Staying compliant when deploying fintech in a public cloud is really about knowing how to avoid the landmines. In this article, we’ll point out some of the more important ones and what you can do to avoid them.
Landmine #1: Waiting Until it’s Too Late
Many fintech companies deploying in a public cloud don’t think about compliance until it’s too late. Perhaps that’s because they incorrectly assume you’ll be in compliance by default. That somehow AWS or Google Cloud will just “handle it”.
The bad news is that these public clouds don’t just handle compliance for fintechs—it’s up to you. The good news is they offer plenty of support. This includes things like compliance and governance services, documentation, frameworks, and tools.
In the case of AWS, “customers can access controls that have been tested and validated by third-party auditors across ISO, PCI, SOC, and other certifications.” While Google Cloud promotes its support for The Consolidated Audit Trail (CAT), an upcoming regulatory obligation for U.S. broker-dealer firms.
The best first step when deploying fintech in a public cloud comes before you actually deploy. You start by understanding your compliance requirements and investigating what products and services are available from your cloud service provider (CSP) to meet those obligations.
Landmine #2: Using White Label Financial Services
In an effort to deploy fast, it’s not uncommon for financial service firms to white label part or all of their fintech applications. White labeling generally refers to software that has been purchased from a software developer and rebranded as your own. In the case of deploying in a public cloud, white labeling means integrating your fintech app with other financial services, like a trading platform already connected to an exchange.
While this is certainly a good strategy to speed up product development, it can create challenges when it comes to compliance. Not only does your application need to be compliant, but the white label service you hook into also has the same compliance requirements. And since compliance tends to be based on geography, there is no guarantee the while label service even cares about your compliance needs. That’s why many fintech companies struggle to comply with overseas regulations.
To complicate matters, some regulations require scheduled reporting of transactions, with large fines in the case of even a few hours delay. Clearly incorporating white label services into your fintech requires proper planning, monitoring, and control.
You may not have to build the white label service, but you do have to investigate it as if you had. Before committing to integrating with any white label service, you must understand how it is compliant with typical fintech regulations (e.g., PCI-DSS, SEC Rule 17-a-4(f), Reg SCI, EU Data Protection Directive, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171).
Landmine #3: Trying to do KYC Manually
If you’re planning on deploying a fintech service, then you’re probably aware your service will have to engage in Know Your Customer (KYC) compliance, to identify and verify customers’ identities. But even then, there’s a pitfall that can trip you up: trying to do KYC manually.
You cannot do KYC manually and survive in fintech—it’s just not possible. Fortunately, as digital transformation continues to impact every business, the financial services industry is migrating to eKYC. eKYC (Electronic Know Your Customer) is the remote, paperless process that minimizes the costs and traditional bureaucracy necessary in KYC processes.
This makes perfect sense. There’s just one problem. Public clouds do not offer any eKYC related services. There are bespoke automation products on the market (e.g., onfido, shuftiPro, sumsub), but in most cases, these are not what you’ll need. Moreover, most of them will process and/or store your clients’ confidential KYC data in their cloud, also not what you need.
These same challenges exist with KYB (Know Your Business), a set of regulations related to KYC. Whether KYC or KYB, you know your fintech app can’t do it manually and may not be able to take advantage of existing services. It’s a challenge you need to think through before you embark on your fintech in a public cloud.
The Cost of Noncompliance
What’s the cost of not staying compliant when deploying fintech? It can be pretty hefty. According to Fintech Futures, the 10 largest regulatory fines from all over the world in 2020 ranged from £37.8 million by FCA for AML (anti-money laundering) failings to $3 billion by Wells Fargo for fraudulent account furore.
The remarkable thing is the fine may be more costly than the financial crime that triggered the regulatory violation. Accordingly, the 2019 whitepaper, Financial Crime Compliance: The Cost of Getting it Wrong, “suggested that regulatory fines pose the most obvious, immediate and sometimes the most severe impact to company balance sheets.” For example, “in the Netherlands, ABN Amro reached a €480 million settlement, including a €300 million fine, after an investigation found it had overlooked numerous indications of money laundering and related financial crime.”
What can we take from this? Whatever investment is required to keep your fintech in compliance in cloud operations, it’s worth it. You cannot spend too much on compliance in this area.
Deploying a fintech SaaS solution in a public cloud is a fast-growing business model, as it scales extremely well and addresses many unmet needs. But deploying fintech in a public cloud comes with serious compliance requirements and those requirements have some well-defined landmines.
We covered some of those challenges in this article. Addressing compliance from the start, being cautious with white label services, and taking advantage of eKYC are just three of the more prominent ones. But the cost of non-compliance is too high to ignore them, so be sure to incorporate them into your business plan.
In the next article, the final one in the series, we’ll discuss How to Stay Secure After Deploying Your Fintech SaaS in a Public Cloud.