What fintechs should consider for becoming PSD2 compliant
Regulatory initiatives around open banking (PSD2) have opened up a whole new playing field for financial technology companies (fintechs). The possibilities for innovation around payments are countless: direct payments processing from platforms or applications, split payment technology, data analytics on aggregated bank accounts or enhanced credit risk modelling.
However, as promising as it all may sound, fintechs should keep in mind that there are no easy shortcuts to open banking glory. As open banking allows organisations to be ‘in the money flow’, it presents fintechs with an array of regulatory requirements related to anti-money laundering (AML) and combating the financing of terrorism (CFT).
Perry Huijgen, Business & Risk Management at Protiviti in the Netherlands, explains how fintech leaders can overcome the challenges related to becoming PSD2 compliant.
Are we even making money!?
Many fintechs underestimate the actual cost of being PSD2 compliant. Especially with high-volume, low-margin business models, the cost of compliance can easily cannibalise profitability. Moreover, many technology and data companies providing solutions in this space are used to dealing with larger financial institutions with deeper pockets.
In other words, don’t be surprised if the standard list prices for transaction monitoring or customer due diligence solutions match your first funding round.
In practice, fintech companies start exploring possible solutions for customer due diligence or transaction monitoring during or after the PSD2 application process with the regulator. However, it is advisable to move this discovery of possible solutions forward to the inception phase, so that the validity of your business case can be confirmed before you apply. In this process, external experts can help you to:
- Identify and select relevant and cost-efficient solutions and technology
- Validate the assumptions in your business case
Defeat the paper tiger
During the PSD2 application process there is a lot of focus on performing risk assessments and creating or updating policies and procedures. Having the right documentation in place is critical if you want to obtain the PSD2 license. However, it is even more important to actually implement the policies and procedures into daily operations if your organisation wants to keep its license in good standing.
This is exactly the area where many fintechs struggle. Policies and procedures are often too generic, which makes it hard to understand what needs to be implemented. In other cases, we see that fintechs adopt standard configuration templates designed by technology companies, resulting in a mismatch between the policy and their daily operation. In the worst cases, policies are in place but in practice nothing is implemented at all.
To overcome the risk of creating a paper tiger, the following is key when developing policies:
- Write policies from a practical point of view as much as possible. This may include adding practical guidance on the types of screenings, customer risk assessment methodology, relevant data points and types of monitoring scenarios
- Ensure that your policies are written by someone who not only understands the regulatory and business context, but also the implications for successful technical implementation
At Protiviti, we specialise in helping fintechs overcome red tape, in collaboration with BusinessForensics. By leveraging Protiviti’s expertise in risk management and BusinessForensics’ expertise in digital risk analysis technology, we can help fintechs:
- Identify the desired level of maturity of financial economic crime prevention within your organisation
- Create policies, procedures and controls in line with the desired level of maturity
- Implement and automate policies, procedures and controls into the BusinessForensics software
- Embed policies and procedures into your organisation’s daily operations.
Bursting the fintech bubble
Ask a typical fintech employee what they find energising in their field of work and don’t be surprised by the answers: developing innovative solutions, working on the go-live of the launching customer or growing the business by searching for partnerships in the market.
Ask the same fintech employee if their heart beats faster when working on regulatory compliance related projects and you can expect a less enthusiastic reaction. Still, there are many fintech companies that decide to develop their customer due diligence or transaction monitoring solutions in-house. And why wouldn’t they? Many fintechs have highly skilled developers working for them.
However, in practice we see that the in-house development of regulatory compliance solutions doesn’t always work out for the best. Fintech companies are quite dynamic, especially in the early stages, and their goals and even entire business models can change overnight. Combined with the ever-present work pressure, the fluidity often results in delaying or postponing regulatory compliance projects.
Also, consider the human factor, where people tend to prioritise the importance of work that is considered as an ‘energy gain’ over work that is considered as an ‘energy drain’. Given these challenges, fintechs should consider engaging external experts to work on regulatory compliance projects.
These experts can help fintechs free up internal resources, break through boundaries by sharing best practices, and expand their network and create new partnerships, as consultancies often have deeper roots in the market.