What legal and security risks does Fintech face?

Posted by media on January 19, 2016 at 9:00 AM


Thanks to technology, well-known Fintech startups have established themselves in every area of the financial sector, offering more effective solutions to long-standing problems than banks have ever managed. Among other things, these businesses have succeeded in democratising finance, facilitating access to funding and widening the range of payment options for businesses and clients alike.

In spite of the rapid rise of Fintech and the many innovations in financial products and services that bring real benefits to businesses and consumers, there are still several legal and security risks that need to be acknowledged. Failing to address them could mean incurring fines and damaging the company’s reputation and, in the worst case, could lead to the company’s closure.

In this post we will examine these challenges and ways to mitigate them.

This post is also available in Spanish.

Legal and Security Risks and How to Mitigate Them

1. Risk of non-compliance

The financial industry has been one of the most highly regulated from the outset, and it is now being shaken to its very foundations by the advent of new technologies. That strong regulation is precisely one of the reasons for the Fintech boom, since it has prevented banks from reacting to the flood of new financial innovations on the market (in addition to other structural and cultural impediments).

According to a survey by Silicon Valley Bank, 43% of Fintech entrepreneurs and investors in the United States consider that regulation will be a shackle that could hinder the sector’s growth in 2016.

[Chart: What is the main challenge faced by Fintech companies in 2016? Source: Silicon Valley Bank]

For these new tech companies, the problem is not knowing which regulations, laws or rulings they must comply with, given the recent revision of pre-digital-era laws by local governments and by the European Union. It would therefore be highly worthwhile for businesses to employ a compliance officer, a professional who can guide them in legislative matters and help them establish procedures that mitigate the risk of breaking the law without being aware of it.

The main laws, regulations and legal documents affecting Fintech are:

  • The Customer Identification Procedure (Know Your Customer). In Spain this is addressed in Articles 3, 4 and 5 of the Law on Prevention of Money Laundering and Financing of Terrorism.
  • The Suspicious Activity Report, filed when an unusual financial transaction is carried out, or has been carried out, by a client with a particular risk profile (as identified by the compliance officer or compliance department).

Being up-to-date with legal compliance should be, without a doubt, a key facet of a startup’s business plan from the outset. For companies in the first few years of their operations, hiring a compliance officer might not be financially viable, which in turn creates the additional challenge of being compliant with the law without incurring huge costs.

Here, a digital signature is a tool that can help. It allows the client to be identified during the signing of any document and fulfils current legal requirements for protection against money laundering. It also captures the user’s consent so that financial transactions can be carried out instantly in the client’s name.

Signature for a loan contract.

Signature authorizing the purchase of a financial product (stocks, bonds, CFDs, futures, options...).

Signature for complying with SEPA Regulation.

Our advanced electronic signature solution offers the unique identification of the signer. How can this be achieved? Through several pieces of electronic evidence collected during the signing process:
  1. Data regarding the time and place of the signing and the grounds on which the document was signed: document name, signer’s email, CRC File Format (unique internal identifier of the document), date (dd/mm/yyyy) and time (hh/mm/ss UTC) of all actions, geographical location, server, operating system and device from which the signature is made. In addition, we assign a private ID to the document when we register it in our database.
  2. The signer’s biometric data: we gather biometric data that is embedded in the same document as the completed signature. This data is securely archived, encrypted with a public/private key and attached to the signed document in the form of metadata.
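As an added illustration (this is not Signaturit’s code and does not describe their implementation), the Python sketch below shows one way the evidence listed above can be gathered into a record and made tamper-evident so that it can later be attached to a signed document as metadata. It assumes the “CRC” identifier is a CRC32, adds a SHA-256 digest alongside it because a CRC alone is not collision resistant, and seals the record with an HMAC under a server-side key rather than the public/private-key encryption the post mentions. The document, client context and key are constructed sample values.

```python
import hashlib
import hmac
import json
import zlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample inputs (not a real contract, client or key).
SAMPLE_DOCUMENT = b"Loan contract between Example Lender S.L. and Jane Doe, 10,000 EUR, 36 months."
SAMPLE_CLIENT_CONTEXT = {
    "ip": "203.0.113.7",            # documentation-range address
    "geolocation": "41.39,2.17",    # constructed lat,lon
    "os": "Android 6.0",
    "device": "mobile",
    "server": "sign-eu-1",
}
SAMPLE_SIGNED_AT = datetime(2016, 1, 19, 9, 0, 0, tzinfo=timezone.utc)
# Hypothetical server-side secret; in production this belongs in an HSM or KMS.
EVIDENCE_SEAL_KEY = b"constructed-demo-key-do-not-use"


def document_identifiers(document: bytes) -> dict:
    """Identifiers recorded for a document: a CRC32 (assumed meaning of the
    post's 'CRC' identifier) plus a SHA-256 digest, added here because a CRC
    can be forged trivially and is only useful as a quick lookup key."""
    return {
        "crc32": f"{zlib.crc32(document) & 0xFFFFFFFF:08x}",
        "sha256": hashlib.sha256(document).hexdigest(),
    }


def build_evidence_record(document: bytes, document_name: str, signer_email: str,
                          action: str, client_context: dict,
                          signed_at: Optional[datetime] = None) -> dict:
    """Assemble the evidence the post lists: what was signed, by whom, when
    (UTC, in the dd/mm/yyyy and hh:mm:ss formats the post describes) and from
    where. The timestamp is taken server-side, never from the client."""
    ts = signed_at or datetime.now(timezone.utc)
    return {
        "document_name": document_name,
        "document_id": document_identifiers(document),
        "signer_email": signer_email,
        "action": action,
        "date": ts.strftime("%d/%m/%Y"),
        "time": ts.strftime("%H:%M:%S UTC"),
        "client": {k: client_context[k] for k in ("ip", "geolocation", "os", "device")},
        "server": client_context.get("server", "unknown"),
    }


def _canonical(record: dict) -> bytes:
    # Canonical JSON so that the MAC does not depend on key order or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 over the canonical record; any later change to
    the record (or to the document it identifies) breaks verification."""
    return {"record": record, "mac": hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()}


def verify_sealed_record(sealed: dict, key: bytes) -> bool:
    """Constant-time check that the sealed record has not been altered."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def document_matches(record: dict, document: bytes) -> bool:
    """Check that a presented document is the one the evidence record refers to."""
    return hmac.compare_digest(document_identifiers(document)["sha256"],
                               record["document_id"]["sha256"])


if __name__ == "__main__":
    record = build_evidence_record(SAMPLE_DOCUMENT, "loan-contract.pdf", "jane@example.com",
                                   "signed", SAMPLE_CLIENT_CONTEXT, SAMPLE_SIGNED_AT)
    sealed = seal_record(record, EVIDENCE_SEAL_KEY)
    print(json.dumps(sealed, indent=2))
    print("seal valid:", verify_sealed_record(sealed, EVIDENCE_SEAL_KEY))
    print("document matches:", document_matches(record, SAMPLE_DOCUMENT))
```

The sealed record is what a reviewer or court would be shown alongside the document: the MAC lets the service prove the record was not edited after the fact, and the SHA-256 ties it to one exact document, so that swapping in a different contract with the same name is detected.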

2. Risk of infringement of a client's right to privacy

Data Analysis vs Customer Privacy

Fintech collects, stores and manages a vast amount of personal data and financial information related to its customers. The upside is that it can use powerful tools for data analysis that offer a thorough understanding of customers, so that financial products and services can be tailored according to their needs.

For companies offering loans, knowledge of customers through data analysis allows them to better adjust risk profiles, set interest rates and even anticipate their future financing needs.

The downside is that accessing and using customer data may be in violation of their right to privacy, an important right for both customers and regulators. In this post we explore at greater length how to minimize the legal risks associated with data analysis.


The European Commission wishes to unify data protection law under the General Data Protection Regulation, which is to replace the 1995 directive. The draft of the new regulation was issued in 2012 but has undergone several revisions by the European Parliament and has still not been approved by the Council, which it must be in order to become law.

In the most extreme case, the proposed rule requires companies wishing to analyze client data to first obtain client consent if the reason for data analysis differs from the one cited in order to collect data initially.

3. Risk of cyber-attack

“There are only two types of companies: those that are already hacked and those that will be.”
- Robert Mueller, FBI Director

The recorded number of cyber attacks in the past year proves that no company is immune to digital terrorism, and the large volume of data that Fintech companies collect, store and manage makes them particularly vulnerable. In addition to the theft of personal and financial data, such attacks disrupt business activity, damage a company’s reputation and undermine the confidence of customers.

As with legal compliance, the ideal solution would be simply to hire a Chief Information Security Officer, but that is rarely viable for a startup. Instead, less costly options that are just as effective must be sought to mitigate cyber risk.

One option is to establish security procedures and define contingency measures to swiftly respond to an incident and isolate an attack as quickly as possible. Having an action plan is important, but having a prevention plan is even better. You can take a look at this in our post What should businesses do to prevent a cyber attack?

Another highly recommendable option is to store the minimum amount of personal client data. At Signaturit we do not “store” signatures: a document must be signed anew each and every time a signature is required, without retrieving any kind of existing data. This design provides greater security.

The conclusion that we wish to draw with this post is that Fintech companies should not forget that the legal and security risks to their business are real, and that they must address them from the outset, formulate an adequate plan of action and employ mechanisms to mitigate them.

The future of Fintech is promising, and it would be a shame to see its activities cut short by pitfalls that could have been avoided, even if on a modest budget.
