
Liberis: How to Navigate Data Privacy Risks in the Embedded Finance Environment

Embedded finance has been a game-changer for SMEs who previously struggled to obtain funding from traditional banks. However, fintech companies with embedded finance solutions have a responsibility to become regulation savvy even if they aren’t regulated.

Alexis Alexander, chief legal and compliance officer, Liberis, explores how to employ a considered and educational approach to data privacy including traditional practices, while also accepting that there are additional considerations when it comes to embedded finance.

How to navigate data privacy risks in the embedded finance environment
Alexis Alexander, chief legal and compliance officer, Liberis

Embedded finance presents ambitious businesses with a compelling raft of possibilities – they can obtain and retain customers in new ways, scale much faster, and even reinvent how their products and services are deployed.

Amidst the understandable excitement, analysts have projected that the embedded finance market will reach $1.9 trillion by 2028 as global adoption continues to surge.

When it comes to the SME sector, in particular, embedded finance has been a game changer. Traditionally, SMEs have struggled to access the financial services that meet their specific needs, but embedded finance bridges the gap to provide ambitious companies access to products and services directly within their existing business tools and platforms. A small retailer, for example, now can process payments and manage payroll, all from a single platform.

At a time when nearly three-quarters of UK SMEs believe their bank is actively discriminating against them in favour of larger companies, embedded finance is also providing timely alternative funding sources that are both more accessible and more flexible. SMEs can bypass the banks and tap into a wider range of lenders, including peer-to-peer platforms and alternative finance providers such as fintech companies with embedded finance solutions.

Balancing risk with reward

But, as is so often the case, these new opportunities are accompanied by considerable risks. One area to consider carefully is data privacy.

Embedded finance relies heavily on data, both for the provision of financial services and for the customisation of products and services to individual consumers. This means that embedded finance providers must navigate the many risks and regulations associated with handling sensitive customer data.

To grow and remain resilient, providers must expand their risk awareness across new areas. Data acquisition, ownership, usage, retention, and disposal practices pose significant risks, alongside security concerns including data theft, breaches, and cyberattacks.

So how can embedded finance providers respond, and make sure they are doing their best to mitigate these risks?

Employing a considered, educational approach

The starting point is recognition and identifying the data flows in play.

As well as the robust cybersecurity and data protection policies that must be in place to protect against the myriad cybersecurity threats facing financial services organisations, providers now have to accept there are additional considerations when it comes to embedded finance.

A shift left mentality is key. Organisations need to map all their data points from the outside and build in security and data retention protocols at the start of any product build.

Education and good communication are key. When converging financial products and services into non-financial platforms or products, organisations should be mindful of the possibility of conflicts of interest and make sure that they are open and honest with customers about the terms and conditions.

Legal and compliance teams need to be in and amongst the business, not shut off in an ivory tower. They need to understand the products they are building. They also need to understand how they will ingest data, as well as train the business iteratively and frequently.

Embedded finance providers should also keep a close eye on the potential dangers of data exploitation or abuse, especially when working with non-financial partners who may lack the same degree of knowledge or experience in financial services.

A regulatory focus

Providers must become savvy about regulations, even if they aren’t ‘regulated’. Most organisations will be subject to GDPR requirements, so they need to be just as conscious of risks to their customers. The Consumer Duty, whilst only applicable to FCA-authorised firms, needs to be considered by everyone in business in the UK. The prioritisation of customer outcomes including around price and value represents a cultural shift that we all need to recognise and embrace.

Understanding the specific requirements that they must comply with is essential from both a business and IT security standpoint. They should embrace their technology’s vision whilst being mindful to incorporate feedback from regulatory bodies.

Fraud and threats from nefarious third-party actors have become increasingly sophisticated and hard to predict. With the rise of AI and the desire to reduce friction in the customer journey, cybercriminals and digitally savvy fraudsters are targeting any point of security weakness. Providers must spend as much time building a secure-by-design infrastructure to ensure highly beneficial tools such as AI cannot become a risk to customer safety and data protection.

Regardless of their position, every employee needs cybersecurity awareness training, including regular updates on the most recent threats and attack methods – which are becoming increasingly sophisticated. This shouldn’t just be a case of annual ‘tick box’ e-learning courses but creative and practical engagement with employees such as company hackathons or group bug bounty bashing.

Leaning on the latest technology

Automation and augmentation are also crucial when it comes to managing data privacy risks. Thanks to the latest AI and machine learning technologies, companies can receive actionable insights and notifications through a single interface. AI can be a real force for good here. Some tools can instantly detect compromised sensitive data, and can also detect when it has left the company environment.

These technologies allow providers to better control and coordinate security throughout the entire digital corporate environment. Additionally, they help to lower the volume and frequency of human error. In today’s financial services ecosystem, providers will simply be unable to effectively comply with the relevant rules and regulations if they ignore the power of AI and fail to use it for good. In turn, this will help someone else use AI for bad at the expense of their business’s data security.

According to Juniper Research’s recent AI in Financial Fraud Detection report, global business spending on AI-enabled financial fraud detection and prevention platforms will exceed $10 billion in 2027, rising from $2.7 billion in 2022.

This exponential growth will be fuelled by a new trend in AI-enabled fraud protection and data management: a focus on accessing fraud information from beyond a business’ transactions. To facilitate this, fintechs are already forging new partnerships with third parties, such as credit bureaus and payment networks, to boost data coverage and enhance algorithm learning.

An inability to harness AI in your controls and infrastructure will not only have a negative commercial impact but allow those using AI for harm to infiltrate, putting your customers and the business at risk.
