Fintech risk and compliance management

A framework to empower the organization

The financial technology (fintech) industry continues to invest in innovations that create new products and support evolving customer preferences. Fintech risk management functions are tasked with addressing the exposures created by that innovation, by partnerships, and by ongoing financial and regulatory market developments. This report covers the increasing pressure on fintech firms to elevate their risk management capabilities, including the development of a responsive operational risk and compliance program.

This third in a series of three reports on the future of fintechs describes a framework and associated elements of a fintech regulatory risk and compliance model. The first report explores the future of fintechs, the risk landscape they’re facing today, and how they can thrive in a more regulated business environment. The second paper examines governance and business considerations for fintechs that are planning to pursue a bank charter.

Risk and compliance program framework

Figure 1 portrays a risk and compliance program framework derived from regulatory expectations. It consists of capabilities that are responsive to the inherent risk of the operating business.

  • People and culture: The risk and compliance management program aligns with company culture and can be operationalized to meet regulatory and industry expectations. Company culture empowers its people to effect proper risk management and achieve business objectives.
  • Business risk strategy: Risk and compliance strategy are aligned to the business’s strategy, with risk management having a seat at the table. Risk management has a view and advises the business, management, and board on its strategy.
  • Governance and policy: Clear and well-articulated roles, responsibilities, and decision rights support the risk culture and strategy. Established committees have a defined mandate to advise and/or decide, and the origin of their remit is well understood.
  • Risk assessment and regulatory change: Controls are identified and implemented, informed by an understanding of regulatory requirements, across the customer journey. Associated control vulnerabilities and applicable regulatory obligations are known, controlled, and subject to an established change process.
  • Monitoring and testing: A controls testing and monitoring program covering, at a minimum, high-risk activities is established, with reporting of risks and issues. Key performance indicators (KPIs) and key risk indicators (KRIs) are developed, implemented, and monitored against defined thresholds.
  • Data capture: Consistent capture, measurement, and reporting of the data that informs management and board decisioning is in place.
  • Issue management: Issues decisioned at various levels, including the business, risk management, executive management, and the board, are identified, escalated, and remediated. The focus is on early identification of systemic or thematic issues and on sustainable resolution.
  • Awareness and training: The training program includes risk management–related training applicable across business lines and the firm more broadly (e.g., segregation of duties and the USA PATRIOT Act).
  • Regulatory interaction: Communication and messaging to the requisite regulators (e.g., state regulators, state attorneys general, the Federal Trade Commission, and the Consumer Financial Protection Bureau) are coordinated internally so that they are consistent and accurately reflect business and risk performance and strategy execution.

Tailor a broad-based risk management program

Using this type of framework as a guide, fintechs can tailor a broad-based risk management program to their own needs:

Step #1: Define roles and responsibilities through a governance model

Step #2: Understand applicable risks and rank them

Step #3: Evaluate the controls environment

Step #4: Evaluate risk and response options

Step #5: Consider the organization’s maturity level and technology use

Step #6: Engage management through effective reporting and communication


Contact us

Peter Reynolds
Managing Director
Risk & Financial Advisory | Deloitte & Touche LLP
+1 212 313 1660
Gina Primeaux
Risk & Financial Advisory | Deloitte & Touche LLP
+1 714 436 7341
Harish Dakshina
Senior Manager
Risk & Financial Advisory | Deloitte & Touche LLP
+1 404 388 2898
Amanda Williamson
Senior Manager
Risk & Financial Advisory | Deloitte & Touche LLP
+1 704 887 2069
James D Simpson
Senior Manager
Risk & Financial Advisory | Deloitte & Touche LLP
+1 816 881 5197
Tara Wensel
Risk & Financial Advisory | Deloitte & Touche LLP
+1 347 224 4056