When looking at the new competition arising from fintech companies, many bankers understandably feel that they are at an unfair disadvantage. Banks must deal with a constricting regulatory environment, but regulators don’t always apply the same standards to fintech companies. So bankers have lobbied regulators to take a more aggressive stance towards their new competitors. [Editor’s note: The Consumer Financial Protection Bureau recently fined payment startup Dwolla $100,000 for “deceiving” customers about its security practices.]
Bankers are right to push regulators on this issue. Regulators must take a closer look at the growing fintech sector, create new standards and coordinate their efforts across multiple enforcement agencies.
The purpose of these oversight efforts should not be leveling the playing field between banks and new entrants. Instead, the purpose should be protecting customer data and keeping customers informed about how their information is used. Regulation that properly incentivizes innovation and benefits consumers needs to focus on security, privacy and transparency.
The Clearing House, which processes payments for banks, correctly pointed this out last year in a white paper that detailed some of the security lapses by alternative payments providers. For example, reports surfaced last spring that Venmo allows changes to important account information without notifying the user. This is a basic security blunder, and banks can be left on the hook for fraudulent transactions when new providers make such mistakes.
Setting Standards Based on Size, Access to Customer Information
To help fix this situation, regulators need to implement security standards for fintech companies based on their size and the type of customer information they touch. That means some fintech companies should be held to the same standards as banks—particularly those that offer account products—but others should not, depending on the sensitivity of the customer data they handle.
It also means that early-stage startups shouldn’t be held to the same standards as larger, more mature fintech companies. An early-stage startup with a minimal staff is not likely to have a security professional or the funds to hire one. So holding small startups to the same security standards as a large mobile wallet provider that processes billions of transactions per year will only strangle innovation.
Banks can play a key part in helping these early-stage startups while also improving their own offerings. Many of these startups hope to partner with or be acquired by banks. As millennials grow up, those banks will increasingly compete with their peers based on their digital offerings. The ability to effectively partner with small, agile startups while ensuring security and compliance will be a competitive advantage for these institutions.
A bank that wants to partner with a promising startup can share some of its knowledge, staff and resources in security and compliance with the startup. Banks are usually cautious in launching new products in conjunction with startups anyway, typically starting with a small trial with a limited number of users. That approach helps banks ensure the security and compliance of both the product and the partner before a full launch with customers.
Effective Security Standards
While giving early-stage startups leeway on security makes sense, fintech companies whose customer base passes a set threshold should face appropriate scrutiny and regular security audits, because they are more valuable targets for hackers and present a larger attack surface.
That means regulators will need to be more specific about their security guidance than they’ve been in the past. Regulators often shy away from mandating specific security measures, instead favoring general guidelines and benchmarking against industry peers. As the cyber threat grows bigger, regulators will need to require measures like tokenization and encryption for fintech companies handling sensitive customer information. Those fintech companies that offer account products or a direct connection to users’ existing bank accounts should be required to monitor and analyze user activity to prevent unauthorized logins and transactions.
These measures are likely to become industry standards in time anyway, but regulators shouldn’t hesitate to take a hand in speeding up that process. Regulators might prefer to wait and let the fintech market determine industry standards. Security is already a competitive advantage for fintech companies. Apple set the bar when it introduced Apple Pay and emphasized the security built into it. The fintech companies that don’t meet industry expectations for security won’t succeed in the long run. But regulators shouldn’t wait for fintech winners and losers to shake out to take action that could help protect customers’ information now.