On July 31, 2018, the Office of the Comptroller of the Currency (OCC) announced that it would begin accepting applications for Special Purpose National Bank (SPNB) charters for nondepository financial technology (fintech) companies. Over the next two years, fintech companies will need to meet the information security compliance as well as the banking regulatory compliance requirements with which traditional financial institutions struggle.

Managing the Cost of Compliance with Technology

What is a Special Purpose National Bank?

The OCC defines an SPNB as a “those banks whose operations are limited to certain activities, such as credit card operations, fiduciary activities, community development, or cash management activities. Special purpose national banks also include national banks that engage in limited banking activities, including one or more of the core banking functions of taking deposits, paying checks, or lending money.”

The late 2017 cryptocurrency boom and bust provides an example of the unregulated fintech market. Digital currency trading acts as a cash management system left unregulated by the federal government. Robo-advisors, digital platforms using artificial intelligence to enable financial planning, provide another example of SPNCs. Finally, unbanked/underbanked web-based services such as pre-paid cards or mobile apps that enable low-cost money wires would also fall under the new charters.

How are traditional financial services and fintech similar?

Although the New York Department of Financial Services argues differently, several compliance similarities exist between fintech and traditional financial in terms of both information security and banking regulations.

Know Your Customer (KYC)

Traditional banking services need to comply with KYC laws in order to protect themselves from fraudulent account creation. Increasingly, fintech companies need to do the same background checks. Although many fintech companies piggy-back on traditional bank records by allowing people to link their payment processes to existing accounts, not all fintechs engage in this practice. Additionally, since fintech lives in a digital space, many companies find themselves needing to adhere to a variety of state and international laws.

Allowing fintech companies to apply for SPNB status may offer a more streamlined approach to the KYC problem. Although individual state regulations traditionally mirror federal KYC policies, fintechs as non-bank products find themselves attempting to comply with an increasingly tangled set of information and privacy laws.

Customer Identification Program (CIP)

A large informational burden for banks lies in the CIP regulatory requirements. To remain compliant with CIP, banks must collect documentation and information about a customer’s legal entity customer name/legal name, date of birth, address, and social security number/government identification number. Records retention requirements mean that banks need to have copies of personal documents to prove their CIP programs.

Anti-Money Laundering (AML)

The rise of third-party APIs, mobile payments, and virtual technologies increasing shift the money laundering possibilities away from traditional financial institutions. As part of the ongoing AML compliance procedures, banks and fintechs that apply for SPNB status will need to continuously monitor transactions and report suspicious activities. Suspicious Activity Reports (SARs) contain private information, some of which cannot even be shared with the Board of Directors.

Identity Theft Red Flags

The OCC, by whom fintech companies would be regulated, created the Red Flags Rule as early as 2007. Moreover, as more financial institutions incorporated online account opening opportunities, the red flags for new account fraud meant that these companies needed to protect information even more rigorously. Fintech companies looking to file for SPNB charters will be required to take on these regulatory due diligence methods.

Where are the overlaps between regulatory banking requirements and information security?

All of the regulations above incorporate maintaining customer privacy. In some cases, traditional financial institutions need to not only protect information from outsiders but also from their auditors. Protecting information can mean redacting or anonymizing data.

The April 2018 “Compliance Costs, Economies of Scale, and Compliance Performance” report from the Federal Reserve Bank of St. Louis noted that Bank Secrecy Act compliance accounted for 22.3% of compliance costs. However, information technology registered extremely low in terms of compliance expensitures. For most of these companies, the data processing costs (which included data manipulation for compliance purposes and information technology) accounted for .5-1.5% of compliance costs. In fact, IT security is not on the list of the top compliance costs.

Meanwhile, the average cost of cybercrime increased an average of $12.97 million per financial firm between 2014 and 2017. Thus, while cybersecurity compliance did not make the list, it accounts for a large risk to financial institution stability.

Within the financial services sector, companies appear to either bake the cybersecurity costs into other compliance initiatives (such as BSA) or not consider it as part of their ongoing compliance requirement.

Why financial institutions need to invest in cybersecurity

Financial institutions and fintech companies looking to apply for an SPNB charter need to focus on cybersecurity initiatives that protect customer information. Increasingly, customers seek to engage in digital transactions rather than cash transactions. Therefore, financial institutions and fintech companies need to enhance their information security risk management efforts.

More than any other industry, the financial services and fintech sectors store and transmit personally identifiable information that needs additional security protections. As both industries roll out more mobile applications and web-based applications to meet customer needs, they need to focus on providing application security that protects their customers from a data breach.

Moreover, financial institutions need to continuously monitor their ever-expanding perimeters. As customers increasingly use digital wallets and connect payment applications through the Internet of Things, the number of attack vectors increases. Continually monitoring a company’s information security environment will become more important as fintech companies begin to fall under the federal regulatory umbrella.

How ZenGRC eases continuous compliance costs

With our role-based authorization capabilities, you can provide all employees access to the information they need to enact your risk based corporate strategies. Empowering employees with the required information allows them to maintain the corporate culture you set and reinforces the environment management defined.

Compliance requires communication with the Board of Directors to ensure appropriate oversight. However, your Board of Directors does not want overly detailed reports. Creating annual presentations is time-consuming. ZenGRC’s reporting tools provide easy-to-digest reports with graphics that clearly explain your risk profile. These reports give your Board the information they need while saving you creation time.

This ease of communication applies to work with your internal auditor as well. Auditors need documentation to prove that implementation matches policy. When they spend time on the administrative information gathering tasks, audits take longer and information may end up incomplete. ZenGRC provides a single source of truth by aggregating all records, reports, policies, procedures, and control listing in one place. Streamlining the audit process not only saves time and money but also leads to stronger audit outcomes.

For more more information on how ZenGRC enables continuous compliance, contact us.