The Financial Conduct Authority (FCA) recently published Consumer Credit: Protecting Your Business From Financial Crime. The booklet is primarily for consumer credit firms regulated by the FCA to provide guidelines for Know Your Customer (KYC) practices to reduce the risk of financial crimes. However, the booklet’s discussion of good vs. poor practices and the guidelines are also directly applicable to any firm that digitally interacts with consumer personal and financial data. While currently fintech firms do not have uniform requirements to prevent financial crime, we all have a responsibility to exercise due care to protect our customers and to safeguard the confidentiality and integrity of their personal data; especially their online banking credentials. Therefore, applying the FCA’s guidelines via a risk-based lens to your specific operations will be both informative and valuable to enhance the security of your services and to maintain the trust of your customers.
Risk Assessment Self-assess the major financial crime as well as customer identity and privacy risks to your business. For example, how are you handling KYC of new customers to ensure that they are indeed the person they claim to be? Are you taking their registration at face value or are you conducting email or mobile phone verification? If so, are you screening our disposal IP addresses and VoIP phone numbers?
Policies and Procedures Do you have policies and procedures that provide clear documentation of risk managing activities to ensure rigorous adherence? Are they reviewed regularly and upon changes to your business processes? How are they communicated to your personnel?
Governance Good risk management starts at the top of the organization. Board members, owners, executive and senior managers must take responsibility for the protection of both the business and its customers. To do so effectively, there must be regular reporting on both key risk and performance indicators for the business.
Staff Awareness In addition to knowing the policies and procedures, staff should be aware of indicators of crime and abuse of the services. This is essential for IT development personnel who can build controls into the programs as well as operations staff who can monitor for such indicators and patterns.
Data Security Data security is a key component safeguarding your business and your customers. While data security is part of everyone’s job, there should be an accountable individual who has sufficient expertise, or access to expertise, to build security into every system, application and process that handles customer data. Documenting the data flows associated with your business is the best way to start this process. Using this as your guide, identify where and how bad guys (from inside and out) can abuse your services for malicious intent.
Customer Due Diligence Good KYC is necessary for any service that involves customer banking credentials or financial data. You must document and follow appropriate risk-based customer onboarding processes to ensure your services are not used for criminal activity. Good KYC means you collect and verify sufficient information about the user to obtain reasonable assurance of their true identity.
Ongoing Reporting You should have regular automated logging and reporting of the use of your services to monitor for anomalies and other indicators of abuse or misuse. These can be built-in automated scripts and manual spot-checking of operational processes.
Record Keeping Logging of important activities, such as account registrations and access attempts (both successful and failed), is necessary to ensure your services have not been compromised and for investigation in the case of hacking or other abuse. While the FCA’s booklet is not exhaustive in its scope, it provides excellent guidance for all fintech firms to craft or evolve a program to manage abuse of their online services to better protect their business, their customers and, ultimately, the stability of the financial market.
As a pioneer in bringing SaaS applications to the financial services industry, and an FFIEC supervised Technology Service Provider, Envestnet® | Yodlee® has extensive experience in meeting the highest standards in data security, privacy, and regulatory compliance. To learn more, please visit: https://www.yodlee.com/legal/yodlee-security
