Vasyl Soloshchuk
12 September 2019

What Should a CTO in Fintech Know about Regulations?

Two things are impossible to miss when you’re a tech leader in FinTech:

  1. You cannot go without regulations.
  2. The regulatory landscape is labyrinthine, especially in the United States.

Wading through innumerable legal details takes far more time than a CTO can afford, so what is the effective minimum for CTOs to stay relevant to the business without missing anything important? Let’s find out together.

The two regulatory bodies one can’t pass by

No startup or initiative in the Fintech world can go without the U.S. Securities and Exchange Commission (the SEC) and Financial Industry Regulatory Authority (FINRA). Both organizations protect the investor from any possible fraud or misbehavior. If we take robo-advisors as an example, the first body from which they should accept approval before starting their activities is the SEC. To get the same legal status as traditional broker-dealers, they must first register with the SEC and then with state securities authorities, if necessary.

The required submission to the SEC is Form ADV, which indicates a summary of material changes within the firm. In addition, investment advisors must deliver to clients a brochure supplement about employees that acts on behalf of the investment advisor. The complete list of submissions necessary to start a business in Fintech can be accessed in our new white paper Fintech Regulatory Aspects and Adopting Cloud.

On top of the submission to the SEC, a firm should become a member of the FINRA or some other self-regulatory organization to be able to function. The FINRA is a nongovernmental organization subordinate to the SEC that manages risks within the broker-dealer area. It encourages investors to check filings and backgrounds of every firm or professional who has submitted to register as a registered investor advisor (RIA).

Regulatory principles in Fintech

One can speak a lot about regulations, but there are several pillars to know about current regulatory principles. To make a long story short, here they are:

  1. Traditional regulations still apply to new technology.

The financial products are usually complex. They require some inputs and then produce some outputs, but it’s usually unclear how the advice is generated. The obscurity of such processes can sometimes cause companies to produce misleading investment advice—that’s why regulatory bodies require all companies involved in finance to explain how they get the outputs that they provide to their clients.

As for Fintech companies, they should be able to explain to regulators how the tool works and how it complies with regulatory requirements. For example, to help robo-advisors explain how they comply with regulatory requirements, the SEC’s Division of Investment Management issued an update on the FINRA’s “Report on Digital Investment Advice,” the report that outlines the regulatory principles and best practices.

  1. Customer information protection should be given special attention.

Protecting the security and integrity of customer data as well as preventing unauthorized access and any other anticipated threat have become increasingly important. The SEC has issued the primary rule Regulation S-P, which requires RIAs to have policies and procedures addressing the protection of customer data. Those who fail to comply with these policies can be subject to enforcement implications. Additionally, the Federal Trade Commission (FTC) created the Red Flags Rule, requiring financial institutions with covered accounts to develop and implement written identity theft prevention programs. More details on how Fintechs can ensure their clients’ data security can be found in our Fintech Regulatory Aspects and Adopting Cloud white paper.

  1. Shared responsibility with third-party vendors is unavoidable.

The Fintech market demands that companies make their products accessible, which is why they often choose to migrate to the cloud. This type of migration enforces companies to share security responsibilities with cloud service providers (CSP). As the business adopts the cloud, they need to address “gray zones” such as credential management, data encryption, configuration management, log analysis, events monitoring, and so on.

Each popular cloud has its shared responsibility model, which is vital to take into account when choosing CSP. This model shows what areas of responsibility are still up to the company and what the CSP will handle. For example, Amazon AWS Cloud distinguishes security “in the cloud” and “of the cloud” when describing what areas of responsibility each party will have after migration.

  •     “IN the cloud” security includes customer data, identity and access management, operating system, firewall, and server-side encryption (among others). The customer company controls these areas.
  •     “OF the cloud” security means databases, storage, networking, global infrastructure and hardware, availability zones, and so on. These responsibility areas are on AWS.

What is worth asking before hiring a vendor?

When looking for vendors to help you with Fintech platform development, it’s crucial to make sure they have a robust understanding of financial regulations. Vendors having a vague idea about regulations can expose your project to major risks in the future.

For example, if you go offshore, nonresidents can’t work with production data. U.S. citizens’ data should be stored and processed only in the United States. To stay compliant with the law and ensure client data security, vendors use obfuscated data or staging-box. However, if a vendor doesn’t know much about regulations in its specific work area, your company can end up being exposed to law violations and receiving a citation or subpoena from the controller body.

The following are a few questions to ask your vendor before entrusting them with your clients’ data:

  •     Does your company conduct background checks for new employees?
  •     Does your physical office have a pass entry system?
  •     Do your employees have selective access relevant to their jobs?
  •     Do your employees pass any security certifications and training?
  •     How many internet connectivity channels does your company have? Do you use a VPN?
  •     Have you dealt with obfuscated data or staging environment before?
  •     Do you monitor who accesses the data in real time?

Usually, the answers to these questions will show the real level of the vendor’s literacy in Fintech engineering. Although a few companies have people dedicated to regulations and compliances in their staffs, startups can’t usually afford them. If you have any doubts about how to organize a secure Fintech software development process, we recommend addressing to skilled vendors only, because the potential risks are huge.


INSART is a Fintech engineering company with an extensive track record in building leading platforms for investment advice, lending, fundraising, and other aspects. INSART is proficient in establishing a secure connection and development process across all development stages. We also help companies that have never outsourced their development to figure out which architecture, technology stack and processes can provide the best possible security and comply with any type of regulations in the United States or abroad.


Fintech and regulations are inseparable. When building a Fintech product, you have so many issues to take care of—CTOs have so many issues to address, too. Meanwhile, we outlined the bare minimum to keep in mind when starting your platform or hiring a development team. We have more information available on this topic to cover other CSPs, regulatory documents, and peculiarities that are worth knowing. For details, download a free white paper Fintech Regulatory Aspects and Adopting Cloud.