Few industries match wealth management and Fintech when it comes to accountability. Every step taken in the field is heavily regulated and can lead to legal liability, and not knowing a rule is no defence.
Sometimes, when we talk with early-stage startups or companies that have never outsourced development, it turns out that their executives know little about how processes should be organized to comply with the law. When conversations reach this point, they give us access to sensitive areas that, by law, shouldn’t be exposed to us. Of course, they experienced no negative consequences, because we knew what we could and could not do in this regard. And because we reacted immediately and explained every aspect of data protection law to them, we ensured that the security of the system was maintained.
In this post, we outline the basics that every WealthTech executive should be aware of: the main regulations and bodies to deal with when starting a new business, the activities that must be repeated to stay compliant, and how security responsibilities are split between cloud adopters and their providers.
What is necessary to start a robo-advisor?
The journey of a WealthTech startup begins with the US Securities and Exchange Commission (the SEC) and the Financial Industry Regulatory Authority (FINRA). These organizations exist to protect investors from fraud and misconduct, so a new firm is vetted before it may serve clients. The first step for a robo-advisor is registering as an investment adviser by filing Form ADV with the SEC (smaller advisers register with state regulators instead). Part 1 of the form describes the firm’s business, ownership, clients, and disciplinary history; Part 2A is a plain-English brochure covering services, fees, and conflicts of interest, and its annual update includes a summary of material changes; Part 2B is a supplement describing the individuals who will actually advise clients. Further obligations depend on the specifics of the system. For example, a firm that also acts as a broker–dealer must retain electronic records in line with SEC Rule 17a-4, whether the product runs on-premises or in the cloud.
Every robo-advisor must be able to explain to regulators how the tool works and how it complies with regulatory requirements. The aim is to ensure that the outputs the system gives its customers do not mislead investors in their financial decisions. FINRA’s “Report on Digital Investment Advice” collects best practices for validating a platform to regulators, including how the algorithms are tested and supervised.
FINRA is the best-known self-regulatory organization for the broker–dealer industry: it oversees member firms and their registered representatives, and it encourages investors to check the filings and backgrounds of every firm or professional before working with them. If a startup will execute trades or otherwise act as a broker–dealer, it must become a FINRA member before beginning operations. A firm that only provides advice registers as an investment adviser and is overseen by the SEC or state regulators rather than FINRA.
This list of filings and memberships is not complete, but it gives a sense of how much work must precede the launch of a platform. More details are gathered in our new white paper, Fintech Regulatory Aspects and Adopting Cloud.
Personally identifiable information: what does it mean for WealthTechs?
WealthTech aggregates large volumes of personally identifiable information (PII), which draws closer scrutiny from regulators. For example, the EU’s GDPR, in force since May 2018, became one of the top policies with which startups needed to align their services: it obliges companies to give users access to and control over their personal data, and it applies to any firm handling EU residents’ data regardless of where the firm is based. In the US, Regulation S-P requires safeguards for customer records, and the Red Flags Rule (Regulation S-ID for SEC-registered firms) requires a written identity theft prevention program.
Large enterprises often have departments dedicated to ensuring compliance, monitoring data flows, and safeguarding security. Even so, given the number of end-to-end integrations required to provide competitive services today, PII security remains a problem: every integration is another place where client data is copied, transformed, or exposed.
Existing regulations also complicate how companies may transfer client data outside the United States, which deters them from hiring talent or working with vendors abroad. However, it is not the vendor’s location that determines whether it is safe to work with, but whether it organizes its development process securely.
Here is a checklist to help quickly assess whether your company or your vendors have secure processes:
- Do you run background checks on employees? Security begins with your physical office. A badge-entry system and background checks are a must.
- Who can access client data, and why? Use role-based access levels so that each person sees only the data their job requires, and review those grants regularly. Remember the reported data-exposure incidents at Redtail, Fiserv, BlackRock, and Voya.
- Do you use a VPN and multiple internet connectivity channels? Clients’ access to their data should be reliable as well as secure. It is also worth logging and monitoring in real time who accesses the data.
- Can you provide masked data or a staging environment? Some firms give vendors access only to a staging environment populated with masked copies of production records, so vendors can work with realistic data without ever seeing real client details.
- Have your employees completed any security certifications or training? Building secure software means keeping up with new threats, so ongoing training and exchange of experience are a must for security professionals.
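To make the staging-environment item concrete, here is an added example (not code from the original post or from any vendor it mentions) of building a masked copy of client records for staging. Identifiers are replaced with keyed HMAC tokens so that joins across tables still work in staging while the originals cannot be recovered without the key; account numbers and SSNs keep only their last four digits; e-mail addresses are rewritten to a sink domain so staging never contacts real clients; and any field not explicitly listed in the policy is dropped, so a new column added to production does not leak into staging by default. The field names, the secret, and the sample records are all constructed for illustration.

```python
"""Build a masked copy of client records for a staging environment.

Added example; assumes records are flat dicts and that a per-environment
secret is available for tokenization. Field names and sample data are made up.
"""
import hashlib
import hmac
import re

# Per-environment secret (assumed). Load it from a secrets manager in practice,
# and never ship it to the vendor alongside the masked data set: with the key,
# low-entropy fields such as client IDs could be brute-forced back to originals.
STAGING_KEY = b"example-staging-key-rotate-me"


def pseudonymize(value: str, key: bytes = STAGING_KEY, length: int = 16) -> str:
    """Deterministic keyed token for an identifier.

    Same input with the same key -> same token, so foreign keys still line up
    across tables in staging; without the key the original is not recoverable.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_account_number(acct: str) -> str:
    """Keep only the last four digits, as a support screen would display them."""
    digits = re.sub(r"\D", "", acct)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    """Mask a US SSN down to its last four digits; reject malformed input."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        return "***-**-****"
    return "***-**-" + digits[-4:]


def mask_email(email: str, key: bytes = STAGING_KEY) -> str:
    """Tokenize the local part and point the address at a reserved sink domain."""
    local, _, _domain = email.partition("@")
    return f"{pseudonymize(local, key, 12)}@staging.invalid"


# Masking policy: what happens to each field. Anything not listed is dropped.
FIELD_POLICY = {
    "client_id": "pseudonymize",
    "email": "mask_email",
    "ssn": "mask_ssn",
    "account_number": "mask_account",
    "portfolio_value": "keep",
    "risk_score": "keep",
}


def mask_record(record: dict, key: bytes = STAGING_KEY) -> dict:
    """Apply FIELD_POLICY to one record; unlisted fields never reach staging."""
    out = {}
    for field, action in FIELD_POLICY.items():
        if field not in record:
            continue
        value = record[field]
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(str(value), key)
        elif action == "mask_email":
            out[field] = mask_email(value, key)
        elif action == "mask_ssn":
            out[field] = mask_ssn(value)
        elif action == "mask_account":
            out[field] = mask_account_number(value)
    return out


def mask_dataset(records, key: bytes = STAGING_KEY):
    return [mask_record(r, key) for r in records]


# Constructed sample records; not real client data.
SAMPLE_RECORDS = [
    {"client_id": "C-1001", "full_name": "Jane Example", "email": "jane@example.com",
     "ssn": "123-45-6789", "account_number": "ACCT-0001-2345-6789",
     "portfolio_value": 250000.0, "risk_score": 3, "notes": "Prefers phone calls"},
    {"client_id": "C-1002", "full_name": "John Sample", "email": "john@example.org",
     "ssn": "987-65-4321", "account_number": "ACCT-9999-8888-7777",
     "portfolio_value": 12000.5, "risk_score": 5, "notes": "Divorce pending"},
]

if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_RECORDS):
        print(row)
```

The allow-list policy is the important design choice: free-text fields such as `notes`, where staff tend to record the most sensitive details, are excluded unless someone deliberately adds a rule for them. Run the masking job inside the production boundary and hand the vendor only its output, together with access logs showing who generated it.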
Of course, these are not all the regulations and controls that make up data security. For more information, download our Fintech Regulatory Aspects and Adopting Cloud white paper, which covers the subject in detail.
Cloud providers and shared responsibility model
High security standards and client demand make cloud adoption imperative. The shared responsibility model establishes a high-level delineation of security duties between the customer and the cloud service provider (CSP). Not knowing where that line falls is a common cause of breaches: a customer assumes the provider patches its virtual machines or locks down its storage, when in fact those tasks remain the customer’s.
The responsibility breakdown depends on the CSP you partner with, and each provider publishes its version on its website. For example, Microsoft Azure states that the customer always retains responsibility for data, endpoints, accounts, and access management. The remaining responsibilities depend on the deployment type: on-premises, infrastructure-as-a-service, platform-as-a-service, or software-as-a-service, with more of the stack shifting to the provider as you move from IaaS to SaaS. The figure above illustrates the responsibility areas of each side for every deployment type.
Information on other popular CSPs, their shared responsibility delineations, and comparisons among them can be found on the pages of our Fintech Regulatory Aspects and Adopting Cloud white paper.
It’s impossible to operate in WealthTech without a clear understanding of the regulatory landscape. Intricate rules and shared responsibility areas create data security risks, and mitigating them requires a comprehensive guide with explanations, comparisons, and best practices. Download our free white paper, Fintech Regulatory Aspects and Adopting Cloud, for more detail on the subject and to help your startup address threats before they materialize.