Consumers have demanded faster, more convenient access to banking services for a long time. Finally, thanks to this increased demand, core banking providers are beginning to offer fintechs access to their code through the use of APIs. This paves the way for fintechs to develop creative solutions. And it’s great news for fintechs interested in selling their new, innovative services to banks.
What wise fintech providers understand, however, is that having access to core system data also means having security obligations. Data protection is becoming top of mind for software developers, banks, and consumers alike.
Criminals go where the money and data live. There’s no sweeter target than financial services providers who deal regularly with both of these high-value items. The results of an IBM research report bear this out. For the past three years, financial institutions have been among criminals’ top targets.
The federal patchwork quilt of data security law
As of today, there isn’t a comprehensive federal law governing the collection, storage, and use of consumer data. In place of a federal law, there’s the Gramm-Leach-Bliley Act of 1999 and Section 5 of the FTCA. That’s where you’ll find data security requirements for financial institutions.
Then, there’s a handful of state regulations you may need to consider: California, Colorado, Virginia, and New York have passed and enforced state regulations.
And of course, if your product collects or manages credit or debit card information, compliance with PCI DSS regulations is critical.
Financial penalties for ignoring regulations regarding security can be steep. Noncompliance with PCI DSS can result in fines ranging from $4,000 - $10,000 per month, depending upon the size of the business.
If you don’t comply with GLBA requirements, that can get your company fined for a whopping $100,000 per violation. Even company officers could get hit with a $10,000 fine per violation and up to five years in prison.
Make compliance a competitive advantage
Community banks are looking for software companies who understand the world of legal and regulatory parameters they must operate within. The FDIC published a due diligence guidance document for community banks to help them vet potential fintech and software partners. One of their key recommendations was to find a fintech company that could demonstrate security and compliance.
Fintech data security best practices
-
At a bare minimum, we recommend that fintechs become SOC 2 compliant as soon as possible. Not only is SOC 2 a solid foundation in data security best practices, it shares a lot of the same requirements as ISO 27001 guidelines. That means once you’re SOC2 compliant, you’re well on your way to several other certifications.
-
If your business isn’t yet certified to hold PCI information, but you have a product idea, there’s a solution. We recommend using a certified third-party API, like those from Stripe, Plaid or Akoya. You’ll gain the benefits of leveraging a trusted, established brand – and you can avoid storing data on your own system.
-
Document your policies thoroughly and create trackable processes so you can demonstrate compliance. You’ll also want to establish regular assessments to make sure your policies keep pace with the industry and legal environment.
-
Follow the FTCs Safeguards Rule, which establishes information security program requirements. These requirements include things like:
-
-
Assessing and routinely reviewing access controls
-
Regular, thorough data inventory, including collection, transmission, and storage as well as all platforms, systems, devices, and personnel involved
-
Implement multi-factor authentication
-
Create a written incident response plan
-
Encrypt in transit and at rest
-
How does Core10 help?
We tailor what we do to suit our clients’ business needs, but above all, we look out for their best interests. We adhere to the highest level of security standards and go above and beyond to help identify potential issues before we write code.
Our team has extensive experience in the financial services industry, so we know firsthand the challenges you face. When you’re ready to talk to an API and fintech software development expert, we’re here for you.