The role of banks and other financial institutions (FIs) as repositories for large amounts of money has made them prime targets for fraudulent activity over the years. As a result of this, a wide range of laws and regulations have been created governing the activities of FIs with the objective of helping to protect consumers from fraud—whether it’s from the inside or outside. In recent years the question of fraud involving banks and other FIs has arisen again in a new context. Innovations in financial technology have raised questions as to whether banks or the fintech firms developing and operating such technology are responsible when its use exposes banks and their consumers to fraud.
Fintech has changed the way financial firms do business in a variety of areas including investment management, loan sourcing and data aggregation. Along with the ability to more proactively manage customer financial affairs and data through the use of technology has come an increased threat of cyberattacks. These types of attacks give malicious outsiders access to sensitive consumer data. A recent example involved two fintech lenders that were defrauded by a man who misrepresented his financial situation to cheat them out of more than $100,000 in total. He was convicted in Tennessee on six counts of fraud stemming from his actions.
The newness of the fintech revolution means that current laws and regulations, for the most part, do not clearly specify who is responsible for fraudulent activity that occurs in conjunction with processes involving both banks and fintech firms. This is likely to change over time as the courts more clearly apportion responsibility between banks and fintech firms in specific instances of fraud. However, when it comes to the regulatory treatment of the two types of institutions, the situation is much clearer; banks face stringent anti-fraud regulatory requirements governing their activities, whether using traditional banking methods or innovative financial technology, while fintech firms are not subject to the same requirements.
This disparity has not gone unnoticed, with leading financial institutions commenting on the danger posed to them by potentially risky fintech practices such as scraping bank websites to collect consumer financial data. At the same time, industry participants and regulators around the world have noted that they are aware of the regulatory discrepancy and that actions may need to be taken to help level the playing field.
Peter Misek, a partner at the Business Development Bank of Canada’s Venture IT Fund, recently opined that Canada’s emergence as a top five global fintech hub poses major risks due to an inadequate legal framework for dealing with fintech-related issues such as identity theft and fraud. He states that, in this regard, “Canada’s structures, rules and laws are antiquated and, in many cases, actually harmful.” Misek would like to see “innovative solutions to this problem” from tech companies, and wrote that his fund is willing “to put real dollars behind the effort.”
Addressing similar issues, the director and general counsel of Malaysia’s Securities Commission (SC), Foo Lei Mei, warned that digitalization in the financial services industry brings with it increased risk of fraud. In an article in Digital News Asia, Mei said that the SC planned to issue regulatory guidance regarding engaging with industry firms about the issue. “Discussions and focused group meetings have provided invaluable feedback to the SC in designing the regulatory framework for P2P lending in the capital market,” she was quoted as saying.
In the United States, the Federal Reserve Board has weighed in on the risks facing banks when outsourcing risk, such as using third party firms to provide data aggregation or digital wealth advisory services. The Fed’s letter on the matter includes commentary on various issues associated with working with fintech companies. In an article by Robert Canova, senior S&R financial/policy analyst at the Federal Reserve Bank of Atlanta, Canova states that, with the increase in data breaches, website attacks and wire transfer fraud schemes, “Banks will need to become more sensitive to safeguarding any systems containing customer data that their digital vendors have access to, given the fact that hackers are getting increasingly sophisticated at breaking those systems down.”
Canova writes that as competition between fintech firms and banks increases, the former are likely to become subject to increased scrutiny. He cites a consultative paper by the Bank for International Settlement’s Committee on Payments and Market Infrastructures which calls for greater regulation of fintech companies as evidence of this, along with a whitepaper by the Clearing House (a trade association consisting of the 24 largest banks) that discusses “the absence of a level regulatory playing field.”
With fintech innovations becoming increasingly embedded in the fabric of banking operations, the potential for fraudulent use of banking infrastructure involving such technology grows accordingly. With banks and other FIs currently subject to strict anti-fraud regulations, they are unlikely to outpace less regulated fintech companies when it comes to technological innovation in the sector. As banks and fintechs become increasingly intertwined due to mergers, partnerships or head-to-head competition, it becomes more and more likely that regulators will take steps to address this dichotomy going forward.