Risk Management for Fintech Startups

John J. Schaub 

Oct 3, 2022 

In Sept 2022 I was the guest speaker at the FinTech-focused pitch competitions for Badhouse Venture Capital. The actual presentation is here, but if you are like me and hate watching videos, the bullet point summary of my talk is below.

Fintech is different - FinTech presents unique challenges: as a startup you face not just the problem you are trying to solve and competition from other entities trying to solve that problem more effectively, but also an active threat from entities trying to either steal from you or use your services to steal from others. To be successful as a FinTech startup you need to both solve your target problem more effectively than your competition and avoid falling victim to the criminal groups targeting you.

Financial crime happens all the time - Financial crime is incredibly common, much more so than most people realise. If you have any success at all building out a Fintech you will be the target of groups trying to steal from you. This is a cost of doing business and you need to be prepared for it.

You need to be a good neighbour - As a FinTech you are part of a wider financial ecosystem, and if your service becomes a tool for criminals you can rest assured the rest of the ecosystem will cut you off very quickly. A perfect example of this occurred when banks and credit card companies began banning payments to crypto exchanges a few years ago. The problem was that the crypto exchanges were providing a very useful conduit to move funds from a compromised bank account or credit card to a cash equivalent. This meant that the banks, the credit card companies and their customers began to take losses. The banks and credit card companies very quickly made the decision to cut off insecure end points, and the result was that the crypto exchanges were permanently hampered by added restrictions.

Criminal groups are sophisticated, capable and diligent - There is a popular misconception of criminal hackers as lone wolf types conducting attacks out of their parents' basement. While these types certainly exist, the real threats are much more sophisticated and capable of far longer term thinking. These groups will specialise in different parts of the criminal ecosystem, be it account compromises or data exfiltration, in much the same way that small startup companies might focus on one aspect of the Fintech ecosystem.

Criminals are early adopters - Following on from the previous point, because there are criminals that focus almost solely on account compromises, you can be sure that early in the life of your company these groups will take the time to create a few hundred accounts to be monetized later, potentially years later. Because of this you need to ensure that you either enforce proper KYC (know your customer) on all accounts from the beginning, or that you routinely put a block on accounts and force those users to undergo a proper KYC when they again log in to their account. As a strict rule, if you suddenly see a spike in activity on long dormant accounts you should assume you are under attack or will soon be.
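The dormant-account rule above can be expressed as a simple detection over login events. This is an added example, not material from the talk; the thresholds (180 days of silence, a 28-day baseline, a 3x spike factor, a floor of 3) and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

DORMANT_DAYS = 180   # assumed: gap after which an account counts as dormant
WINDOW_DAYS = 28     # assumed: trailing baseline window
SPIKE_FACTOR = 3.0   # assumed: multiple of the baseline that counts as a spike
MIN_COUNT = 3        # assumed: floor so one returning customer is not an alert

def dormant_reactivations(events, dormant_days=DORMANT_DAYS):
    """Count, per day, logins that end a gap of at least dormant_days."""
    last_seen, per_day = {}, Counter()
    for account, day in sorted(events, key=lambda e: e[1]):
        prev = last_seen.get(account)
        if prev is not None and (day - prev).days >= dormant_days:
            per_day[day] += 1
        last_seen[account] = day
    return per_day

def spike_days(events, first_day, last_day):
    """Return (day, count) where reactivations exceed the trailing baseline."""
    per_day = dormant_reactivations(events)
    alerts = []
    day = first_day + timedelta(days=WINDOW_DAYS)
    while day <= last_day:
        baseline = sum(per_day[day - timedelta(days=i)]
                       for i in range(1, WINDOW_DAYS + 1)) / WINDOW_DAYS
        count = per_day[day]
        if count >= MIN_COUNT and count > SPIKE_FACTOR * baseline:
            alerts.append((day, count))
        day += timedelta(days=1)
    return alerts

def sample_events():
    """Constructed data: the first event per account is its sign-up."""
    start = date(2022, 1, 1)
    events = [(f"active-{u}", start + timedelta(days=7 * w + u))
              for u in range(3) for w in range(40)]            # weekly users
    events += [(f"sleeper-{s}", start + timedelta(days=s))
               for s in range(6)]                              # sign up, go quiet
    events.append(("sleeper-5", date(2022, 8, 1)))             # one organic return
    events += [(f"sleeper-{s}", date(2022, 9, 20))
               for s in range(5)]                              # five wake together
    return events, start, date(2022, 9, 30)

if __name__ == "__main__":
    for day, count in spike_days(*sample_events()):
        print(f"{day}: {count} dormant accounts reactivated")
```

A single customer returning after months stays below the floor, while five long-silent accounts logging in on the same day trips the alert and should trigger the re-KYC block described above.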

There is an over focus on Cybersecurity - This is not to say Cybersecurity isn't important, it absolutely is, but the day to day losses you will suffer are often driven by fraud which relies on social engineering style attacks rather than a breach of your network. Fraud losses can be a company ending event for a small Fintech, and even if they don’t represent a major financial loss they are absolute poison for your brand.

The biggest threat is internal - There is a tendency to focus on external threats, which are absolutely real threats, but the truly existential threat in Financial companies is typically internal. Because of their deep knowledge of internal processes and controls, insiders can do massive amounts of damage to a company. Insider threats are wildly underestimated by early stage companies. You absolutely need to do proper background checks on key staff and build segregation of duties into your structure from day zero to make sure insider threats are mitigated early on.

Culture is key - A team of people that understands the risk environment you are operating in and is comfortable asking questions when they see something amiss is by far the cheapest and most effective method to avoid losses. 

Proper process and forethought go a long way - Startups try to move fast and break shit, and it is very important to keep that disruptive culture in place, but given the increased risk in the Fintech space it is important to think things through ahead of time and make sure you aren’t making any major blunders.

If you’d like to chat through anything I’ve discussed, feel free to reach out.