
No industry can compete with wealth management and Fintech when it comes to accountability. Every step one takes in the field is tightly regulated and can lead to legal prosecution, even if one is unaware of the rule being broken.

Sometimes, when we talk with early-stage startups or companies that have never outsourced development, it turns out that their executives know little about how processes should be organized to comply with the law. At that point in the conversation, they often grant us access to sensitive areas that, by law, should not be exposed to us. They suffered no negative consequences, because we knew what we could and could not do in this regard. Moreover, because we reacted immediately and explained every aspect of data protection law to them, we ensured that the security of the system was maintained.

In this post, we outline the basics that every WealthTech executive should be aware of: the main regulations and bodies to deal with when starting a new business, the activities one must repeat to stay compliant, and the types of responsibility breakdown that exist for cloud adopters.

What is necessary to start a robo-advisor?

The journey of a WealthTech startup begins with the US Securities and Exchange Commission (the SEC) and the Financial Industry Regulatory Authority (FINRA). These organizations aim to protect investors from fraud and misbehavior, so they check every aspect of a new startup before it starts serving clients. Therefore, the first step to registering a robo-advisor is the submission of Form ADV to the SEC. This form includes a summary of material changes within the firm. It can be supplemented with a brochure describing who will actually serve as the investment advisor. Particular rules apply depending on the specifics of the system; for example, on-premises products must also be used in compliance with SEC rule 17a-4.

Every robo-advisor should be able to explain to regulators how the tool works and how it complies with regulatory requirements. This is to ensure that the outputs the system provides to its customers do not mislead investors in their financial decisions. In this update on FINRA’s “Report on Digital Investment Advice,” one can find best practices for validating one’s platform for regulators.

FINRA is the best-known nongovernmental organization that manages broker-dealer industry risks and monitors companies that provide investment advice. It encourages investors to check the filings and backgrounds of every firm or professional before starting a collaboration. Thus, it is crucial for startups to become members of FINRA or another self-regulatory organization before beginning operations.

Obviously, this list of submissions and memberships is not complete, but it at least gives an idea of how much work must precede the launch of the platform. More details on the topic are gathered in our new white paper: Fintech Regulatory Aspects and Adopting Cloud.

Personally identifiable information: what does it mean for WealthTechs?

WealthTech aggregates large volumes of personally identifiable information (PII), which draws closer scrutiny from controlling authorities. For example, last year’s GDPR became one of the top policies with which startups needed to align their services. It obliges companies to give users access to and control over their personal data. Additionally, Regulation S-P and the Red Flags Rule govern customer data protection and help prevent identity theft.

In large enterprises, there are often departments dedicated exclusively to ensuring compliance, monitoring the data flow, and safeguarding security. Still, given the number of end-to-end integrations required to provide competitive services today, PII security remains a problem.

Additionally, existing regulations complicate the transfer of clients’ business data outside of the United States, which deters companies from hiring talent or working with vendors abroad. However, it is not the location that determines a vendor’s safety but solid knowledge of how to organize a secure development process.

Here is a checklist to help you quickly examine whether your company or your vendors have secure processes:

  • Do you run background checks on employees? Security begins with your physical office. A pass-entry system and background checks are a must.
  • Who can access client data, and why? Use an access-level system to restrict unintended data exposure. Remember the similar cases of Redtail, Fiserv, BlackRock, and Voya.
  • Do you use a VPN and multiple internet connectivity channels? Clients’ access to their data should be reliable and secure as well. In addition, it is worth monitoring in real time who accesses the data.
  • Can you provide masked data or a staging environment? Some vendors can access production data via a staging machine only, which lets them work with obfuscated data as if it were real.
  • Have your employees passed any security certifications or training? Building secure software means keeping up with new threats. Exchanging experience and self-development are a must for security professionals.

Of course, these are not all the regulations that make up data security. For more information, download our Fintech Regulatory Aspects and Adopting Cloud white paper, which contains detailed descriptions of the subject.

Cloud providers and shared responsibility model

High security standards and client demand make cloud adoption imperative. The shared responsibility model establishes a high-level delineation of security responsibilities between the customer and the cloud service provider (CSP). Not knowing where that line falls can itself lead to a security breach.

The responsibility breakdown depends on the CSP you want to partner with. Information about which responsibilities each cloud provider takes on when you start collaborating with them can be found on their websites. For example, Microsoft Azure states that the customer always retains responsibility for data, accounts, access, and endpoints. Beyond that, the remaining responsibilities depend on the type of deployment: on-premises, infrastructure-as-a-service, platform-as-a-service, and software-as-a-service. The picture above illustrates the responsibility areas of each side for every deployment type.

Information on other popular CSPs, their shared responsibility delineations, and comparisons among them can be found in our Fintech Regulatory Aspects and Adopting Cloud white paper.

Takeaways

It is impossible to operate in WealthTech without a clear understanding of the regulatory aspects. The intricate rules and shared responsibility areas give rise to potential data security risks. To mitigate them, companies need a robust and comprehensive guide with explanations, comparisons, and best practices. Download our free white paper Fintech Regulatory Aspects and Adopting Cloud for more detail on this subject and to help your startup address threats before they happen.
