No industry can compete with wealth management and fintech in regard to accountability. Every step one takes in the field is highly regulated and subject to legal prosecution, even when one is unaware of the applicable rules.

Sometimes, when we have a conversation with early-stage startups or companies that have never outsourced development, it turns out that their executives know little about how processes should be organized to comply with the law. When conversations reach this point, they give us access to sensitive areas that, by law, shouldn’t be exposed to us. Of course, they experienced no negative consequences, because we knew what we could and could not do in this regard. Additionally, because we reacted immediately and explained every aspect of data protection law to them, we ensured the security of the system was maintained.

In this post, we’ll try to outline the basics that every wealthtech executive should be aware of. We will describe the main regulations and bodies to deal with when starting a new business, the activities one should repeat to stay compliant, and the types of responsibility breakdown that exist for cloud adopters.

What Is Necessary To Start A Robo-advisor?

The journey of a wealthtech startup begins with the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). These organizations aim to protect investors from fraud and misconduct, so they check all aspects of a new startup before it starts serving clients. Therefore, the first step in registering a robo-advisor is the submission of Form ADV to the SEC. This form includes a summary of material changes within the firm. It can be supplemented with a brochure describing who will actually serve the investment advisor. For example, on-premises products should also be used in compliance with SEC rule 17a-4, so there are particular laws to comply with depending on the specifics of the system.

Every robo-advisor should be able to explain to regulators how the tool works and how it complies with regulatory requirements. This is to ensure that the outputs the system provides to its customers don’t mislead investors in their financial decisions. In this update on FINRA’s “Report on Digital Investment Advice,” one can find best practices for validating one’s platform for regulators.

FINRA is the best-known nongovernmental organization that manages broker–dealer industry risks and monitors companies that provide investment advice. It encourages investors to check the filings and backgrounds of every firm or professional before starting a collaboration. Thus, it’s crucial for startups to become members of FINRA or another self-regulatory organization before beginning operations.

Obviously, this list of submissions and partnerships isn’t complete, but it at least gives insight into how much work should precede the launch of the platform.

Personally Identifiable Information: What Does It Mean For WealthTechs?

Wealthtech aggregates tons of personally identifiable information (PII), which draws closer scrutiny from controlling authorities. For example, last year’s GDPR law became one of the top policies with which startups needed to align their services. It obliged companies to provide users with access to and control over their personal data. Additionally, Regulation S-P and the Red Flags Rule govern customer data protection and help prevent identity theft.

In large enterprises, there are often departments dedicated exclusively to ensuring compliance, monitoring data flows, and safeguarding security. Still, given the number of end-to-end integrations required to provide competitive services today, PII security remains a problem.

Additionally, existing regulations complicate the way companies can transfer clients’ business data outside of the United States, which deters them from hiring talent or working with vendors abroad. However, it’s not the location that defines a vendor’s safety but solid knowledge of how to organize a secure development process.

Here is a checklist to help you quickly examine whether your company or your vendors have secure processes:

Of course, these are not all the regulations that make up data security.

Cloud Providers And Shared Responsibility Model

High security standards and client demand make cloud adoption imperative. The shared responsibility model establishes a high-level delineation of security responsibilities between the customer and the cloud service provider (CSP). If you don’t know where that line is drawn, a control may be left unowned by either side, and that gap may cause a security breach.

The responsibility breakdown depends on the CSP you want to partner with. Information about which responsibilities each cloud provider will take on when you start collaborating with them can be found on their websites. For example, Microsoft Azure states that the customer always retains responsibility for data, accounts, access, and endpoints. Beyond that, the remaining responsibilities depend on the type of deployment: on-premises, infrastructure-as-a-service, platform-as-a-service, and software-as-a-service. The picture above illustrates the responsibility areas of each side for every deployment type.

Takeaways

It’s impossible to operate in wealthtech without a clear understanding of the regulatory aspects. The intricate rules and shared responsibility areas give rise to potential data security risks. To mitigate them, companies need a robust and comprehensive guide with explanations, comparisons, and best practices. Download our free white paper, Fintech Regulatory Aspects and Adopting Cloud, to obtain more detail on this subject and help your startup address threats before they materialize.

Vasyl Soloshchuk is CEO and co-owner at INSART, a fintech and Java engineering company. Vasyl is also the author of WealthTech Club, which conducts research into Fortune 500 and start-up robo-advisor and wealth management companies.