Assessing Fintech Cybersecurity: Four Basic Questions For Non-Technical Wealth Owners To Ask

01 Where are you based?

The location of a fintech’s headquarters – or its branch that you will be engaging with – can serve as a key indicator of the legal requirements governing their data privacy and security practices.

For example, all companies dealing with EU citizens must comply with the General Data Protection Regulation (GDPR), which requires them to put measures in place for processing personal data and for protecting it from unauthorised use and access.

Another example is the EU’s Second Payment Services Directive (PSD2). This directive requires EU-based financial institutions to facilitate secure sharing of clients’ payment-related data with authorised Third-Party Providers (like some fintechs) through properly secured data connections known as application programming interfaces (APIs). This sharing happens only with the explicit consent of the client.

Bear in mind that legal requirements to ensure financial data privacy and security are far from universal around the world. In many ways the EU has led the way here, and several other jurisdictions have incorporated similar policies into local legislation. Switzerland’s Federal Act on Data Protection is a leading example. Note that United States lawmakers have proposed GDPR-style rules at the federal level but no formal enactment has been made so far.

If the fintech you are evaluating is based outside the EU and will be handling an EU citizen’s data, you definitely want to ask a follow-up question as to whether their technology aligns with data security standards similar to those established in the EU – particularly with respect to APIs. These data connections play a crucial role in many fintechs’ operating models, which often involve gathering information like transaction histories, account balances, and loan information from originating institutions. While PSD2 is specific to the EU, it represents a world-class benchmark for securing financial data connections.

02 Can you explain your overall approach to cybersecurity in plain language?

According to the Harvard Business Review, human error is responsible for over 80% of cybersecurity incidents. Hackers often target poorly trained employees to exploit vulnerabilities.

A simple way to judge how much effort a fintech puts into educating its own team members about cybersecurity is to look at how much effort it puts into educating you about it.

When assessing a fintech service provider, request an overview of their technological security measures. While this overview may involve complex technical concepts, they should be explained in a straightforward and understandable manner.

Remember: The fintech under consideration exists to serve individuals like you. If the fintech’s leadership does not prioritise making their security practices accessible to you, it may indicate similar challenges within the organisation’s internal training efforts.

03 Do you support more than two access authentication factors?

Simply put, access authentication factors are the barriers a user must navigate before using a digital service. One factor could be an online password, while another might involve a code generated by a mobile phone authentication app or delivered via SMS.

Most likely, your current financial service providers already utilise at least two-factor authentication (2FA), which is commonplace in the industry.

Support for three-factor authentication (3FA) indicates that a fintech is going the extra mile to protect client data. The third factor might be – and is, in our case at Altoo – a certificate that is installed on a user’s device and verified each time the user logs in to the system with that particular device.

04 Do you own all your data storage hardware?

Every fintech has a variety of options when it comes to storing data. Each option involves a combination of software (systems for data management) and hardware (the physical machines hosting the software).

Fintechs do not necessarily need to own hardware in order to take advantage of sophisticated, highly secure data storage software. They can rent servers owned by a cloud service provider (CSP). This option is often more cost-effective than owning and maintaining hardware.

CSPs go to great lengths to ensure security and reliability. Partnering with a CSP, however, introduces an additional layer of risk that the fintech cannot fully control.

Therefore, a fintech’s decision to exclusively use its own data storage hardware demonstrates a remarkably strong – and accordingly more expensive – commitment to comprehensive data security practices.