Is GDPR a competitive advantage for FinTechs?

Complying with GDPR is forcing financial services organisations to undergo considerable (and expensive) change, but it might be a blessing in disguise for smaller FinTechs looking to gain an edge.

GDPR is here now, and the heat is being felt everywhere. However, despite the possibility of heavy fines, it appears that businesses were still unprepared for the deadline. Many are still trying to understand how GDPR will affect them and what exactly they need to do. A Deloitte survey shows that only 15% of organisations expected to be fully compliant in time, with the majority instead targeting a risk-based, defensible position.

In short, some feel big businesses may understand the need for GDPR, but it doesn’t mean they’re enjoying the compliance process.

Competition and compliance
But what does it mean for smaller companies like FinTech start-ups?

Traditionally, the financial services industry has been a hostile environment for newcomers. The incumbent advantage for large banks was significant, as large overheads and regulatory complexity facing new entrants worked to protect well established brands.

However, the recent growth of digitally enabled FS players, from challenger banks to software providers, has generally been welcomed as an unexpected challenge to the old status quo.

What is not yet understood is whether the complexities of GDPR compliance will prove especially difficult for the newer, less experienced FinTech entities, or whether this regulation provides an opportunity for them to gain an edge over their larger and less agile rivals.

A Fintech opportunity
The intent behind GDPR according to the EU commission is “give citizens back control over their personal data, and to simplify the regulatory environment for business”. In simple terms, this means that businesses are expected to understand exactly where personal data within their business lies, why it was collected and how it will be protected. This regulation does not demand intricate red tape or excessive audits, instead it emphasises contentious practice supported by clear and transparent notices or policies.

This emphasis on what you do and how you do it may actually provide FinTechs a comparative advantage over incumbent rivals.

We see this occurring in three areas:

1. Expense - A FinTech’s path to compliance will be faster and less expensive than large established financial organisations. Incumbents have thousands of employees, large customer bases and will have gradually acquired personal data in an ad-hoc manner. This leaves data widely distributed and frequently duplicated.
   
   FinTechs, by comparison, could in many cases be dealing with smaller, more rigorously curated datasets. Their employee numbers are lower, and there will be fewer fragmented processes to unpick and re-establish. They will also often be UK based, avoiding some of the complexity around international data transfers.
   
   This will allow FinTechs to cheaply and efficiently ensure compliance. Research has demonstrated that the cost of GDPR compliance is not static. It scales closely with business size, leaving established players facing far higher compliance costs than nimble start-ups.
2. Partnerships - Many FinTechs are already providing software and tooling that allows banks to make sense of their data lakes. GDPR has sparked interest in data mapping solutions that help the customer automate the production of data inventories and processing registers.
   
   These are often seen as effective ways for banks to fulfil the Article 30 requirement (knowing where personal data is) and can result in profitable contracts between FinTechs and incumbent businesses. This new frontier offers FinTechs growth, development of valuable relationships and the closer embedding of their businesses in the financial landscape.
3. Awareness - Encouraged by a number of high profile data breaches, the press around GDPR and its principles has begun to generate a growing public interest in the treatment of people’s data selves. Off the back of scandals around social media, data brokers and academics misusing data, consumers are only becoming more aware of how valuable their personal data is.
   
   GDPR could help catalyse a ‘data awakening’, where businesses and customers begin to take data diligence and security much more seriously. This awakening also has the potential to provide further competitive advantage for FinTechs as they can more effectively demonstrate that ‘privacy by design’ is evident in their products and corporate culture.
   
   Additionally, GDPR introduces a new 72-hour mandatory breach notification rule. In short, once a breach has been detected, a business has maximum 72 hours in which to investigate the breach and to let the regulator know what has happened. This will be a huge challenge for businesses, who have previously taken on average 200 days to detect an issue and escalate it to regulators.
   
   FinTech’s who can demonstrate a sincere commitment to protecting data (or provide products that enable others to demonstrate that commitment) will be rewarded by more customers.

The road ahead
Of course, none of the above is specifically the goal of GDPR, but the regulation’s impact is hard to underestimate. Such sweeping regulations often have unforeseen consequences. A more competitive financial services landscape could be one such consequence.