a top-down approach activity stemming from the risk appetite set by the board of directors, followed by the leadership of the senior management team and executed by risk managers and process owners in accordance to their roles and responsibilities. A strong governance model steers the innovative digital delivery against the headwind in the uncertainties of and risk arising from innovation. This typically includes the board-level endorsement of the risk frameworks and risk appetite statements, ongoing management reporting and challenges from the board members. Setting the tone at the top is crucial for every risk management program.
  1. Set clear guiding principles—Every innovation come in a different form; however, there is not a new risk type being introduced for each form. That said, the principle-based approach to manage cybersecurity and technology risk will continue to be suitable for digital innovation. Risk managers should reference existing internationally recognized frameworks such as COBIT and the US National Institute of Standards and Technology (NIST) Risk Management Framework Special Publication 800-53. Risk managers should choose the appropriate frameworks, adapt them to fit the organization’s environment and obtain senior management’s endorsement. To embed these frameworks as part of the innovation process, the key guiding principles can be translated into a concise control checklist, with mandatory versus desirable controls. Mandatory controls, such as customer data protection, should never be compromised, where desirable controls are aligned to industry best practices.
  1. Utilize the regulatory environment—Not all fintech organizations hate regulations. There are progressive regulatory reforms that support innovation in the financial industry. Although some of the regulations may have been published more than a decade ago, financial regulators have continuously provided additional guidance to support financial institutions, both incumbents and fintech organizations, in promoting innovation and elevating cybersecurity maturity. Many financial regulators, such as the UK Financial Conduct Authority, Monetary Authority of Singapore and Hong Kong Monetary Authority, provide a regulatory sandbox to allow fintech start-ups to conduct live experiments in a controlled environment under a regulator’s supervision. Given a smaller population for the sandbox environment, certain controls could be relaxed (e.g., certain outage times would be more acceptable).
  1. Adopt agile ways of working—The agile delivery methodology allows iterative enhancements to be made to an innovative concept based on a working product in each sprint cycle. This model follows the spirit of innovation—start small, fail fast—and enables the rapid delivery of products. The agile way of working does not stop at technology delivery but encompasses all processes such as operations, compliance and, of course, cybersecurity. An agile cybersecurity practice includes alignment of the security patching schedule and the review of security configurations. Cybersecurity and technology controls should also be integrated continuously to ensure an innovative digital product with optimized performance, resilience and security.
  1. Perform ongoing risk and control assessments—Given the more dynamic environment of fintech, including virtual banks, more regular assessments should be conducted to detect any control breaks in alignment to delivery phases. Mandatory and desirable controls may change at different delivery phases. For example, in the early delivery phase in a sandbox environment, rainy day controls such as disaster recovery could be considered desirable controls, whereas all customer data protection controls including data encryption are mandatory regardless of the situation. When a risk manager is assessing for the product launch to the public, the resilience control will become more important and be considered mandatory.
  1. Cultivate a risk-aware culture—A strong governance model supported by a suitable risk framework and risk tooling permeates the risk language across a fintech organization. Something as simple as clicking on a phishing email or answering a social engineering call could compromise confidential data. Cultivating a risk-aware culture includes simulations such as red teaming, interactive training and employee performance rewards. Ultimately, risk management is everyone’s responsibility.

Exploring the fine line between digital innovation and managing its associated risks requires the hands of a craftsman. There is no one-size-fits-all approach to risk management as it requires thorough understanding of the business and operating model, technology used and people involved. Only with a fit-for-purpose risk management model can the innovation DNA in an organization be unleashed to deliver safe and secure digital products.

Editor’s note: For further insights on this topic, read Donald Tse’s recent Journal article, “Cybersecurity and Technology Risk in Virtual Banking,” ISACA Journal, volume 1, 2022.

ISACA Journal Turns 50 This Year! Celebrate with us—and don’t forget you can still receive the print copy by visiting your preference center and opting in!

ISACA Journal