The ISO 31000:2018 standard advises: “When designing the framework for managing risk, the organization should examine and understand its external and internal context.”

I believe that the same guiding principle should also inform cross-organizational risk assessments. In my work as a GRC and information security adviser to fintech startups, the drastic differences in organizational culture, structure, and system infrastructure design are often a source of confusion, if not suspicion, for the partner bank auditors.

The bank executives have a responsibility to their customers and stakeholders to assure that any sensitive data that their organization might exchange with the fintech startup will remain secure and compliant with privacy and other regulations. “Regardless of whether a fintech is under a different level of regulatory scrutiny than the bank, TD’s own security and privacy standards mean that we won’t work with companies that cannot demonstrate high standards in data protection,” said Jane Stubbington, vice-president of compliance and global chief privacy officer for TD Bank Group.

On the other hand, partner bank auditors often lack sufficient understanding of the nimble structure, aggressively forward-looking culture, and mostly cloud-based systems infrastructure of a typical fintech startup. Such bank auditors bring their “standard issue” evaluation checklists and traditional banking industry mindset to evaluating the systems and processes of a fintech. The result is similar to applying an aircraft carrier battle readiness checklist to a jet ski:

Q: Are robust locks in place to secure the aircraft at rest?
A: N/A
Q: Are ordnance storage areas properly secured and guarded?
A: N/A
Q: Are missile defense systems operational and ready at all times?
A: N/A…

As banks and other traditional services organizations engage with fintech companies to benefit from the emerging technologies and services they offer, the GRC and audit professionals in these organizations must strive to become familiar with the unique organizational and systems design features of the fintech partners. The efforts invested in this learning process will pay off by having the audits and reviews of the fintechs completed with greater accuracy and efficiency. The greater insights into the culture and structure of the fintech partners will also pave the way for new collaborative value creation opportunities.
