Between dystopias - Balancing innovation, regulation and security in fintech

It’s hardly surprising that many of the people discussing fintech slip into the habit of talking about dystopian futures – rarely in the realm of startups do we see such a collision of risk-averse (or at least, risk-aware) cultures all worrying about different things:

  • How delicately balanced the financial system is and how impactful its destabilisation would be
  • That the finance industry has to have a high regulatory barrier because only people who understand the sector should be allowed to disrupt it
  • How the pervasive and complex use of technology introduces new cyber threats and makes it less clear who is liable for risk or mistakes
  • And there’s the additional risk of startups not worrying about risk at all...

The overriding factor to all of these risks? The risk of the industry stagnating while other sectors, dependent on accessing banking and payment services, are transformed beyond recognition. The finance industry has to match other sectors in terms of speed, efficiency and meeting consumer expectations… and it’s a delicate balance to strike, making sure that none of these concerns become the new economic reality.

We’ve paired the knowledge of our in-house fintech expert, solicitor Clive Bramley, with some thoughts from our friendly cyber geek, Dr Emma Osborn, to evaluate some of the issues in finding the balance between these dystopias, and to ask: how does the “move fast and break things” culture of the startup flourish in an environment where the regulatory culture is to slow down and plan more?


Finance breaks the startup mould

There are a few things that most startups have in common that are key to them being disruptive enough in a marketplace to gain a foothold:

  • They are agile – they try things, make mistakes, learn and adapt at a rapid pace
  • They attempt to limit organisational hierarchy and processes to reduce costs, so regulation is a burden
  • Innovation is often reliant on ever more complex relationships within an increasingly diverse ecosystem of suppliers

The problem? Both regulatory compliance and cyber security are traditionally considered to be incompatible with agile methods. Both expect to be able to evaluate a fully designed solution, identify risks and reduce them to an acceptable level – they are based on a (financially) high risk development model that startups can’t afford to implement.

The division of labour between so many niche companies makes implementing solutions that comply with regulators’ objectives particularly challenging. It’s a problem that’s well understood in cyber security and safety engineering – the fault is most likely to occur where there is a responsibility gap. The more stakeholders there are in a system, the easier it is to have dependencies that nobody knows about.

It means that in fintech the development teams might need to evolve to include embedded cyber security and legal experts, to ask questions and dynamically intervene in product development, so that their requirements are considered at every stage.


Regulation trails innovation

In the past, something changed, the regulators watched, they evaluated the results, scaled up the risks and set the rules before too many people jumped on the idea.

That approach no longer works – it’s most evident in the way that consumers exercise their rights to petition. The energy required to collect over 100K signatures is getting smaller, and our patience with the speed of change achieved by lawmakers, courts and regulators has reduced. In the heat of the moment, few understand the protections provided by having time to think and debate issues before designing solutions. It’s a compromise tech companies make in miniature in every step of the agile process, whose ripples can be felt even in the way that we govern our countries.

Regulators have adapted to this environment with new rules, intended to open finance to competition, for example the 2009 Payment Services Regulations and 2011 EMoney Regulation. But at the same time they need to ensure “safety” as in the Strong Consumer Authentication requirements.

And what about the lack of regulatory clarity – how does the global nature of the finance industry influence the decisions that startups can make?

As with cryptocurrencies, regulators “dance” around the technology. The same happened with e-money in the 2000s, when PayPal stole a march and got “too big to fail” before the regulators got their requirements in place.

If there's not a consensus between regulatory jurisdictions, it either creates catch-22s, where it is impossible to develop a compliant process, or there are unforeseen regulatory gaps.


Is disruption really a bad word?

To close, it’s worth talking about the words we use to talk about change. Many articles use disruption, transformation and innovation interchangeably, but what’s interesting is when we see authors choosing to talk about innovation, while framing disruption (that thing that the tech industry is so proud of) as something that’s likely to cause harm (for example:

There are arguments from within the tech industry about ethical design – ensuring that engineers’ energies are invested into developing things that enrich people’s lives. Nowhere is that more important than in the finance industry, because (like the tech industry) there are too many people dependent on it for us to assume that we can always afford to experiment.

But the reason that the finance industry is so critical is also the reason that it needs to be able to be disrupted at the same rate as everything else – because changing the environment that a business, service or IT system operates in introduces risk. It doesn’t matter whether we are talking about the risk of failing to provide services that meet consumers’ expectations, or of failing to update an IT process that still kind-of works – obsolescence introduces external risks from incompatibility and workarounds that mean that the only solution is for technologists, finance industry experts and legal/regulatory experts to collaborate.

There’s a “tension” created by the regulator: looking to free up competition by creating new types of regulated entity, while also making sure these small (and sometimes piratical) newcomers protect consumers and comply with regulations at the same time as they disrupt...

Numbers matter: costs of entry are high and innovators don’t make much headway until they get a load of users behind them, so unless you get big quick you probably are going to need to partner or be purchased.

What this actually tells us is that we should be watching out for the disruption from big tech companies... Because they have the culture to disrupt and the financial staying power of a bank.

This article has been written by cyber security expert, Emma Osborn, of OCSRC and Clive Bramley