Despite a challenging economic landscape ahead, the potential for scaling up is still a key priority for many fintechs. To reach more customers, expand internationally, and make an exponentially larger impact, several considerations are necessary. From launching and validating a proposition to growing, onboarding clients, and ultimately driving revenue, it is important that organisations manage the complex risk and regulatory environment and build resilient and scalable technology and operations.
The outlook for fintechs will be driven by many factors, such as economic volatility and the changing regulatory landscape. To overcome these challenges and enable growth, ensuring resilience will be crucial.
Our Regulatory Compliance Solutions Lead, Wayne Scott, joined our partner FinTech Scotland to discuss the importance of resilience when it comes to scaling up.
“Resilience includes not only resisting adversity but also recovering from adversity, developing recovery plans, and understanding the ramifications of failure.”
The misconceptions surrounding cloud ☁️
During this session, the speakers discussed how resilience is unfortunately not always front of mind. This is especially true when it comes to cloud-based applications. The adoption of cloud-based applications clearly brings a range of benefits, allowing firms to scale quickly and easily without barriers.
However, due to misconceptions surrounding the cloud, risks are often overlooked. People assume that because critical applications are hosted in the cloud, they are guaranteed resilience. A report by McAfee indicated that 69% of CISOs trust their cloud providers to keep their data secure, and 12% believe cloud service providers are solely responsible for securing data.
Despite misconceptions, cloud service providers (CSPs) are not responsible for the application and data. CSPs only cover the security of the cloud environment itself. This means that end users are responsible for backing up and restoring data. As customers don’t own the intellectual property of the software, reliance is placed on the fintechs to provide a dependable backup solution.
It is important that the cloud shared responsibility model is understood and that the associated risks are managed. To withstand disruption, customers need to know their suppliers have measures in place that enable them to access the application and their data no matter what happens to the service.
For start-ups planning to scale, navigating the regulatory environment is essential
As firms in the financial services sector become increasingly reliant on third-party applications, any disruption to these critical technologies could have serious consequences for the firm and for the financial market.
Because of these risks (supplier failure, service deterioration, and concentration risk), regulators are enacting new regulations, laws, and guidance surrounding third-party risk management and IT outsourcing. Examples include the PRA SS2/21 regulations in the UK and the Digital Operational Resilience Act (DORA) in the EU.
These regulations emphasise the importance of developing ‘stressed exit plans’ for both critical on-premise software applications and cloud-based services to ensure a smooth transition to an alternative provider in the event of supplier failure.
Financial institutions and those who rely on critical software provided by fintechs are looking for assurance that their applications are protected in the long term and are ‘future-proof’. By ensuring solutions are compliant with these new regulations, software vendors can put themselves ahead of other providers, giving their business a competitive edge when it comes to the decision-making process.
Implementing a resilience strategy
As start-ups compete to secure funding and establish themselves as dominant players in the industry, building resilience into software solutions is essential to enhance their proposition, gain a competitive edge and attract investment. By prioritising resilience, fintech firms can offer assurance to both customers and investors that their solutions are future-proof and capable of withstanding disruption.
For over 30 years, software escrow agreements have been adopted by software customers to ensure business continuity, as well as by software vendors to provide peace of mind to their customers. These escrow agreements ensure the source code and data behind critical applications are secure and always available.
Regulators such as the UK PRA have explicitly encouraged organisations to utilise escrow solutions to strengthen resilience. When it comes to managing third-party risk, escrow agreements are a tried and tested method recognised globally by financial service regulators as a key practical solution.
“Authority firms should actively consider measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit (e.g., escrow arrangements), allowing for continued use of a service or technology for a transitional period following termination.”
- PRA SS2/21: Outsourcing and third-party risk management
Software escrow (for on-premise software applications) and SaaS escrow (for cloud-based applications), along with verification services, give software customers full peace of mind that, should their vendor be unable to continue service, they will have the necessary materials and knowledge to quickly get the application back up and running.