The future of fintechs: Fintech risk management

Fintech regulation as an opportunity

Fintechs are drawing increasing attention—and are at risk of potential disruption—from regulators. How to respond? See five fintech risk management principles that can help ease the disruption that closer regulatory scrutiny may bring.

This second in a series of three reports offers a high-level look at what’s at risk for fintechs in this changing regulatory environment, how risk management is both a growing imperative and an opportunity, and which principles promote effective risk management. The first report explored the future of fintechs, the risk landscape they’re facing today, and how they can thrive in a more regulated business environment. The final report will describe a framework and associated elements of a fintech regulatory risk and compliance model.

From disrupter to disrupted?

It’s an emerging irony of the fintech industry: The very companies that have disrupted the financial services industry may themselves experience disruption. Why? Because as a consequence of their success, fintechs are subject to increased attention and greater expectations from regulators.

As Deloitte previously reported in The future of fintechs: Risk and regulatory compliance, domestic and foreign regulators continue to take notice of the financial products and services that fintechs offer and the way they operate. While acknowledging that fintechs have introduced technology that enables innovation in financial services, regulators nevertheless believe that lines are being blurred between fintechs and other more traditional financial institutions that offer the same or similar types of products. This lends support to fintech regulation, as regulators may seek to subject fintechs to some of the same regulations as other financial institutions.1

To this end, the General Accountability Office (GAO) recently issued a report analyzing the four key areas of fintech—payments, lending, wealth management and financial advice, and distributed ledger technology—to assess:

  • Benefits, risks, and protections for users
  • Current regulatory oversight
  • Regulatory challenges
  • Steps taken by regulators in the US and non-US jurisdictions to encourage financial innovation

The GAO report sets forth several recommendations for federal agencies related to:

  • Improving interagency coordination with respect to fintech
  • Addressing concerns on financial account aggregation
  • Evaluating whether it would be "feasible and beneficial" to adopt regulatory approaches similar to those undertaken by regulators in other countries

Growing exposure to the regulatory environment is creating, and will continue to create, potential risk management requirements for fintechs. These requirements are in many of the same areas as for other financial services companies, including consumer protection, Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), privacy, and cybersecurity, among others. The ability of fintechs to proactively identify and address these risks through effective risk management programs may significantly impact their success and competitive edge going forward.

1 “Fintechs and regulatory compliance: Understanding risks and rewards,” CFO Journal from The Wall Street Journal, January 5, 2018,

What’s at risk for fintechs?

As the fintech sector has coalesced and expanded, several internal and external forces have contributed to making it both an exciting and challenging business environment:

  • Market growth. Customers empowered by broadband and smartphones began demanding faster, easier, and more direct access to financial products and services. Fintechs responded with a combination of vibrant entrepreneurialism and technological and product innovation.
  • Emerging technology. Technological innovation has led to new business models, new product and service delivery channels, and creative approaches to attracting, interacting with, and gaining the loyalty of customers.
  • Partnerships and alliances. Fintechs have more recently begun collaborating, whether through joint ventures, alliances, or acquisitions. Such arrangements are providing additional growth opportunities for fintechs while enabling more mature institutions to expand their traditional operations.
  • Regulatory scrutiny. Early on, fintechs were relatively unhindered by regulatory requirements that bound banks and other financial institutions. But regulators have started articulating their expectations of fintechs.

Combined, these forces are creating an array of potential fintech risk management requirements, which can have impacts in four broad areas:

Potential impacts for fintechs

As these risks become more apparent and increase with the growth of a fintech company, existing risk management programs inclusive of compliance—if they exist—will likely need to be revisited or expanded.

Effective risk management can be a revenue enabler. The success of those programs in rapidly changing regulatory and business environments will become increasingly important, as they are already for traditional financial services companies.

Five principles of effective fintech risk management

So if a company doesn’t have some form of risk management program in place or if an existing program is rudimentary in scope and design, where can it begin? Here are five basic principles of effective risk management:

Tone at the top. It’s imperative for a company’s board of directors and executive management to understand the organization’s critical processes, internal controls, and mitigation plans and to spearhead the creation of an organizational structure and culture in which “risk appetite” is both understood and adhered to.

An end-to-end perspective with strong focus on risk-based actions. It’s important to define and document a risk framework that aligns with the regulatory and operational risks identified through a formal enterprise risk assessment. Once the framework is established and regulatory risk processes and programs are in place, periodic testing should be performed for risk identification and control mitigation.

Effective incentives. With clear risk tolerances established and communicated throughout the organization by the board, management, and risk committee, employees at all levels should be empowered to step forward if they have risk-related concerns.

Risk management baked into new products. As new products and services are developed across the organization, and as new relationships with outside parties are formed, all the dimensions of risk should be considered and incorporated.

Accountability. Stakeholders across the organization, inclusive of revenue producing and non-revenue producing support staff, should be responsible for adhering to established risk tolerances.

Time for a closer look

Although fintechs aren’t considered banks, their bank-like products continue to encroach on and disrupt the financial services industry, whether in trading, lending, deposit taking, or other areas. These outcomes are likely to attract a growing level of scrutiny from regulators that are focused on repeatable, sustainable, and compliant operational performance for the financial services industry. The knock-on effect is that many fintech companies will need to focus on their own risk management capabilities to keep pace.

Want to read the full report? Download “Fintechs and regulatory compliance: The risk management imperative.”
