Providing an overview of the current (and likely future) direction of laws and regulations as they apply to financial technology companies in the UK has just become a lot more challenging. The outcome of the “Brexit” referendum has created a great deal of uncertainty, and it remains to be seen whether the UK will adopt an approach similar to that of Norway or Switzerland when it comes to IT regulation, or attempt to carve its own path. However, while the future is impossible to predict, there are some aspects of fintech compliance that we can be relatively certain about.
Regardless of which regulatory body ultimately oversees the fintech industry in the UK, one item at the top of the list of “must haves” is cybersecurity. Both the frequency and the sophistication of data breaches continue to rise across the globe. Alongside this, the average cost per compromised record, and the business lost to competitors as a result of the bad publicity that follows disclosure of a breach, are also growing.
Even the world’s central banks, with all of their considerable monetary muscle, are not immune from being targeted by malicious actors, as the theft of $81 million from Bangladesh Bank in February 2016 showed. The attackers compromised the central bank’s own systems and used them to send fraudulent SWIFT payment instructions drawing on its account at the Federal Reserve Bank of New York; both SWIFT and the Fed stated that their own infrastructure was not breached. The weak point was the member institution’s environment, not the network.
Governments and regulators are discussing how to get companies to share details of attempted and successful attacks with the authorities without fear of recrimination, and, where governmental systems have been compromised, to share details of those incidents with companies in turn.
Increasingly, companies are choosing to outsource the task, but not the responsibility, of cybersecurity. The cost of hiring enough staff with the necessary skills keeps climbing, so it can make commercial sense to hand the security operation of your infrastructure to a trusted partner (a data centre or cloud provider), turning a potentially huge capital expense into a smaller operational one, with the associated tax treatment. The distinction between task and responsibility matters in practice: the provider secures the platform, but the firm remains the data controller under data protection law, still decides who may access its data and how its encryption keys are managed, and still answers to the regulator and to its customers if something goes wrong.
Governmental surveillance of data
The former EU-US Safe Harbour agreement, which governed transfers of personal data between the EU and the US for some 15 years until the Court of Justice of the EU struck it down in October 2015, is set to be replaced by the “EU-US Privacy Shield”, expected to come into force in July 2016.
Once it is in effect, personal data can once again flow across, and be stored on either side of, the Atlantic, on the strength of written assurances from the US government limiting access to transferred data by its public authorities for law enforcement and national security purposes.
Also, from 25 May 2018 the EU’s General Data Protection Regulation (GDPR) will apply. Failure to comply can be extremely expensive: fines of up to €20 million or 4 per cent of a company’s worldwide annual turnover, whichever is higher. Politicians have also argued that directors of companies found to be in serious breach should be subject to personal fines and even imprisonment.
A revised version of an EU directive, the Markets in Financial Instruments Directive II (MiFID II), is due to be implemented in January 2018 and will require financial firms to implement changes and controls across a broad swathe of topics, from research and derivatives to data protection and storage. Among other things, it requires firms to record telephone conversations and electronic communications that relate to client orders, to keep written records of relevant face-to-face meetings (over and above telephone calls), and to retain those records for five years, or up to seven where the regulator requests it.
The UK’s Financial Conduct Authority (FCA) already requires anyone directly involved in equity trading to record calls. MiFID II broadens the range of individuals covered: it is not just the top City traders but also financial advisers and commodity traders who were not previously subject to the FCA’s recording rules.
Consequently, the volume of data that needs to be stored securely will soon skyrocket. Because the recordings are highly sensitive, a breach of confidentiality falls under both the UK Information Commissioner’s Office (ICO) and, from 2018, the GDPR, and could result in significant financial penalties. MiFID II also makes clear that records must be kept in a form that cannot be manipulated or altered and that remains readily retrievable. In practice this means archiving recordings in access-controlled, tamper-evident storage and encrypting them at rest, so that even a successful attack on the storage yields only unreadable data. Two caveats apply: encryption at rest only protects against a breach of the storage if the keys are held elsewhere (in a key management service or HSM, not alongside the archive), and the integrity requirement means the archive should also detect a recording that has been altered or relabelled, not only one that has been read.
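As an added illustration (this is example code written for this page, not Veber’s product and not anything prescribed by MiFID II), the following Go program shows the shape of an archive that addresses both confidentiality and integrity of stored recordings. Each recording is encrypted with AES-256-GCM under its own data key; that data key is wrapped under a master key which stands in for one held in a KMS or HSM; and the call identifier and timestamp are bound into both ciphertexts as associated data, so a record cannot be relabelled as another call or re-dated without decryption failing. The field names, the `CALL-0001` identifier and the audio bytes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const gcmNonceSize = 12 // standard 96-bit GCM nonce

// ArchivedRecording is what the archive stores for one call. CallID and
// RecordedAt stay in the clear so the archive is searchable, but both are bound
// into the ciphertexts as associated data: a recording cannot be quietly
// relabelled as another call or re-dated without decryption failing.
type ArchivedRecording struct {
	CallID     string
	RecordedAt string // RFC 3339 timestamp, kept as a string for simplicity
	WrappedKey []byte // nonce || per-recording data key encrypted under the master key
	Nonce      []byte // nonce used for the audio ciphertext
	Ciphertext []byte // audio || GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// aad is the metadata bound to each ciphertext; changing either field breaks decryption.
func aad(callID, recordedAt string) []byte {
	return []byte(callID + "\x00" + recordedAt)
}

func sealWith(key, plaintext, ad []byte) ([]byte, []byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce, err := randomBytes(g.NonceSize()) // fresh per seal; a nonce must never repeat under one key
	if err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, ad), nil
}

func openWith(key, nonce, ciphertext, ad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ciphertext, ad) // fails on any change to ciphertext, tag, nonce or ad
}

// ArchiveRecording encrypts one recording under a fresh data key and wraps that
// key under masterKey. masterKey stands in for a key held in a KMS or HSM outside
// the archive: it is needed to read anything, but is never written next to the data.
func ArchiveRecording(masterKey []byte, callID, recordedAt string, audio []byte) (*ArchivedRecording, error) {
	dataKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	ad := aad(callID, recordedAt)
	nonce, ct, err := sealWith(dataKey, audio, ad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(masterKey, dataKey, ad)
	if err != nil {
		return nil, err
	}
	return &ArchivedRecording{CallID: callID, RecordedAt: recordedAt,
		WrappedKey: append(wrapNonce, wrapped...), Nonce: nonce, Ciphertext: ct}, nil
}

// RetrieveRecording unwraps the data key and decrypts the audio. It fails if the
// master key is wrong or if any stored field has been altered.
func RetrieveRecording(masterKey []byte, rec *ArchivedRecording) ([]byte, error) {
	if len(rec.WrappedKey) < gcmNonceSize {
		return nil, errors.New("malformed wrapped key")
	}
	ad := aad(rec.CallID, rec.RecordedAt)
	dataKey, err := openWith(masterKey, rec.WrappedKey[:gcmNonceSize], rec.WrappedKey[gcmNonceSize:], ad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openWith(dataKey, rec.Nonce, rec.Ciphertext, ad)
}

func main() {
	master, _ := randomBytes(32) // demo only: a real master key lives in a KMS/HSM
	rec, err := ArchiveRecording(master, "CALL-0001", "2016-07-01T09:30:00Z", []byte("constructed audio bytes"))
	if err != nil {
		panic(err)
	}
	rec.CallID = "CALL-0002" // attempt to pass the recording off as a different call
	_, err = RetrieveRecording(master, rec)
	fmt.Println("relabelled record rejected:", err != nil)
}
```

Two design points are worth noting. Because every recording gets its own data key, the usual limit on how many messages may be sealed under one GCM key with random nonces never comes into play for the audio, and rotating the master key means re-wrapping the 60-byte wrapped keys rather than re-encrypting every recording. In a real deployment the wrap and unwrap calls would be made against the KMS or HSM rather than with the master key in the archive process’s memory, which is what keeps the “successful attack on the storage yields only unreadable data” claim honest.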
Businesses looking to comply with MiFID II and the GDPR should seek a cloud hosting provider, such as Veber, with a track record of reliably safeguarding its customers’ data.
Firms also need to consider how to prevent employees from inadvertently exposing them to stiff fines or bad publicity through the misuse or loss of mobile devices. Proper technical controls, together with formal training on how and when mobile devices and their social apps may and may not be used, go a long way towards reducing that exposure.
Financial businesses may also benefit from their cloud provider here. Veber can supply virtual private networks (VPNs) and end-point access that let mobile workers connect to the remote data centre from outside the office network, so that employees can work flexibly while the firm still complies with the stringent security requirements of the financial sector.
As mentioned, fintech firms may decide that the best way to meet regulatory and compliance requirements is to use a cloud vendor. At Veber we have already worked with a number of financial businesses who come to us for high availability, performance and flexibility. Leaked financial information can be hugely damaging, so businesses should look for a vendor that meets the relevant compliance standards, offers reliable SLAs and can scale as they grow. The right cloud supplier will not only help you meet regulations but also outpace your competitors.
Act now, before it’s too late
Although the UK’s position on forthcoming regulation is not entirely clear, businesses cannot afford to wait. Fintech companies should begin reviewing how their IT stands up against future compliance standards, particularly as the EU is likely to remain a prominent trading partner. And even with an uncertain future, one thing remains clear: cybersecurity will continue to play a crucial role in fintech compliance and regulation.