Meeting Compliance Requirements in FinTech

December 16, 2016

Navigating the notoriously complex compliance landscape of the financial industry

The financial industry is subject to a considerable amount of oversight from a number of different regulators, and for good reason. It is an incredibly complex industry that is tied to, and impacts, the whole U.S. economy and everyone who participates in it. Keeping up requires dedicated compliance resources and close attention to operations.

As ComputerWeekly explained, the financial services industry deals with one of the most complicated compliance landscapes that applies to organizations globally. It is subject to a multitude of both regulatory and legal mandates that span international boundaries and have implications for every practice area of IT.

Further, things are changing rapidly in the industry, with a significant amount of market disruption. Forbes noted that evolving customer behavior and a mass increase of digital technologies are contributing to an even more complicated regulatory environment for financial companies. Cybercrime is an ever-present, ever-changing risk as well, one that has also increased compliance requirements.

Financial services compliance drivers:

  • 75% of financial organizations currently offer customer portals
  • 75% of banks offer a mobile application; 50% of insurance companies do
  • Some financial organizations still lack a mobile app, but many of those without one plan to implement within the next 12 to 24 months
  • 32% of financial institutions believe that hacking and socially engineered cyberattacks are currently their greatest threat

Government regulations in financial services
The list of government mandates and regulations affecting financial IT organizations is long and winding. Participants in The Flexential Financial Services and IT Study: Tackling the Digital Transformation cited the following regulatory bodies and mandates as the most impactful among the many mentioned:

  • Federal Financial Institutions Examination Council (FFIEC)
  • Sarbanes-Oxley (SOX)
  • Federal Deposit Insurance Corporation (FDIC)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Dodd-Frank
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Gramm-Leach-Bliley Act, or Financial Modernization Act of 1999 (GLBA)
  • Securities and Exchange Commission (SEC)
  • Consumer Financial Protection Bureau (CFPB)

SOX and HIPAA affect insurance companies more than banks, while banks are impacted more by Dodd-Frank and FFIEC. Insurance providers mentioned that state and local regulations are also a significant challenge. An IT practice considered permissible in one state may be prohibited in another, which makes juggling geographically disparate customers difficult.

The complexity of the industry's compliance landscape heavily influences the budgeting of IT departments:

  • 20% of financial institutions' IT budget goes toward satisfying government mandates and regulations.

While financial organizations are impacted by many industry and government regulatory bodies, Dodd-Frank and the FFIEC were the most frequently mentioned in Flexential's Financial Services and IT Study.

The Dodd-Frank Wall Street Reform and Consumer Protection Act is a U.S. federal law enacted in July 2010 that regulates the financial industry and is specifically aimed at preventing financial crisis. Dodd-Frank's numerous statutes enforce accountability, transparency and consumer protection, as defined by TechTarget. Dodd-Frank includes governance over IT and InfoSec practices, and is heavily affecting financial institutions, as evidenced by Flexential's Financial Services and IT Study participant commentary:

“The biggest regulation has been Dodd-Frank, which introduced about 10,000 pieces of regulations. Our legal team will go through and look at what we need to change in our process, and ultimately our IT systems, in order to accommodate it.” – Executive VP & CIO of US regional bank

“Dodd-Frank is focused more specifically on the lending side, where there is more data that needs to be collected. It makes sure you don't have customers that are transporting money to fund terrorism. We are having to implement additional safeguards to track and fulfill the regulations that are there. It puts a heavier load on us because we are having to review additional products.” – AVP of IT at large regional bank

The Federal Financial Institutions Examination Council, or FFIEC, was enacted in October 2005 and focuses specifically on cybersecurity risks, with emphasis on identifying, assessing and mitigating the continuously increasing volume and complexity of cyber threats.

“On an average basis (IT budget of $300 million a year), discretionary spending is about $100 million, and $38 million of that last year was bucketed as compliance mandated changes. These fines are just incredibly big.” – Executive VP & CIO of US regional bank

Unsurprisingly, the industry is used to government regulations, but it's not thrilled by them:

  • 55% of banking respondents feel that the reach of government regulation is excessive
  • 28% of insurance respondents, whose sector is not subject to quite as many compliance demands, feel that the reach of government regulation is excessive

Adapting to digitalization and increasing cybercrime
All in all, compliance means increased pressure on resources, because every initiative has to clear extra hurdles before anything gets done. Legal, compliance and procurement objectives all run into checkpoints put in place to avoid missteps amid the endless sea of regulations.

However, financial institutions have the power to stay in control. Managing the changes that come with digitalization and advancing cybercrime is possible with the right adaptation strategy, including the following steps summarized by Forbes:

  1. Focus on becoming data- and insight-driven.
    Since data can now be aggregated from a wide array of sources, such as controls performance, client transactions and employee conduct, taking advantage of analytics solutions can support compliance functions by enabling predictive insights.
  2. Collaborate.
    Making use of shared-services data processing will help standardize data and identify issues.

The right compliance partner
The technology and infrastructure behind financial organizations' IT departments determine the success rate of meeting customer demands. Given the complexity of compliance in financial services, working with a technology services provider who understands the industry landscape can be extremely beneficial for any number of IT initiatives, from compliance support to migration projects.

Selecting a third-party partner who has architected cloud and data center services specifically to align with compliance in the financial sector is key. You need someone who understands powering applications efficiently, storing data securely and meeting the demands of industry and government compliance requirements.

If your organization is interested in achieving and sustaining a compliant state in your technology practices, Flexential can help. We believe in a shared responsibility model for IT compliance, and our experts are available to answer your questions and explore your IT compliance practice. Visit or call (888) 5523-FLEX.