FinTechs and startups are now at a regulatory crossroad. Though they have largely existed in an environment of self-regulation, these halcyon days are almost over. State and Federal government voices are starting to express a need for more formal oversight. Regulators are struggling with the balance between protections of end users and not impeding the company’s abilities to foster innovation.
Small companies like FinTechs and startups, either as a standalone entity or as a vendor/service provider to a larger firm, have historically had major challenges with their compliance controls specifically, and with attention to data privacy in general.
Large established firms, especially in highly regulated industries (e.g. financial service, life sciences, pharmaceutical, etc.) are sometimes reluctant to do business with these smaller firms as they represent considerable risk if their controls are not in order.
Because FinTech may not currently be directly subject to traditional regulators, compliance with established laws [e.g. anti-money laundering (AML), Know Your Customer (KYC)] is difficult to measure and monitor. Here is the essence of the regulatory concern: with no direct regulation per se, customers may not understand that the traditional consumer protections they have been accustomed to with larger firms may not apply, since those protection laws wouldn't be extended to consumers who might do business with that company.
Since this may be a new paradigm for these smaller firms, I want to call attention to six general trends in the privacy space that FinTechs and startups would be well advised to be aware of as they try to ‘move up’ into the big leagues and improve their visibility with brand name, world-class firms.
They are:
1. Shifting demographics (i.e. focus and emphasis on millennial’s impact to your business) necessitate a new and different approach to the understanding of ‘customer privacy.’
2. Customers are savvier than ever of their privacy rights and expectations. They are not reluctant to express their concerns – especially on social media.
3. The rise of class action law suits represents a continuous risk to companies of all sizes, but can be especially destructive to a small firm with limited capital and resources.
4. There has been a constant revision of what is considered "personal information" and the scope is getting wider. Almost any data collected by a small firm is likely subject to protection of some kind.
5. There has also been a constant revision or addition of increasingly restrictive state privacy and security legislation which threatens many small startups with potentially overwhelming compliance overhead. Most small firms either lack the in-house expertise to sufficiently deal with all that is required from a compliance perspective, or they may just not be aware of what is expected from them.
6. Most regulators are showing an increased attention on consumer protection. Even if companies are following the letter of the law, if there is evidence of customer harm, a regulator may take action.
The message here should not be construed as all doom and gloom. FinTechs represent major disruptive possibilities across many industries, and consumers will be the ultimate beneficiaries. However, companies need to be cognizant of their corporate citizen responsibilities. Sure, consumers love a sexy and easy to use interface, but features and user experience shouldn’t override cyber security and privacy concerns and obligations.
Innovators in this space should devote reasonable time and resources to regulatory compliance. At the end of the day, good privacy is good business!