fintech and information risk

by Michael Werneburg
on 2016.10.17

An article appeared in "The Investment Executive" this weekend that highlights information risk in so-called fintech. It details a survey conducted by CGI on consumer attitudes towards such financial services as mobile aggregation of accounts from multiple financial services.

Lo and behold, the survey finds that consumers are leery of information risks when dealing with new entrants. The article deduces that incumbent providers such as banks must surely do a better job of provisioning such services in a secure fashion. CGI, an elderly player in financial technologies, is surely one of the incumbents that we can count on to get it right.

But the simple fact that it's CGI that commissioned the study exposes an underlying truth here. When you give your cash and data to a bank, you're really giving it to myriad third party providers (such as CGI): providers of account-opening SaaS solutions, back office trading and settlement platforms, and third party CRMs used to track interactions with you as a client. These CRM platforms have absolutely everything the bank knows about you, not just name, address, etc., but all the records of your interactions with the bank, and anything else the bank's staff have learned about you, including relationships, hobbies, interests, political affiliations, and so on. And the list goes on and on. Financial institutions' mobile platforms are typically built and run by third parties. Then there are compliance solutions, statement print and email fulfillment, investment companies, mortgage and credit card middle men, marketing analysis firms and other types of "big data" analysts.

I suspect that if any of us asked a bank for a list of such third parties, they wouldn't be able to name them. And the sad state of affairs today is such that third party risk management standards are extremely poor. Financial firms simply aren't doing their due diligence. This is something I said on an industry panel on cybersecurity this summer, but I don't see it changing any time soon. There simply isn't enough knowledge about the risks, or about how to measure them or deal with them. Financial firms fall over themselves to pass on their investors' data to countless providers. Then they beat those providers up on cost, which ultimately undercuts the providers' spending on protecting that data. And once the data's shared, the financial players rarely even ask what's been done to protect it.

So it's well and good to be leery of upstart fintech providers, but don't think that your bank has a better handle on where your data is or how it's protected.