The digital disruption reshaping financial services mirrors the disruption brought about by Netflix, Uber, Lyft and Amazon in other sectors of the economy. What distinguishes financial technology companies is the financial and personal information their consumers entrust them with. The savviest fintech companies are those that employ discipline and structure to manage risk.
Many fintech companies adopt a fast-failure approach: move quickly and accept mistakes as necessary for innovation. Coordinating innovation with risk management might seem cumbersome. But if innovation is not integrated with effective risk management, companies risk running afoul of regulatory or compliance responsibilities.
One challenge fintech companies face is the sheer number of regulators that have rulemaking or supervisory authority over them due to unique business models and state level licensing and regulators. In the absence of a uniform regulatory scheme, there is widespread confusion about rules, expectations, oversight and regulatory risk. Many fintech companies and their banking partners remain uncertain about which laws and regulations apply or, most importantly, how they will be supervised against those rules.
A potential solution to this problem was the announcement in December 2016 by the Office of the Comptroller of the Currency (OCC) that it intended to create a special purpose national bank charter for fintech companies. The OCC aims to promote safety and soundness in the banking system while still encouraging innovation. A special purpose national bank charter would create a straightforward supervisory structure, coordinated by one primary regulator. This has turned out to be a controversial proposal, since the Conference of State Bank Supervisors has sued the OCC in federal court claiming that creation of a fintech charter would be a violation of the agency’s chartering authority.
Executing an effective risk management plan in an innovative culture is challenging. Companies should be alert to the following common areas of weakness that can create vulnerability.
Compliance culture: Fintech companies often have more in common with technology startups than with financial services companies, which becomes particularly notable when maintaining a compliance management system (CMS). Compared with banking peers, many fintech firms generally have less mature compliance cultures that can struggle under increased regulatory scrutiny. The lack of a comprehensive CMS exposes companies to considerable risk, particularly as regulators apply bank-like expectations to fintech companies.
Risk assessments: Many companies fail to move beyond the assessment of inherent risk to the next logical steps: identifying and closing gaps in the control structure. Assessing the control environment and continually aligning an organization’s resources, infrastructure and technology to pockets of unmitigated risk is critical.
Monitoring and testing: Fintech companies can fail to distinguish between monitoring and testing, or understand why both are important. When executed properly, the two processes provide assurance of sound and compliant risk strategy.
Complaint management: Many organizations become mired in addressing individual complaints instead of the deeper issues the complaints reveal. Root cause analysis can help companies understand what is driving the complaints and, if possible, how to mitigate similar complaints through systemic change.
Corrective action: Finally, because of their fast-fail approach, fintech companies do not always follow up to remediate problems. Companies need feedback loops and appropriate accountability structures that allow them to track, monitor and test any issues after corrective action has taken place.
Strategies Across the Organization
Fintech companies should define clear and sustainable governance and risk management practices and integrate them into decision-making and operational activities across the organization. There are a number of actions that can help companies establish or evaluate their risk management strategies.
Assess risks: Because the fast-failure approach can ignite risk issues across the board, companies should evaluate their structure and sustainability of controls, the environment in which they operate, and their leadership team’s discipline level to measure the coordination of risk management and operational progress.
Identify gaps: Often, these gaps (for example non-compliance with certain laws and regulations, ineffective controls or a poor risk culture) represent the gulf between risks and the risk tolerance of the organization. A company’s risk appetite should drive the design of its risk management strategy and execution plan.
Design a road map: Whether a certain risk should be managed through prevention or mitigation will be driven by the potential impact of the risk and the available resources. Defining a plan within these constraints is important in explaining the risk management journey to key stakeholders.
Execute the plan: Finally, companies should deploy the resources necessary to execute the plan. Appropriate governance, including clear lines of accountability, is paramount to disciplined execution.
Successful companies align their core business strategies with effective risk management and efficient compliance. This alignment is especially important in the constantly changing fintech environment. Risk management and innovation can and should coexist. When they do, success is just around the corner.
John Epperson, principal with Crowe Horwath LLP, is theco-author of this piece.