Fintech Privacy Best Practices

A long time ago in a galaxy far, far away, all banking had to be done in person. Mobile deposits didn’t exist, stocks couldn’t be bought and sold on a cell phone, account statements were snail-mailed, not emailed, and friends had to pay each other back with actual cash.

Fintech changed all that. 

Like Bennifer and Brangelina before it, fintech is the celebrity couple name for the increasingly important and prevalent intersection of the financial services industry sector and the technology sector. 

Advances in mobile and ecommerce tech capabilities have affected every part of our economy, but almost no industry has been shaken up by these changes as much as banks and investment firms. Although these industries were once firmly in-person, brick-and-mortar operations with the power balance heavily weighted against consumers, fintech has:

  • Automated many financial services processes
  • Accelerated the growth of the startup economy 
  • Increased industry focus on omnichannel experiences (individualized customer touchpoints across apps, email, social media accounts, websites, etc.)
  • Enabled creation, use, and acceptability of cryptocurrencies (Bitcoin, Dogecoin, etc.)
  • Disrupted the loan market
  • Deepened business’s dependence on Big Data to analyze and understand risk

Fintech’s prevalence and success, however, mean that the industry is relentlessly attacked by the Dark Side, er, cybercriminals, just as Darth Vader pursued the heroes of Star Wars across the galaxy. 

In this complicated environment, a strong data privacy program can act like the Force that made Jedi so powerful. It can warn you of incoming threats, protect you from multifaceted attacks, and show you your company’s strengths.

The Force Awakens: Fintech’s Rise

The fintech origin story began in 1866 with the successful installation of the first lasting transatlantic cable. The launch of credit cards in the 1950s and the introduction of ATMs in the 1960s led to increased digitization of financial institutions, which in turn facilitated the creation of digital stock exchanges and SWIFT, a messaging network still used by banks and investment firms to send and receive transaction instructions quickly, accurately, and securely.

The growth of ecommerce in the 1990s and early 2000s also played a significant role in the expansion of the fintech industry, but the fintech we know today started when the global market crashed in 2008. As distrust for traditional banks, mortgages, and investment firms spiked dramatically, plenty of entrepreneurs were ready to give consumers innovative new ways to manage their money.

Fintech has expanded and changed more in the last 10+ years than it did in the first 125. EY found that global adoption of fintech services grew from 16% in 2015 to 64% in 2019. With the ongoing pandemic increasing our reliance on virtual solutions for nearly everything, fintech use in Europe alone has increased 72% since 2020.

According to PWC, other drivers of fintech dominance include:

  • A younger average workforce
  • Rapidly increasing urbanization
  • A growing global middle class
  • Increasing use of mobile apps for financial transactions

The Empire Strikes Back: Current Privacy Threats in Fintech

In Star Wars canon, the Rebel Alliance’s successful destruction of the first Death Star results in swift and harsh retribution from the Galactic Empire. By the end of The Empire Strikes Back, the secret base on Hoth is destroyed, the Alliance is scattered across the galaxy, Han is frozen in carbonite, and Luke is down a hand but up one evil dad. 

Just as the Rebels’ success brought new problems, fintech’s increased importance in our lives means the fintech industry is facing a new and ever-growing threat landscape.

Because they hold real-time financial data and other sensitive personal data like Social Security numbers and card details, fintech firms were a primary target for attackers even before COVID. 

Current security challenges include:

  • Legacy systems that lack adequate data security controls and are hard to modernize
  • Under-secured mobile apps
  • Processing consumer data using third-party vendors with poor protections
  • Phishing, spoofing, and other social engineering techniques
  • Synthetic identity fraud
  • Transaction fraud

The biggest threats facing fintech aren’t that different from the threats facing everyone else, but the economic, reputational, and individual ramifications of fintech data breaches are staggering.

Fintech data usage

Another issue facing fintech that can be spun into a positive: how data is collected and used, and how consumers feel about it. When users provide information for financial purposes, their expectations are different from when they make an online purchase for a pair of shoes or a new light fixture. Financial information is sensitive and very personal to individuals. 

Fintech companies need to design their practices to meet those expectations. Make it clear what data is shared, with whom, and what users should expect. Even if the law, which is often a grey area, allows this sharing, customers might not accept it. 

Take Venmo, for example. Transactions are shared via a social feed when you log in, but users have the option to make their transactions private. This approach raises the question of what truly gives consumers the greatest privacy control. By taking an opt-out rather than opt-in approach, Venmo users who didn’t change the setting, or who might be unaware of the feed, could be unknowingly sharing their financial transactions. 

To provide the greatest level of consumer control over privacy, opt-in is the privacy-by-design default companies should choose: share nothing until the user explicitly asks to. 

A New Hope: How to Protect Privacy and Still Profit

People often talk about data privacy and cybersecurity like they’re the same thing, but they aren’t. They need each other, but they have nuanced differences. Cybersecurity focuses on keeping consumer data out of the wrong hands; data privacy is a more holistic discipline that combines tech, process, and people to govern what data is collected, why, and how it is used, and to instill a culture of privacy best practices. 

In A New Hope, the first movie in the Star Wars saga, Luke, Leia, and Han provide the Rebel Alliance with the missing pieces of their battle plan. We’re here to give you the keys you need to protect your customers from the Dark Side by building a strong, cost-effective data privacy program.

Create cross-functional compliance

You can’t have a good privacy program without input from every department in your organization. Your customer service reps who access private data to verify mobile payments need to be following the same standards as your marketing team does when they send customized promotion information and as your IT department does in managing the technical details of a transaction.

But while the standards need to be the same, the processes may not be. Depending on what platforms your teams use and how matrixed your company is, the way teams achieve privacy compliance may look different.

To ensure all your teams are working towards the same goal, it’s crucial to create a cross-functional task force that allows departments to collaborate on troubleshooting, process updates, and employee training.

Define your data

All fintech firms need to analyze their data collection practices, but this is especially true for financial technology companies running legacy systems. If this is you, listen up.

The more data you hold, the larger your attack surface and the bigger the impact when something is breached. The older the systems your data sits on, the less likely it is to be well protected.

The best way to figure out if you’re collecting data you don’t need, keeping it too long, or storing it unsafely is through what privacy experts call data mapping. Also known as a data inventory, data mapping involves following a data record through its entire journey in your systems, from collection to deletion.

Figuring out what types of consumer data you’re collecting, which consent options fire at collection, who the data is shared with, what your teams are doing with it, where you’re storing it, how you’re protecting it, and how long you’re keeping it will help you identify vulnerabilities and opportunities for improvement.

Analyze your access

One of the easiest, most low-tech ways to protect your data is to restrict access to it. If you use legacy platforms, data mapping may even show you that former employees still have access to databases, entry-level employees can get into what are supposed to be highly secure files, and vendors can reach records that have nothing to do with their contracts. 

By applying the principle of least privilege, which gives each person the minimum data access needed to do their job, you can remove a large share of that risk at once. Repeat the review on a schedule, since roles, contracts, and staff change faster than access grants get cleaned up.
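As an added example (not Red Clover Advisors’ tooling, and not code from the original page), here is one way to turn the “Define your data” and “Analyze your access” steps into a repeatable check. It takes a data map of the kind described above, with each store’s data category, oldest record, encryption status, and access grants, plus a roster of people and vendors, and flags over-retention, unencrypted sensitive data, access held by former staff, vendors reaching data outside their contract, and roles with no legitimate need. The stores, people, retention limits, and role entitlements are all constructed for the example; a real run would read them from your own data inventory, HR system, and IAM exports.

```python
"""Data-inventory and access-review checks over a constructed data map.

Added example. The inventory, retention limits, role entitlements and
people below are invented to exercise the checks; they are not real
systems, real policy or real people.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical retention limits (days) per data category. These are
# assumptions for the example, not legal advice; take them from your own
# retention schedule.
RETENTION_DAYS = {"identity": 365 * 7, "payment": 365 * 2, "marketing": 365}

# Which job roles legitimately need which categories (least privilege).
# Assumed for the example; your role model will differ.
ROLE_ENTITLEMENTS = {
    "support": {"identity", "payment"},
    "marketing": {"marketing"},
    "engineering": set(),  # engineers touch production data only via break-glass
}


@dataclass
class Principal:
    name: str
    kind: str    # "employee" or "vendor"
    role: str    # employee job role, or the category a vendor is contracted for
    active: bool = True


@dataclass
class DataStore:
    name: str
    category: str
    fields: list
    encrypted_at_rest: bool
    oldest_record: date
    grants: list  # names of principals with read access


def audit(stores, principals, today):
    """Return a list of (store name, finding) tuples; an empty list means clean."""
    people = {p.name: p for p in principals}
    findings = []
    for s in stores:
        # 1. Retention: are records being kept past the limit for this category?
        age = (today - s.oldest_record).days
        limit = RETENTION_DAYS[s.category]
        if age > limit:
            findings.append((s.name, f"records {age}d old exceed {limit}d retention"))
        # 2. Storage: sensitive categories must be encrypted at rest.
        if s.category in ("identity", "payment") and not s.encrypted_at_rest:
            findings.append((s.name, "sensitive data not encrypted at rest"))
        # 3. Access: every grant must map to an active principal whose role
        #    (or vendor contract) entitles them to this category of data.
        for name in s.grants:
            p = people.get(name)
            if p is None:
                findings.append((s.name, f"grant to unknown principal {name}"))
            elif not p.active:
                findings.append((s.name, f"former {p.kind} {name} still has access"))
            elif p.kind == "vendor" and p.role != s.category:
                findings.append((s.name, f"vendor {name} contracted for {p.role}, not {s.category}"))
            elif p.kind == "employee" and s.category not in ROLE_ENTITLEMENTS.get(p.role, set()):
                findings.append((s.name, f"{p.role} {name} not entitled to {s.category} data"))
    return findings


# Constructed sample inventory (invented systems and people).
SAMPLE_PRINCIPALS = [
    Principal("alice", "employee", "support"),
    Principal("bob", "employee", "marketing"),
    Principal("carol", "employee", "support", active=False),  # left the company
    Principal("dave", "employee", "engineering"),
    Principal("notify-co", "vendor", "marketing"),  # contracted for promo emails only
]
SAMPLE_STORES = [
    DataStore("kyc_db", "identity", ["ssn", "dob"], True, date(2015, 3, 1), ["alice", "carol"]),
    DataStore("card_vault", "payment", ["pan", "expiry"], True, date(2023, 6, 1), ["alice", "dave"]),
    DataStore("legacy_ledger", "payment", ["pan"], False, date(2022, 1, 1), ["alice", "notify-co"]),
    DataStore("promo_list", "marketing", ["email"], True, date(2024, 1, 1), ["bob", "notify-co"]),
]
TODAY = date(2024, 6, 1)  # fixed date so the example is reproducible

if __name__ == "__main__":
    for store, finding in audit(SAMPLE_STORES, SAMPLE_PRINCIPALS, TODAY):
        print(f"{store}: {finding}")
```

Against the sample data the audit reports six findings: the KYC database holds identity records well past the seven-year limit and still grants a departed employee, the legacy ledger keeps card data too long, unencrypted, and exposed to a notification vendor contracted only for marketing, and an engineer holds standing access to the card vault. The marketing list comes back clean because its only grants are the marketing role and the vendor contracted for that category. The useful design point is that each finding is tied to a named store and principal, which is what you need to actually revoke a grant or purge a table rather than just report a percentage.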

Vet your vendors

Attackers know that it’s often much easier to breach a small vendor that sends customers payment notifications than it is to hack the bank itself. And, increasingly, that’s exactly what they’re doing.

There’s nothing worse than paying the price for a mistake you didn’t make. Take some time to ask your vendors about their privacy and security practices, and write the requirements into the contract. If their practices don’t match yours, ask them to up their game or find a new provider. 

Train your teams

Just as you want every department on your privacy planning team, you need to make sure employees in every department are getting the same privacy training. Most data breaches involve human error somewhere along the chain. Whether it’s clicking a suspicious link, opening an infected attachment, or using a weak password, your employees can be either the best defense or the biggest liability your privacy program faces.

Spending a little bit of time in every staff meeting, email blast, or company-wide event setting clear expectations for how financial account information can be used, who can access it, and how to avoid fraud will deliver a huge ROI.

Do or do not. There is no try.

Here’s a hard truth—if you aren’t actively working on a data privacy program, you’re setting yourself up to fail. 

Rome wasn’t built in a day, and you don’t have to create a just-add-water program that launches with all features all at once. 

But you also can’t expect to avoid hacks with half-measures.

Forty percent of fintech businesses that have invested in upgrading their cybersecurity and privacy systems have seen a return two to three times over their initial investment. On a basic, bottom-line level, implementing data privacy best practices is a sound business strategy.

But even more importantly, proactive privacy efforts can improve your reputation with both consumers and clients while saving you from embarrassing breaches.

Red Clover Advisors is a privacy consulting firm that specializes in helping businesses design and implement practical, functional privacy strategies. Give us a call to see how we can help you.