There is a good chance that you are reading this article on a tablet or smartphone. Perhaps you're even reading it while traveling or waiting for your next meeting.
The fact is that we live, work and play in a digital age. Our digital footprints are littered everywhere, from geo tracking of your whereabouts to your favorite cute cat videos and your most detailed spending patterns.
These footprints are of huge value to financial institutions, auto loan, consumer finance and fintech firms offering online financing, and to those supporting other financial institutions that access NPPI data or consumer data with or without consent.
Financial Technology in High Demand
For those in the fintech space, the adoption of technology to create a more efficient financial transaction process is gaining momentum. In the effort to move capital efficiently, firms are often forced to add increasing layers of technology to a process.
There isn’t a single technology solution that streamlines application, processing, underwriting and other similar daily tasks. Firms are exploring point of sale solutions that come into play before data is even input into the loan origination or core processing system. For the consumer, the transaction is but the tip of the iceberg, whereas in third party risk management, many moving parts and vendors are hidden beneath the surface.
In my opinion, it doesn’t matter if you are a fintech vendor or a fintech lending institution; chances are that you are accessing consumer data. While fintech isn’t heavily regulated, the fintech space in general needs to understand that consumer data must be protected and managed among the third and fourth party vendors which access it.
Fintech’s Regulatory Compliance Challenges
There's a fair amount of regulatory compliance uncertainty besieging the financial markets currently. Even with what seems like an apparent change of direction at the CFPB under the new leadership of Acting Director Mick Mulvaney, it would be remiss of any institution, company or vendor in the fintech space to dismiss the importance and severity of information security. Given the alarming statistic that over 63% of known data breaches are linked to a third party vendor, your vendor relationships should be cause for concern.
None of the regulators, however, have indicated any reduction in third party oversight requirements and guidance outside of the general regulatory compliance framework. In fact, if anything, third party oversight pressure is likely to increase.
Forty-eight states now have data breach notification requirements and some states have even set up consumer portals to report suspected data breaches. That is telling.
Consumers are more likely to report such issues, but one study performed by The Ponemon Institute reported that there was a generally high level of mistrust between financial institutions and their third party vendors regarding the notification of a data breach.
Fourth Party Oversight – Why It’s the KEY to Consumer Data Security
The Equifax breach is a good example of the delay before a breach becomes public knowledge, and overall it reinforces the notion of, and the level of mistrust behind, lax consumer data protection.
The level of mistrust increased significantly between a financial institution and a fourth party simply because financial institutions aren’t always aware that their contracted third party is leveraging another vendor to fulfill a service.
Ultimately, being unaware of this is a reflection of a poor third party risk management program and should be revisited. Oversight into fourth party data security is seemingly a blind spot in third party risk management and is recognized as an issue which needs to be addressed.
In addition, the OCC refreshed its 2013 third party risk management guidance with its OCC 2017–7 Bulletin. This expands the original requirements and goes into much more detail on the examination process and requirements. There has been an increased awareness of board oversight involvement in recent years, and examiners may request board minutes on third party risk management issues. This really solidifies the fact that the board needs to be invested in third party risk management and the risk ramifications presented.
Since fintech can easily cross borders, there is also the concern and impact of the EU regulation, GDPR. The Global Data Protection Regulation is aimed at protecting European consumer data but will have a global impact. E-commerce and the storage and marketing of consumer data are the tip of the spear when it comes to protecting data. Knowing who your vendors are and where they operate should be high on the agenda for consideration.
How to Protect Your Company
As financial markets push to adopt technology, the risks increase as more players are added to a process.
Mapping out the consumer data lifecycle highlights the importance of adopting a robust third party risk management program to better manage risk and protect not only your consumer data but your own organization from risk. In doing so, you may be pleasantly surprised by how this is accepted as a value-add to your firm and offers up additional strategic advantages.
Knowing the CIA information security triad can help you improve upon your vendor's information security.