For fintech to gain mainstream adoption, the spotlight must be turned to data privacy

In 2019, the fintech world was abuzz with new players and developments. Much of the attention had turned to rising startups, taking on traditional financial institutions with non-bank alternatives powered by tech such as blockchain.

However, for consumers tempted to take the plunge, data leaks and hacks remain a haunting shadow that stops them from embracing these new, alternative products. At the same time, rogue players that handle customer data carelessly undermine the efforts of genuine, compliant players and leave a hangover of public skepticism in their wake. The result has been lasting doubt about the long-term prospects of companies in the industry, along with concerns about illegality.

Bringing best practice enterprise cybersecurity and data privacy to the startup realm

To put it simply, there is no reason for companies to overlook cybersecurity. Whilst fintech may be new, enterprise cybersecurity is not, and the industry trend is that cybersecurity is becoming a board-level responsibility.

Many cybersecurity pitfalls, even in traditional financial institutions, come from racing to launch products faster than competitors without having the right team or strategy in place. We need to take a step back and allow sufficient review of the confidentiality, integrity, availability and resilience of internal systems and processes. These are the core building blocks of a mature cybersecurity strategy, and for customers they should not be a luxury but the baseline.

Onboarding a commander in chief to lead the way

Unlike the traditional banking sector, there are currently no ‘best practice’ guidelines or nicely packaged “go to” solutions available in the fintech space. For many companies, the first step in showcasing commitment to data privacy is the appointment of a Data Protection Officer to own overall privacy governance, and a Privacy Officer to run the day-to-day privacy program.

These roles are immensely important, as such a program will only succeed if someone in the organization takes ownership of it. This also poses an exciting challenge for cybersecurity professionals looking to make an impact: building privacy by default into the whole system development life cycle from the ground up, into the DNA of their operations, rather than bolting it on as an afterthought.

Embedding privacy by design from the get-go

Fintech is an exciting field, with some of the best security talent from traditional financial services and the enterprise technology world moving into startup roles, lured by a dynamic industry and the opportunity to truly innovate and architect systems that create real business impact.

Those spearheading security efforts should strongly consider industry standards and regulations, such as the ISO/IEC standards published by the International Organization for Standardization (ISO), as a road to improving their overall cybersecurity posture. We’ve seen this in our business, with exciting hires and top talent bolstering our own team and capabilities, all of whom bring their experience to ensure all our products and solutions have security at their core from inception to execution.

Our security team brings different levels of expertise to ensure that everything we do delivers on security and helps safeguard our platform as well as customers’ funds and information – right from the get-go.

Success for non-bank players will favor the more security-focused players

All in all, when it comes to people’s hard-earned money, having a comprehensive security and privacy program is mission critical, as customers deserve a trusted platform to rely on. This is especially true in Europe, where the General Data Protection Regulation (GDPR) is a key focus: for companies on the road to GDPR compliance, cybersecurity is a key component that should already be at the top of the agenda.

Companies can look to the new ISO/IEC 27701:2019 standard for help in building a Privacy Information Management System (PIMS). While regulations and standards such as these play a role in setting companies on the right path, self-regulation is also a component. Companies that put in the effort to achieve the highest standards, gain internationally recognized certifications, and innovate to develop new solutions will win people’s trust and get ahead.

By Jason Lau, Chief Information Security Officer, Crypto.com

About the author

Named “Financial Technologist of the Year (Data Privacy)” by the Institute of Financial Technologists of Asia, Jason Lau is the Chief Information Security Officer at Crypto.com, responsible for driving its IT security and privacy strategy whilst protecting Crypto.com from security threats and hacking. Jason also led the company to achieve the “Gold Standard” certification for information security management, ISO/IEC 27001:2013, as well as PCI DSS Level 1 certification and compliance with the CryptoCurrency Security Standard.

In addition to his role as regional leader and co-chair for the International Association of Privacy Professionals (IAPP), Jason is also Adjunct Professor (Cybersecurity and Data Privacy) at one of Asia’s most prestigious business schools, and is also an official member of the Forbes Technology Council.
