Daria Spizheva
FinTech Engineering Writer at INSART
2 May 2019

Leveraging FinTech Startups with Regulatory Compliance: What’s the Hitch?

Implementing regulatory compliance is a requirement for companies that want to expand their operations in the global marketplace. Recent data breaches and information-security issues have proven the importance of regulating client data flow. For instance, the Securities and Exchange Commission (SEC) recently charged Voya Financial Advisors $1 million for cybersecurity failures, including violations of the Safeguards Rule and the Identity Theft Red Flags Rule. As such, FinTech companies need to prioritize enhanced scrutiny and monitoring by way of stronger controlling authorities. To be successful, startups must comply with data-security regulations when performing the following activities, to name just a few:

  • Integrating services easily (few companies are willing to share their data with untrusted partners)
  • Raising funds at the investment round, as investors have become more knowledgeable about which startups they should invest in
  • Operating within the cloud
  • Managing distributed teams
  • Utilizing the powers of Machine Learning and Artificial Intelligence in their products

Regulations in FinTech aren’t limited to FINRA/SEC. Last year’s GDPR law became one of the top policies with which startups need to align their services. It affected many industries but especially FinTech. Here’s why.

  • Financial products aggregate large volumes of personally identifiable information (PII), which requires closer scrutiny on the part of controlling authorities.
  • FinTech companies, as a rule, have a startup-like nature and often cannot afford to keep entire departments tailored to compliance implementation.
  • Existing regulations prevent companies from transferring clients’ business data outside of the United States, which complicates hiring talent abroad, working with vendors, etc.

In this article, we will investigate how tech startup leaders keep their products compliant with regulations.

Frequently discussed regulations

We asked FinTech technology leaders to discuss the top trends in regulations, to identify which regulations were most attractive to them, and to say whether they already had or were in the process of getting the appropriate certifications. We also invited them to discuss the challenges of this process.

SEC/FINRA

Jason Barry, CTO at Tradier, a financial services cloud for US-based stock and option trading, reports that the company experienced 200–300% growth over the last year. To keep up with this growth and engagement, they use improved architectures driven by Amazon Web Services (AWS), comprising over fifty servers and services. “Amazon is a key partner of Tradier, as it’s fully compliant with SEC/FINRA guidelines,” Barry says.

This strategy is common among startups, many of which prefer using AWS cloud technology over building their own data centers, which tend to be more complicated because of tough regulations and security standards. AWS, as many startups recognize, can provide safer data storage and can implement the most modern and exclusive security standards.

But according to Barry, Amazon isn’t Tradier’s only partner. To continuously deliver secure and risk-free services, they integrated with Apigee (recently acquired by Google), which helps them leverage authentication and protection services such as Spike Arrests.

Greg Eisenberg, Director of Engineering at Laserfiche, which produces enterprise business process-automation and -acceleration software for RIAs, says that their on-premises products can also be used in compliance with SEC Rule 17a-4. Eisenberg says that on-premises security implementation is a two-way street: the Laserfiche platform contains all the tools and functionalities to secure data, but it’s up to customers to make sure those controls are in place. Eisenberg also says that Laserfiche will soon launch LF Vault, an SEC-17a-4-compliant storage solution within the Laserfiche cloud.

SOC 2 compliance

FinTech companies that provide software-as-a-service (SaaS) solutions, which tend to be especially concerned with information security, can pursue a SOC 2 compliance certification. SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.

Eisenberg is currently moving Laserfiche to the cloud, and for that purpose, they have a SOC 2 compliance certification. This ensures that Laserfiche follows strict information-security policies and procedures regarding the security, availability, processing integrity, and confidentiality of customer data.

“We’ve also created a lot of documentation, and [are] working with our solution-providers to train them on best practices, and there’s a phenomenal community of solution-providers who use our answers platform to ask good questions and get answers on how to do certain things.” –Greg Eisenberg

Eisenberg’s company uses a third-party security firm to analyze their codebase, identify potential vulnerabilities, and perform penetration testing of the Laserfiche cloud. In addition, Laserfiche is the only member in the wealth-management space that has a records-management module that can be used in compliance with Department of Defense standard DoD 5015.2 for the long-term archiving and retention of digital records. This level of compliance is the international gold standard in protecting the integrity and security of digital records.

ISO/IEC 27000-series

ISO 27000-series standards provide a prescriptive set of features for an effective information-security management system. This pertains to data security and the ways in which data moves across multiple vendors. Mike Granger, CPO at Advisor Software (ASI), is on the road to introducing this level of compliance. Drawing on an extensive set of tools, he reduced PII visibility as the first step:

“We’ve actually removed all PII from it so that the entity can license APIs [and] use the APIs without really ever disclosing their client at the back end. By utilizing that approach, we’ve really eliminated that problem, and it’s helped us culminate, too.” –Mike Granger

In addition, ASI pays special attention to privacy controls for cloud computing, which is the focus of the ISO 27018:2014 amendment. Also, they’re on their way to Cloud Security Alliance (CSA) compliance.

Is a regulation-free world possible?

Each country and state has its own regulations for FinTechs. Alan Quinlan, Head of Ignition Advice Ireland, and Mike Giles, CTO at Ignition Advice, run a unique B2C robo-advisory platform for individual investors. The hitch is that they’re located in Australia, which is known for its harsh regulations over financial practices. After establishing themselves in their domestic market, Quinlan and Giles started expanding into Europe and now operate in Ireland. Quinlan says:

“The Irish market has suffered from the lack of investment over the last ten or fifteen years. Most markets there don’t need a license to give advice, whereas Ignition [Advice] has the in-house capability to provide advice around the regulatory side.”

Takeaways

What struggles over regulations did your company have? What did you do to align your products and processes with these standards? Share your experience and help your colleagues!