Himanish Chaudhari, Partner, Deloitte India, on the emerging realities for fintech companies and the role of the CFO.
Q: What are the risks associated with third party dependence and outsourcing of payments to fintech companies?
Himanish Chaudhari (HC): With outsourcing, some of the underlying risks might move from within the organization to the outsourced service provider; however, it will also bring in additional vulnerabilities which need to be addressed to enhance the ability to monitor the operations and the risks emanating from these providers.
Hence it is critical for the financial institutions outsourcing the services to ensure that adequate safeguards are put in place on the outsourced service providers, which need to include an effective monitoring mechanism.
Organizations need to ensure that the same level and robustness of risk mitigation measures that are adapted internally are replicated at the service provider’s end.
An effective end to end governance mechanism covering the ambit of outsourcing is critical for a sustainable and effective outsourcing mechanism.
Q: Can this third party dependence be reduced by organisations? How?
HC: Outsourcing of activities to third parties is a key aspect of the operating models adopted by leading financial services entities. Organizations need to design appropriate processes to conduct due diligence, contract management and ongoing control assurance and monitoring of operations in order to safeguard themselves and their customers.
Increasingly, the third parties/outsourced entities are also being brought into the regulatory ambit and hence the financial services organizations need to ensure that these third parties are open to regulatory scrutiny.
While there will be dependence on the third parties, it is critical that the organization’s risk management and monitoring framework on the outsourced activities is robust and compliant with the current regulatory environment.
Q: How would data localisation affect the fintech companies and the associated compliance burden?
HC: The Reserve Bank of India has mandated maintenance of end to end transaction details within India. Further, the draft Data Protection Bill 2018 mandates storage of personal data and processing of ‘critical personal data’ within India.
Data localization will have an impact on the cost of operations and compliance. However, these companies may already have adequate controls implemented in their respective jurisdictions and the same now need to be implemented in the Indian jurisdiction as per the local regulations. Organizations need to assess the associated people and operational impact of the same.
While the draft bill is under discussion and has been subject to a lot of industry feedback, the key success factor is how the final recommendations get implemented in a transparent and robust manner by the concerned entities.
Q: Indian fintech organisations are as much under cybersecurity threat as global companies, if not more. What are the main risks and how can these be tackled?
HC: Cyber security risk is a global phenomenon and does not know any boundaries. Therefore, Indian companies need to be concurrent with the global best practices in order to prevent and mitigate cyber security threats.
Awareness is a key component of the cyber security mitigation and therefore it is critical that it is thoroughly embedded in the tone at top level. Given the rapid pace of digitization of both front end and back end processes, it is also critical that the organizations invest in transforming the current talent pool of functional resources into a strong techno functional workforce who not only have expertise in business, operations, regulations etc., but also understand the cyber aspects of the same.
Cyber risks are continuously evolving and it is critical to have an organizational culture which constantly upgrades the nature of cyber risk mitigation practices across the organisation’s operational landscape. Along with investment in technology upgrade in business functionality, there needs to be a constant investment by the financial organisations to prevent and detect cyber security threats. The same must form part of the strategic agenda of the firm and will be key to tackle these risks.
Q: What are the new compliance related challenges being faced by fintech companies as RBI ups its scrutiny?
HC: Recent developments in the regulatory landscape for fintech entities include enhanced compliance with KYC measures, coupled with the introduction of biometric based e-KYC procedures. We have seen increasing regulatory oversight on this area of compliance, particularly with the newly operationalised payments bank entities.
The regulators have also issued guidelines for P2P entities regulating their credit, liquidity and cyber risk management areas.
Fintech companies need to assess the viability of their business models given the evolving regulatory landscape, while designing robust internal governance and policy mechanism to comply with the regulatory requirements.
Q: Risk has become a top concern for companies and CFOs as heads of finance have to bear the burden of keeping company's finances secure. What should be critical areas for CFOs to concentrate on?
HC: We have to distinguish the role of CFO into two parts; the role of CFO function and secondly the role of the CFO as a key management personnel of the organization.
As a part of the CFO function, there are significant regulations that need to be addressed. It is imperative for the CFO function to ensure that these regulations are appropriately implemented, so that there is transparency in the financial statements and disclosures made by the financial services entities.
Furthermore, with the new technologies like blockchain and robotic process automation etc., coming into the financial services landscape, the CFO function needs to be adequately resourced from a technology point of view to address the challenges and move to the future.
As far as the CFO’s role as the key managerial personnel of the FI is concerned, the CFO needs to have control on the budgetary mechanism from both revenue and cost perspectives. As a CFO, it is important to discharge not only the controller responsibilities, but also provide strategic inputs to the growth agenda of the business.
Given the increasing digitisation and ever changing landscape, the CFO role has become far more dynamic in the recent past and continues to evolve at a rapid pace. It is critical that the CFO and the function are abreast and contemporaneous with the evolving landscape in order to be effective in their role both as a controller and as a strategic adviser.
Q: Personalised financial services seem to have opened the Pandora's box of troubles, as security of personal data is at an all-time high risk. What are the risks associated with this space?
HC: Financial services organizations today are collecting a huge amount of personal data to offer personalised advice to their clients. This personal information may include personal assets/liabilities, expenditure habits, family details and other commitments.
Organizations need to have a robust data classification, confidentiality and protection framework to mitigate these risks. Further, the regulations on personal data protection are also evolving with the GDPR regime kicking in and a host of other nations in the process of drafting / issuing the privacy laws. The regulatory framework also needs to evolve in order to ensure the protection of personal data of customers.
While the regulations are designed with an objective to safeguard and protect the customers, it is critical that the transition is managed in a manner that the organizations keep pace with the evolving regulatory framework as well as ensure that the same is seamless from a customer experience standpoint.