fintech and information risk
the journal of Michael Werneburg
twenty-seven years and one million words
An article appeared in "The Investment Executive" this weekend that highlights information risk in so-called fintech. It details a survey conducted by CGI on consumer attitudes towards such financial services as mobile aggregation of accounts from multiple financial services.
Lo and behold, the survey finds that consumers are leery of information risks when dealing with new entrants. The article deduces that incumbent providers such as banks must surely better provision such services in a secure fashion. CGI, an elderly player in financial technologies, is surely one of the incumbents that the we can count on to get it right.
But the simple fact that it's CGI that commissioned the study that exposes an underlying truth here. When you give your cash and data to a bank, you're really giving it to myriad third party providers (such as CGI). Providers of account open SaaS solutions, back office trading and settlement platforms, third party CRM's used to track interactions with you as a client. These CRM platforms have absolutely everything the bank knows about you, not just name address etc but all the records of your interactions with the banks, and anything else the banks's staff have learned about you, including relationships, hobbies, interests, political affiliations, etc. But the list goes on and on. Financial institution's mobile platforms are typically built and run by third parties. Compliance solutions, statement print and email fulfillment, investment companies, mortgage and credit card middle men, marketing analysis firms and other types of "big data" analysts.
I suspect that if any of us asked a bank for a list of such third parties, they wouldn't be able to name them. And the sad state of affairs today is such that third party risk management standards are extremely poor. Financial firms simply aren't doing their due diligence. This is something I said on an industry panel on cybersecurity this summer, but I don't see it changing any time soon. There simply isn't enough knowledge about the risks or how to measure them or deal with them. Financial firms fall over themselves to pass on their investor's data to countless providers. Then they beat those providers up on cost, which ultimately undercuts the provider's spending on protecting that data. And once the data's shared, the financial players rarely even ask what's been done to protect it.
So it's well and good to be leery of up-start fintech providers but don't think that your bank has a better handle on where your data is or how it's protected.