By: Fintech Association of Nigeria
The ever-changing regulatory climate demands prudent risk management and compliance, particularly within the fintech ecosystem, where the regulatory picture continues to evolve to protect both businesses and consumers.
The Central Bank of Nigeria (CBN), the apex regulator of all financial services, continues to establish more licences and frameworks for operating across several areas of fintech.
Entrepreneurs therefore need to stay abreast of these regulations to avoid compliance issues and ensure proper risk management.
These days, fintech companies operate across several jurisdictions, each with its own risk and compliance expectations. In addition, each subsector of fintech, such as payments, switching and processing, mobile money operation (MMO) and blockchain, to name a few, comes with its own set of rules and regulations. Nonetheless, there are six key risks that all fintechs must consider regardless of sector or geographical location.
These are fraud risks, merchant and third-party risks, anti-money laundering (AML) and terrorist financing risks, consumer risks, credit risk and operational risks, and finally, cybersecurity and data privacy risks.
The good news is that these risks can be managed through a combination of risk management and compliance tactics. Because these risks can be cumbersome for budding fintechs that just want to focus on perfecting their products, it is critical to onboard a competent Chief Compliance Officer (CCO), an experienced Chief Risk Officer (CRO) and a Chief Administrative Officer (CAO). The CCO is responsible for ensuring that the organisation complies with all applicable laws, regulations, policies and procedures, while the CRO focuses on identifying and mitigating all risks that could threaten profitability and productivity.
The CAO has a more general role of managing day-to-day operations which encompasses government relations, human resources, finance, compliance and more. A culture of compliance within the organisation must be built from the top down.
Auditors also have a key role to play when it comes to risk and compliance. Internal auditors investigate potential risks and weak points within the company’s systems and processes, while external auditors inspect financial statements to rule out fraud. Internal audit reports are used by management, while external audit reports are used by external stakeholders such as investors, creditors and the public.
The two roles are complementary as both are essential for the effective risk governance of an organisation. However, it is vital that the two functions maintain clear boundaries and preserve their independence.
The diagram below serves as a guide for risk management and compliance within the fintech space:
The compliance and risk management frameworks in a fintech firm should outline the control and oversight structures needed to manage the multiple stakeholders present in evolving fintech operating models. The framework should take into cognizance the compliance requirements at each stage of product development and of the customer life cycle.
Similarly, risk management frameworks should address the potential exposures created by fintech disruption, innovation, partnerships and ongoing regulatory and financial market developments.
Early last year, United Services Automobile Association (USAA) bank was fined $60 million by the United States Treasury Department for failing to comply with the agency's Bank Secrecy Act regulations. USAA bank had failed to submit reports on suspicious banking transactions in a timely manner, which exposed the inadequacy of the bank's risk management framework.
In addition to the fine, USAA was issued a cease-and-desist order and required to take immediate corrective actions.
This case supports the notion that without robust risk management and compliance practices, organisations will fall short in anticipating potential risks and will therefore be unable to take the appropriate steps to address them in time.
Information security is one aspect of risk management that is often ignored but has an almost immediate impact on survival. In plain terms, information security refers to the technologies, procedures and methods designed and operated by organisations to protect their networks, devices and data from security breaches such as unauthorised access, malware, data theft or hacking. Information security risk management is important because it helps to identify vulnerabilities that could lead to data breaches or other security incidents, and it prioritises each vulnerability by its likelihood and impact.
Fortunately, there are many ways in which fintechs can improve their information security risk management posture. Some of these are regular password changes for customers and employees, regular IT security audits, the use of Artificial Intelligence (AI) and Machine Learning (ML) to track suspicious transactions, security-oriented application testing, and much more.
This comes at a crucial time, as a 2022 study by Statista revealed that the average cost of a data breach in financial services is now as high as US$ 5.97 million.
Fintech start-ups face a higher risk of data breaches than legacy banks because their human and capital resources are not as robust as incumbents. Therefore, fintechs need to take extra steps for risk mitigation.
To succeed, a fintech needs regulators to perceive that risk management is part of the company's self-governing mechanisms. This means that the fintech must have identified its risks, assessed them and taken measures to mitigate them.
The cost of non-compliance is not limited to monetary fines alone – often it also erodes consumer trust, which can be detrimental to start-up growth. With a robust risk management and compliance framework in place, fintechs can better navigate occasionally ambiguous regulations, rather than wasting productive time and resources dealing with all sorts of risk and compliance issues.
In your opinion, what are the greatest risks facing the fintech industry? How can the compliance culture of fintechs be built further? Comment below and let’s keep the conversation going.
Some existing regulations are: the Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers by the Central Bank of Nigeria (CBN); the Guidelines on Minimum Requirements for Data Protection in the Nigerian Telecommunications Industry by the Nigerian Communications Commission (NCC); the Guidelines for Data Protection Compliance in Nigeria by the National Information Technology Development Agency (NITDA); and the Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) Regulations by the Nigerian Financial Intelligence Unit (NFIU).
In our next series on Building Resilience in Fintech Business, we will take a closer look at Ethics, Values and Accountability.